User access problems via ProFtpd in Centos 5.7 x64

Discussion in 'Server Operation' started by daseagle, Apr 12, 2012.

  1. daseagle

    daseagle New Member

    Hello!

It all started with the need to provide SFTP access to various users. I managed to install ProFTPD and everything works as needed, except the user access control. It is quite possible that something outside ProFTPD is the problem and I'm missing it.


    I have the following setup:

    Several websites, all located as follows:

    /var/www/html/site1
    /var/www/html/site2
    /var/www/html/site2/subdomain_site2

    I need to provide access as follows:

    User1 full read/write to /var/www/html
    User2 full read/write to /var/www/html/site1
    User3 full read/write to /var/www/html/site2/subdomain_site2

    All these users need to be restricted to their directories, without being able to cd or ls outside their place.
    -----------

    Edit: for some reason I seem to have two ProFTPD configuration files. One is /etc/proftpd.vhosts.conf and the other is /usr/etc/proftpd.conf. Kinda lost me here, which one am I supposed to edit?

    Also, isn't it possible to achieve the lock-down effect I'm chasing via /etc/security/chroot.conf? Which one would be easier?
     
    Last edited: Apr 12, 2012
  2. falko

    falko Super Moderator

    You can use the
    Code:
    DefaultRoot ~
    directive in your proftpd.conf to lock users to their home directories.

    What's the output of
    Code:
    updatedb
    locate proftpd.conf
    ?
     
  3. daseagle

    daseagle New Member

    [root@server1 ~]# locate proftpd.conf
    /etc/proftpd.conf.rpmsave
    /etc/fail2ban/filter.d/proftpd.conf
    /usr/etc/proftpd.conf

    --------

    The DefaultRoot ~ directive is present and uncommented in the /usr/etc/proftpd.conf file.

    --------

    The user that is connecting via SFTP has its home directory as /var/www/html, but for some reason it is able to roam freely around much of the filesystem.

    Just found out something, maybe this will provide a clue: if I log in via FTP, I mean classic FTP, it does lock me into my home directory and I can't browse any upper level. It looks like the problem only shows up when I'm using SFTP. Unfortunately, SFTP is an absolute must in my situation.

    Kinda makes me wonder if my problem isn't buried somewhere in sshd rather than in the FTP part itself. Unfortunately, I can't really tell :(

    I ran across some articles speaking about an easy chroot option introduced into OpenSSH, which requires version 4.9p (I have 4.3p2). Yum update did not find any updates, so I guess the needed mirrors are not present in my config, and I'm wary of updating it manually since I'm not near the server during the weekend and I'd hate to break something.

    --------

    The server is pretty much based on your tutorials (many deep thanks for those!) - except the proftpd part.
     
    Last edited: Apr 14, 2012
  4. falko

    falko Super Moderator

    Does the user use SFTP or FTPS? The first has nothing to do with FTP (therefore it's independent of ProFTPD).

    How did you install ProFTPD? I wonder why there's no /etc/proftpd.conf...
     
  5. daseagle

    daseagle New Member

    Confused here :(

    I guess I'm using SFTP since it's connecting over the same port as SSH. Btw, there seems to be a lot of confusion on the net as to which one is which :p

    I installed ProFTPD all by myself: downloaded it from proftpd.org, compiled it, made it work. And it does work too, since via normal FTP the server greets me with the custom message I set and all that.

    I did not know that SFTP is independent and not related to ProFTPD. I did wonder about it, though; I just don't have the knowledge yet. I guess this means that I can just go ahead and remove it?

    It still leaves my original problem :)

    --

    Late night edit: while I was at it, I managed to update OpenSSH to 5.8. Server still works after restart :p

    I tried playing around with what you wrote here, but after restarting sshd my SFTP client would not connect.

    If you want to, you can close/kill this thread, since it is painfully obvious (even) to me that my problem is actually hidden in sshd and permissions and has nothing to do with ProFTPD.

    I just need 2 basic things: SFTP and a way for three users to write into 3 places, all under /var/www/html. Can anyone help me achieve this in a reasonable time-frame?

    -----------------

    SOLVED.

    1. Created the sftponly group.

    2. Created a user whose home directory is /home/user1. Chowned it recursively to root:root.

    3. Mounted the /var/www/html/site1 directory onto the /home/user1/site1 directory. Then, to permit write access, I chowned the /home/user1/site1 directory recursively.

    http://ubuntuforums.org/showthread.php?t=858475 - this helps a lot. The part with the force user login directory is a must.
     
    Last edited: Apr 16, 2012
