I am in the process of setting up a new server. In the process I cannot remember what I need to set so that an FTP user cannot move upward in the directory tree of the user's directory. The FTP server is VSFTP. The user's directory is owned by the user and the permissions are 775.

Isn't there a setting in httpd.conf to prevent that?

Todd
--
Ariste Software
2200 D Street Ext
Petaluma, CA 94952
(707) 773-4523

> Subject: [CentOS] Preventing a user from moving "up" directories
>
> I am in the process of setting up a new server. In the process I cannot
> remember what I need to set so that an FTP user cannot move upward in
> the directory tree of the user's directory. The FTP server is VSFTP.
> The user's directory is owned by the user and the permissions are 775.
>
> Isn't there a setting in httpd.conf to prevent that?
>
> Todd
>

I dunno about httpd.conf yet...

In /etc make a file called vsftpd.chroot_list and put the people in it that can ftp in and go up the tree.

Depending on config, /etc/vsftpd.user_list are typically users that are not allowed to ftp in under any circumstances. Look at the config file and that file to get more info.

If userlist_deny=NO, only allow users in this file
If userlist_deny=YES (default), never allow users in this file, and do not even prompt for a password.
Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers for users that are denied.

Then... go into /etc/vsftpd/vsftpd.conf and you should be able to figure out the rest.

Then at the end of the file mine looks like this... I don't recall where I got the info or if it was intuitive.

chroot_local_user=YES
#
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES

As a side note, when I create shell accounts that can only ftp in I usually call the shell /bin/ftponly and I put a reference to it in /etc/shells at the end. That way they cannot ssh in or whatever.

- rh

--
Robert - Abba Communications
Computer & Internet Services
(509) 624-7159 - www.abbacomm.net

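Added example (not part of the original thread and not vsftpd's own code): a small Python model of how the options named in the reply above combine for one local user, following the semantics documented in vsftpd.conf(5). The sample config and all user names are constructed, and the list files are passed in as sets instead of being read from /etc.

```python
# Added example: models vsftpd's documented chroot and userlist semantics.
# SAMPLE_CONF and every user name below are constructed sample input.
DEFAULTS = {"chroot_local_user": "NO", "chroot_list_enable": "NO",
            "userlist_enable": "NO", "userlist_deny": "YES"}

SAMPLE_CONF = """\
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
userlist_enable=YES
"""

def parse_conf(text):
    """Parse vsftpd.conf text: option=value lines, '#' marks a comment line."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            # vsftpd treats spaces around '=' as an error, so do not guess.
            raise ValueError(f"malformed option line: {raw!r}")
        conf[key] = value
    return conf

def is_yes(conf, key):
    return conf[key].upper() == "YES"

def login_outcome(user, conf, chroot_list=(), user_list=()):
    """Return 'denied', 'chrooted' or 'not chrooted' for a local user."""
    if is_yes(conf, "userlist_enable"):
        # userlist_deny=YES refuses listed users; NO admits only listed users.
        if (user in user_list) == is_yes(conf, "userlist_deny"):
            return "denied"
    jailed = is_yes(conf, "chroot_local_user")
    if is_yes(conf, "chroot_list_enable") and user in chroot_list:
        # Listed users get the opposite of the chroot_local_user default.
        jailed = not jailed
    return "chrooted" if jailed else "not chrooted"

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for name in ("alice", "admin1", "root"):
        print(name, login_outcome(name, conf, {"admin1"}, {"root"}))
```

With chroot_local_user=NO the same list file flips meaning and names the users who are jailed, so check both options together before editing the list.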
Karanbir Singh
2007-Jan-17 12:42 UTC
[CentOS] Preventing a user from moving "up" directories
Todd Cary wrote:
> I am in the process of setting up a new server. In the process I cannot
> remember what I need to set so that an FTP user cannot move upward in
> the directory tree of the user's directory. The FTP server is VSFTP.
> The user's directory is owned by the user and the permissions are 775.
>
> Isn't there a setting in httpd.conf to prevent that?

vsftpd does not use httpd.conf for anything.

--
Karanbir Singh : http://www.karan.org/ : 2522219 at icq