How do Virtual Hosting services restrict access to ftp only?

Post by Robert Chalmer » Tue, 17 Oct 2000 04:00:00



How do VirtualHosting services restrict access to ftp only?  The users must
still be in the password file right? But how does this stop users from
traversing the directory trees to other places on the system?

Anyone doing this, or know how it's done?

Thanks
Robert

 
 
 


Post by Bill Vermilli » Tue, 17 Oct 2000 04:00:00




>How do VirtualHosting services restrict access to ftp only? The
>users must still be in the password file right? But how does this
>stop users from traversing the directory trees to other places on
>the system?
>Anyone doing this, or know how it's done?

It's done very carefully :-)

Try   man ftpd   and look for the word 'chroot'.

--


 
 
 


Post by Robert Chalmer » Wed, 18 Oct 2000 08:27:41





> >How do VirtualHosting services restrict access to ftp only? The
> >users must still be in the password file right? But how does this
> >stop users from traversing the directory trees to other places on
> >the system?

> >Anyone doing this, or know how it's done?

> It's done very carefully :-)

> Try   man ftpd   and look for the word 'chroot'.

So you mean, that according to this - that EVERY user has their own
directory tree set up like the anonymous ftp user! etc and bin directories,
a mini password file etc!

           4.   If the user name appears in the file /etc/ftpchroot the
                session's root will be changed to the user's login directory by
                chroot(2) as for an ``anonymous'' or ``ftp'' account (see next
                item).  However, the user must still supply a password.  This
                feature is intended as a compromise between a fully anonymous
                account and a fully privileged account.  The account should
                also be set up as for an anonymous account.
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ????

Sounds like an unworkable solution to me.
Bob

 
 
 


Post by Bill Vermilli » Wed, 18 Oct 2000 04:00:00







>> >How do VirtualHosting services restrict access to ftp only? The
>> >users must still be in the password file right? But how does this
>> >stop users from traversing the directory trees to other places on
>> >the system?
>> >Anyone doing this, or know how it's done?
>> It's done very carefully :-)

>> Try   man ftpd   and look for the word 'chroot'.
>So you mean, that according to this - that EVERY user has their
>own directory tree set up like the anonymous ftp user! etc and bin
>directories, a mini password file etc!

You only need the password file if they need to see the names of
other users. But since they are logged into their own directory they
don't need those. You can then put whatever they need in their own
bin and etc directories. As for the files they would need in their
own bin or etc you could probably put them in one file with links to
the names of the programs as in the /stand directory. {gawd - I'm
embarrassed to say I forgot the name of the program which does this
for the files in the /stand directory}

That way you could just copy one file in to a directory and expand
the links.  Anything that goes in their home directory could be
added to /usr/share/skel.  I have an index.html along with the
dot.xxxx files to put in a generic holding html for their website
until they bring that up.

>This feature is intended as a compromise between a fully anonymous
>account and a fully privileged account.  The account should
>also be set up as for an anonymous account.
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ????

[woops - deleted the line where you said it was unworkable]

I guess it depends on how much you want to automate and how
far you want to restrict people.

--

 
 
 


Post by Robert Chalmer » Thu, 19 Oct 2000 04:00:00


Thanks Bill,
I had a play around with it. It actually works pretty well for just ftp -
which is all I want it to do. The only directory I need is /bin, with ls in
it, as I can't find the sources now to recompile ftpd with the built in 'ls'.
I'm on a 2.2 machine, and I deleted the /usr/src tree long ago apart from
the sys part of it.

When I find that, I won't even need /bin. The others don't matter as you say.
So the result is that the user is restricted to their own directory - and
nowhere else.

Now to find out how to add a user from the script, but NOT have it use the
user's name as the directory name. !!!

Thanks for pointing me in the right direction,

cheers
Bob

> >So you mean, that according to this - that EVERY user has their
> >own directory tree set up like the anonymous ftp user! etc and bin
> >directories, a mini password file etc!

> You only need the password file if they need to see the names of
> other users. But since they are logged into their own directory they
> don't need those. You can then put whatever they need in their own
> bin and etc directories. As for the files they would need in their
> own bin or etc you could probably put them in one file with links to
> the names of the programs as in the /stand directory. {gawd - I'm
> embarrassed to say I forgot the name of the program which does this
> for the files in the /stand directory}

> That way you could just copy one file in to a directory and expand
> the links.  Anything that goes in their home directory could be
> added to /usr/share/skel.  I have an index.html along with the
> dot.xxxx files to put in a generic holding html for their website
> until they bring that up.

> >This feature is intended as a compromise between a fully anonymous
> >account and a fully privileged account.  The account should
> >also be set up as for an anonymous account.
> >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ????

> [woops - deleted the line where you said it was unworkable]

> I guess it depends on how much you want to automate and how
> far you want to restrict people.

> --
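Added example, not written by any poster in this thread and not part of ftpd: a shell check for the setup discussed above, reporting which password-file accounts are listed in /etc/ftpchroot and whether each confined home has the bin/ls that an ftpd without a built-in ls needs. It assumes passwd(5)-style 7-field lines, an ftpchroot file with one login name per line, and hosting accounts starting at uid 1000; the sample accounts are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes passwd(5)-style 7-field lines and
# an ftpchroot file with one login name per line ('#' starts a comment).

# audit_ftp_accounts PASSWD_FILE FTPCHROOT_FILE [MIN_UID]
# For every account with uid >= MIN_UID (default 1000, an assumption) print:
#   CONFINED   name home   listed, and home/bin/ls exists for directory listings
#   NO_LS      name home   listed, but home/bin/ls is missing or not executable
#   UNCONFINED name home   not listed: the FTP session is not chrooted
audit_ftp_accounts() {
    # A missing ftpchroot file means nobody is confined; read /dev/null instead.
    [ -r "$2" ] || set -- "$1" /dev/null "$3"
    awk -F: -v min="${3:-1000}" '
        # First file: remember each login name listed in the ftpchroot file.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") listed[$0] = 1
            next
        }
        # Second file: password entries; skip comments and malformed lines.
        /^#/ || NF < 7 { next }
        $3 + 0 >= min { print (($1 in listed) ? "listed" : "unlisted"), $1, $6 }
    ' "$2" "$1" |
    while read -r state name home; do
        if [ "$state" = unlisted ]; then
            echo "UNCONFINED $name $home"
        elif [ -x "$home/bin/ls" ]; then
            echo "CONFINED $name $home"
        else
            echo "NO_LS $name $home"
        fi
    done
}

# Constructed sample data: alice is listed and has bin/ls, bob is listed without
# it, carol is not listed. Names and paths are made up for the demonstration.
d=$(mktemp -d)
mkdir -p "$d/alice/bin" "$d/bob" "$d/carol"
: > "$d/alice/bin/ls" && chmod 555 "$d/alice/bin/ls"
printf '%s\n' "root:*:0:0:Root:/root:/bin/sh" \
    "alice:*:1001:1001:Site A:$d/alice:/bin/sh" \
    "bob:*:1002:1002:Site B:$d/bob:/bin/sh" \
    "carol:*:1003:1003:Site C:$d/carol:/bin/sh" > "$d/passwd"
printf '%s\n' "# ftp-only hosting accounts" "alice" "bob   # no bin yet" > "$d/ftpchroot"
audit_ftp_accounts "$d/passwd" "$d/ftpchroot"
rm -rf "$d"
```

Run against the real /etc/passwd and /etc/ftpchroot after adding accounts, any UNCONFINED line is an account whose FTP login can walk the directory tree outside its home, subject to normal file permissions.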


 
 
 


Post by Tim Kientzl » Thu, 19 Oct 2000 04:00:00


man chroot

In essence, the FTP server temporarily hides the entire
disk except for a specific directory tree.  This is
a very powerful security tool.

Also, remember that any request you make is actually
processed by the FTP server program; it is possible (at least
in theory) for the FTP server to simply pretend that
only certain directories exist.

                        - Tim


> How do VirtualHosting services restrict access to ftp only?  The users must
> still be in the password file right? But how does this stop users from
> traversing the directory trees to other places on the system?

> Anyone doing this, or know how it's done?

> Thanks
> Robert

 
 
 
