how to prevent ftp users (virtual hosts) from going up one directory/escaping their own directory)


Post by digima » Sat, 10 Feb 2001 12:30:52



How do I prevent ftp users (virtual hosts) from going up one
directory/escaping their own directory? I don't want them to be able to browse
through all the files on the server.

I tried chmodding several files but nothing seems to result into what I
want.

Listing of ftp user directory:

%ls -la
total 11
drwxr-xr-x 2 user user 512 Feb 6 21:02 .
drwxr-xr-x 6 root wheel 512 Feb 9 03:32 ..
-rw-r--r-- 1 user user 508 Feb 6 12:36 .cshrc
-rw------- 1 user user 406 Feb 6 22:21 .history
-rw-r--r-- 1 user user 592 Feb 6 12:36 .login
-rw-r--r-- 1 user user 160 Feb 6 12:36 .login_conf
-rw------- 1 user user 371 Feb 6 12:36 .mail_aliases
-rw-r--r-- 1 user user 331 Feb 6 12:36 .mailrc
-rw-r--r-- 1 user user 722 Feb 6 12:36 .profile
-rw------- 1 user user 276 Feb 6 12:36 .rhosts
-rw-r--r-- 1 user user 832 Feb 6 12:36 .shrc
lrwx------ 1 root user 32 Feb 8 19:55 www -> /usr/local/www/vhosts/domain.com

Regards,

Digiman

 
 
 


Post by digima » Sat, 10 Feb 2001 17:49:41



> How do I prevent ftp users (virtual hosts) from going up one
> directory/escaping their own directory? I don't want them to be able to browse
> through all the files on the server.

> I tried chmodding several files but nothing seems to result into what I
> want.

> Listing of ftp user directory:

> %ls -la
> total 11
> drwxr-xr-x 2 user user 512 Feb 6 21:02 .
> drwxr-xr-x 6 root wheel 512 Feb 9 03:32 ..
> -rw-r--r-- 1 user user 508 Feb 6 12:36 .cshrc
> -rw------- 1 user user 406 Feb 6 22:21 .history
> -rw-r--r-- 1 user user 592 Feb 6 12:36 .login
> -rw-r--r-- 1 user user 160 Feb 6 12:36 .login_conf
> -rw------- 1 user user 371 Feb 6 12:36 .mail_aliases
> -rw-r--r-- 1 user user 331 Feb 6 12:36 .mailrc
> -rw-r--r-- 1 user user 722 Feb 6 12:36 .profile
> -rw------- 1 user user 276 Feb 6 12:36 .rhosts
> -rw-r--r-- 1 user user 832 Feb 6 12:36 .shrc
> lrwx------ 1 root user 32 Feb 8 19:55 www -> /usr/local/www/vhosts/domain.com

I was told I should edit the proftpd.conf file...anyone know what to do
exactly?

Help is really appreciated

Digiman

 
 
 


Post by Jeff Davi » Sun, 11 Feb 2001 12:18:16





>> How do I prevent ftp users (virtual hosts) from going up one
>> directory/escaping their own directory? I don't want them to be able to browse
>> through all the files on the server.

>> I tried chmodding several files but nothing seems to result into what I
>> want.

>> Listing of ftp user directory:

>> %ls -la
>> total 11
>> drwxr-xr-x 2 user user 512 Feb 6 21:02 .
>> drwxr-xr-x 6 root wheel 512 Feb 9 03:32 ..
>> -rw-r--r-- 1 user user 508 Feb 6 12:36 .cshrc
>> -rw------- 1 user user 406 Feb 6 22:21 .history
>> -rw-r--r-- 1 user user 592 Feb 6 12:36 .login
>> -rw-r--r-- 1 user user 160 Feb 6 12:36 .login_conf
>> -rw------- 1 user user 371 Feb 6 12:36 .mail_aliases
>> -rw-r--r-- 1 user user 331 Feb 6 12:36 .mailrc
>> -rw-r--r-- 1 user user 722 Feb 6 12:36 .profile
>> -rw------- 1 user user 276 Feb 6 12:36 .rhosts
>> -rw-r--r-- 1 user user 832 Feb 6 12:36 .shrc
>> lrwx------ 1 root user 32 Feb 8 19:55 www -> /usr/local/www/vhosts/domain.com

> I was told I should edit the proftpd.conf file...anyone know what to do
> exactly?

> Help is really appreciated

> Digiman

Look at the file, and either add or modify so a line reads:
DefaultRoot ~

This should chroot() to their home directory.

Regards,
   Jeff Davis

 
 
 


Post by digima » Mon, 12 Feb 2001 00:49:42



> Look at the file, and either add or modify so a line reads:
> DefaultRoot ~

> This should chroot() to their home directory.

Thanks for your help!

I want to chroot() them in their webdirectory, which looks like
/usr/local/www/vhosts/domain.com

I did this like this:

<Virtualhost domain.com>
DefaultRoot /usr/local/www/vhosts/domain.com ftpusername
</Virtualhost>

But now I have to do this for every vhost, which will end up being a long
list.
Is there an easier way to do this?

You only need 1 line (DefaultRoot ~) to chroot all your users to their home
directory.
Is it possible to create something like that but then chroot them to their
webdirectory?

Regards,

Digiman

 
 
 


Post by Jeff Davi » Mon, 12 Feb 2001 07:08:18


Unfortunately, no. The home directory is the only magic option like that.
You would probably want to make a quick perl script to edit the file for
you, rather than typing it out. I would also like to point you to
http://proftpd.org where they have a link to their documentation, which
may contain a feature to help you.

You can make the root something like:
# chroot() to their home directory's subdirectory "my_ftp_dir"
DefaultRoot ~/my_ftp_dir

However, it might also make sense for you to set their home directory
where their files are. Why is their home in a directory they can't even
access with ftp? I might suggest moving your users to /home or setting
the home directory of your users to the place their files are currently,
unless you have a reason not to.

Hope it helps,
   Jeff




>> Look at the file, and either add or modify so a line reads:
>> DefaultRoot ~

>> This should chroot() to their home directory.

> Thanks for your help!

> I want to chroot() them in their webdirectory, which looks like
> /usr/local/www/vhosts/domain.com

> I did this like this:

> <Virtualhost domain.com>
> DefaultRoot /usr/local/www/vhosts/domain.com ftpusername
> </Virtualhost>

> But now I have to do this for every vhost, which will end up being a long
> list.
> Is there an easier way to do this?

> You only need 1 line (DefaultRoot ~) to chroot all your users to their home
> directory.
> Is it possible to create something like that but then chroot them to their
> webdirectory?

> Regards,

> Digiman

 
 
 


Post by digima » Tue, 13 Feb 2001 03:44:38



> you can make the root something like:
> DefaultRoot ~/my_ftp_dir    # chroot() to their home directory's
> subdirectory "my_ftp_dir"

Well the problem is that they should upload their website in the following
folders:

/usr/local/www/vhosts/domain.com

instead of usr/home/username

First I thought this worked:

 
 
 


Post by digima » Tue, 13 Feb 2001 03:50:41


Oops, didn't mean to do that, ok here is the full post..


> you can make the root something like:
> DefaultRoot ~/my_ftp_dir    # chroot() to their home directory's
> subdirectory "my_ftp_dir"

Well the problem is that they should upload their website in the following
folders:

/usr/local/www/vhosts/domain.com

instead of usr/home/username

First I thought this worked:

<Virtualhost domain.com>
DefaultRoot /usr/local/www/vhosts/domain.com ftpusername
</Virtualhost>

But it doesn't work.
How can I send each ftp user to its own webdirectory when he logs in with
ftp?
Do I have to create a group for every user?

I read the docs at proftpd.org, but I couldn't really find what I needed.

I'm a unix newbie, sorry!

Regards,

Digiman

 
 
 


Post by Jim Levi » Tue, 13 Feb 2001 12:57:26




> Oops, didn't mean to do that, ok here is the full post..



>> you can make the root something like: DefaultRoot ~/my_ftp_dir    #
>> chroot() to their home directory's subdirectory "my_ftp_dir"

> Well the problem is that they should upload their website in the
> following folders:

> /usr/local/www/vhosts/domain.com

Have you considered inverting the problem to match the solution? Apache
doesn't care where the virtual host directories are and you can make each
one a subdir of the user's home dir (~user/domain.com) and tell Apache
where it is. As long as the dir and its contents are world readable the
site will work and the normal restrictions that can be applied to an FTP
session will work.

--
The instructions said to use Windows 98 or better, so I installed FreeBSD.

 
 
 


Post by Jeff Davi » Wed, 14 Feb 2001 11:27:02



> Oops, didn't mean to do that, ok here is the full post..



>> you can make the root something like:
>> DefaultRoot ~/my_ftp_dir    # chroot() to their home directory's
>> subdirectory "my_ftp_dir"

> Well the problem is that they should upload their website in the following
> folders:

> /usr/local/www/vhosts/domain.com

> instead of usr/home/username

> First I thought this worked:

> <Virtualhost domain.com>
> DefaultRoot /usr/local/www/vhosts/domain.com ftpusername
> </Virtualhost>

> But it doesn't work.
> How can I send each ftp user to its own webdirectory when he logs in with
> ftp?
> Do I have to create a group for every user?

> I read the docs at proftpd.org, but I couldn't really find what I needed.

> I'm a unix newbie, sorry!

> Regards,

> Digiman

According to the docs, it looks like your plan would work, unless the
group 'ftpusername' doesn't exist (I think it has to be a group). You
don't even really need a group expression, just do:

<Virtualhost domain.com>
DefaultRoot /usr/local/www/vhosts/domain.com
</Virtualhost>

I think that will work, anyone that logs in to that domain will be restricted to the directory.

Again, I have to ask, why may a user not upload into his home directory? I think I understand what you did, but it is somewhat unusual to have a home directory that is inaccessible to the user. I might suggest changing the user's home to the area in which they should be chroot()ed, or changing their web directory to a subdirectory of their home. That way the 'DefaultRoot ~' will work just fine, and it will allow users the flexibility of using their 'HOME' environment variable (which seems to be used by a lot of software).

Nothing to be sorry about... a unix newbie is infinitely better than a unix never-was, and everyone has to learn anyway. I am new to FreeBSD, but have used linux for a while.

Regards,
        Jeff Davis
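
Jeff's earlier suggestion of scripting the per-vhost blocks, combined with the `<VirtualHost>` / `DefaultRoot` form from the post above, as an added example in Python rather than perl (not code from anyone in the thread). It assumes every site directory sits directly under /usr/local/www/vhosts and is named after its domain, and it skips entries that are not hostname-shaped or are symlinks, so a stray entry cannot point a chroot somewhere else; the tree it runs on here is constructed in a temp directory.

```python
import os
import re
import tempfile

# Directory names are written into proftpd.conf verbatim, so only accept
# hostname-shaped names (no spaces, slashes, '<', '>' or '#').
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(r"%s(?:\.%s)+" % (LABEL, LABEL))


def build_vhost_blocks(vhosts_root):
    """Return (config_text, skipped) for every site directory under vhosts_root."""
    root = os.path.realpath(vhosts_root)
    blocks, skipped = [], []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if len(name) > 253 or not DOMAIN_RE.fullmatch(name):
            skipped.append((name, "not a hostname"))
        elif os.path.islink(path):
            # A symlinked site directory would move the chroot elsewhere.
            skipped.append((name, "symlink"))
        elif not os.path.isdir(path):
            skipped.append((name, "not a directory"))
        else:
            blocks.append("<VirtualHost %s>\n  DefaultRoot %s\n</VirtualHost>\n"
                          % (name, path))
    return "\n".join(blocks), skipped


def demo():
    """Generate config for a constructed vhosts tree (sample data, not real sites)."""
    with tempfile.TemporaryDirectory() as tmp:
        for site in ("domain.com", "example.org"):
            os.mkdir(os.path.join(tmp, site))
        os.mkdir(os.path.join(tmp, "bad name"))
        os.symlink("/tmp", os.path.join(tmp, "linked.example.net"))
        open(os.path.join(tmp, "notes.txt"), "w").close()
        return build_vhost_blocks(tmp)


if __name__ == "__main__":
    text, skipped = demo()
    print(text)
    for name, why in skipped:
        print("# skipped %s: %s" % (name, why))
```

ProFTPD matches a `<VirtualHost>` by the address its name resolves to, so these blocks only separate sites that have distinct addresses.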

 
 
 


Post by Kris Anderso » Sat, 17 Feb 2001 04:19:39


How about making a symbolic link in the user's home directory to their web
directory, or you could make the user's home directory the web directory.

Dunno the security ramifications of doing this though.

Hope that gives you a few ideas.

> How do I prevent ftp users (virtual hosts) from going up one
> directory/escaping their own directory? I don't want them to be able to browse
> through all the files on the server.

> I tried chmodding several files but nothing seems to result into what I
> want.

> Listing of ftp user directory:

> %ls -la
> total 11
> drwxr-xr-x 2 user user 512 Feb 6 21:02 .
> drwxr-xr-x 6 root wheel 512 Feb 9 03:32 ..
> -rw-r--r-- 1 user user 508 Feb 6 12:36 .cshrc
> -rw------- 1 user user 406 Feb 6 22:21 .history
> -rw-r--r-- 1 user user 592 Feb 6 12:36 .login
> -rw-r--r-- 1 user user 160 Feb 6 12:36 .login_conf
> -rw------- 1 user user 371 Feb 6 12:36 .mail_aliases
> -rw-r--r-- 1 user user 331 Feb 6 12:36 .mailrc
> -rw-r--r-- 1 user user 722 Feb 6 12:36 .profile
> -rw------- 1 user user 276 Feb 6 12:36 .rhosts
> -rw-r--r-- 1 user user 832 Feb 6 12:36 .shrc
> lrwx------ 1 root user 32 Feb 8 19:55 www -> /usr/local/www/vhosts/domain.com

> Regards,

> Digiman
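
On the symlink idea in the post above, an added example (not from the thread): once `DefaultRoot` has chroot()ed the session, an absolute link target such as the `www -> /usr/local/www/vhosts/domain.com` entry in the listing is looked up from the new root, so it dangles unless that path also exists inside the jail. The audit below reports how each symlink in a home directory would look from inside the chroot; it resolves one level of link lexically, and the directory tree is constructed in a temp directory.

```python
import os
import posixpath
import tempfile


def link_under_chroot(jail, link_path):
    """Classify one symlink as a session chroot()ed to `jail` would see it.

    Returns (status, target_in_jail), status being "inside" or "dangling".
    """
    target = os.readlink(link_path)
    if os.path.isabs(target):
        virt = target  # absolute targets restart at the jail root
    else:
        rel_dir = os.path.relpath(os.path.dirname(link_path), jail)
        virt = posixpath.join("/", rel_dir, target)
    virt = posixpath.normpath(virt)  # lexical: ".." cannot climb above "/"
    real = os.path.join(jail, virt.lstrip("/"))
    return ("inside" if os.path.exists(real) else "dangling", virt)


def audit_jail(jail):
    """Return {link_path_in_jail: (status, target_in_jail)} for all symlinks."""
    jail = os.path.realpath(jail)
    report = {}
    for dirpath, dirs, files in os.walk(jail):  # does not descend into links
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                shown = "/" + os.path.relpath(full, jail)
                report[shown] = link_under_chroot(jail, full)
    return report


def demo():
    """Constructed layout: a home dir with one absolute and one relative link."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "user")
        site = os.path.join(tmp, "vhosts", "domain.com")
        os.makedirs(os.path.join(home, "public"))
        os.makedirs(site)
        os.symlink(site, os.path.join(home, "www"))       # absolute, as in the listing
        os.symlink("public", os.path.join(home, "site"))  # relative, stays inside
        return audit_jail(home)


if __name__ == "__main__":
    for link, (status, target) in sorted(demo().items()):
        print("%-6s -> %s  [%s]" % (link, target, status))
```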

 
 
 
