FTP access

Hello,

Is it possible to give user only FTP access / browsing rights for certain directory within /srv/www/htdocs and prevent same user to browse all other directories, even user’s /home directory on that server?

Yes.
Typically in the FTP application, you configure virtual directory access pointing to various actual locations, remembering to enable a setting that sounds something like “Disable Parent Directory Access” or something like that.

HTH,
Tony

I need to enable this on local machine /server, I don’t have control over remote FTP client that will be accessing machine / server.
Is there a way to enable it in YAST when creating user or similar?

Typically you first choose and install an FTP application from the OSS which typically supports integration with YAST, then configure with YAST (or the FTP app’s own methods).

You never really care much about what FTP client the remote client is using, the only main consideration before anything else is whether to support Active or PASV FTP if you need to cross firewalls. Active FTP requires only one control and one data port while PASV FTP requires one data port and a range of multiple ports for data.

When the remote User authenticates to your FTP application (presents User credentials), with proper login credentials can be configured to gain access to a virtual directory pointing even to a Home directory. Typically in this case, you use standard credentials for the location, ie local machine or network credentials the User would use if he were to “normally” access that directory. You may want to create a special Security Group to grant more restricted access than usual if you don’t want your FTP users to actually logon locally to your machine.

Tony


@Tony

First of all thank you for your help. I’ll try to rephrase the question. I need to disable user to access /root directory?

See my post #2, when you configure a virtual directory without parent directory permissions the User can only browse the virtual directory (virtual root, not system root) and its child directories (assuming credentials are valid for those directories). Never up and over to another branch of the directory tree unless there is a bug in the application which isn’t totally unheard of.

Strictly speaking, this is not a system configuration — It’s an application (FTP Server) configuration.

Think of a virtual file system which is what a virtual directory is, as a layer on top of the physical file system… with its own rules and structure.

Tony

On 02/12/2011 07:06 PM, erik100 wrote:

> I need to disable user to access /root directory?

i guess something is wrong with the way you set up your ftpd, because
i’m pretty sure the default install/setup will NOT allow distant
parties to browse outside of the directories you specify for ftp use…

so, maybe you accidentally set it up to allow full system
access…not a good idea…


DenverD
CAVEAT: http://is.gd/bpoMD
[NNTP posted w/openSUSE 11.3, KDE4.5.5, Thunderbird3.0.11, nVidia
173.14.28 3D, Athlon 64 3000+]
“It is far easier to read, understand and follow the instructions than
to undo the problems caused by not.” DD 23 Jan 11

Over the years, I’ve sometimes seen various FTP leave this file directory traversal configuration unconfigured.
Unconfigured, it’s anyone’s guess whether directory traversal is possible without actual testing… The problem could be that even if the User doesn’t have clear visibility of browsable directories, if security isn’t explicitly locked down he could guess at locations and of course the Linux directory tree isn’t that much of a mystery.

This is such an important security configuration I wouldn’t leave anything to chance. I highly recommend looking for the configuration and making sure it’s set explicitly.

Tony

On 2011-02-12 21:19, DenverD wrote:
> On 02/12/2011 07:06 PM, erik100 wrote:
>
>> I need to disable user to access /root directory?
>
> i guess something is wrong with the way you set up your ftpd, because
> i’m pretty sure the default install/setup will NOT allow distant
> parties to browse outside of the directories you specify for ftp use…

It does if you set up real, system, users. vsftpd does that.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
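
Added example, not part of any post in this thread: a shell check for the vsftpd case raised above, reporting whether a vsftpd.conf confines local system users explicitly or leaves it to the default. It relies on the vsftpd options local_enable, chroot_local_user and chroot_list_enable; the function names and the sample config are constructed for illustration, and it assumes a later line for the same option overrides an earlier one.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a vsftpd.conf confines
# local system users, so the chroot setting is never left implicit.

# Effective value of option $2 in file $1, upper-cased. Commented-out lines
# never match; the last matching line is used (assumed to override earlier ones).
conf_get() {
    sed -n "s/^$2=\([^[:space:]]*\)[[:space:]]*\$/\1/p" "$1" |
        tail -n 1 | tr '[:lower:]' '[:upper:]'
}

# Print one status word for the config file given as $1.
vsftpd_chroot_status() {
    conf=$1
    # Without local_enable=YES, system users cannot log in over FTP at all.
    [ "$(conf_get "$conf" local_enable)" = YES ] || { echo local-logins-disabled; return; }
    jail_all=$(conf_get "$conf" chroot_local_user)
    use_list=$(conf_get "$conf" chroot_list_enable)
    if [ "$jail_all" = YES ] && [ "$use_list" = YES ]; then
        echo all-jailed-except-listed   # the list names users left unconfined
    elif [ "$jail_all" = YES ]; then
        echo all-jailed
    elif [ "$use_list" = YES ]; then
        echo only-listed-jailed         # the list names the users to confine
    elif [ -z "$jail_all" ]; then
        echo unconfigured-not-jailed    # option absent: default (no chroot) applies
    else
        echo explicit-not-jailed
    fi
}

# Run the check on a constructed sample config (not a real server's file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample
anonymous_enable=NO
local_enable=YES
#chroot_local_user=YES
EOF
    vsftpd_chroot_status "$tmp"
    rm -f "$tmp"
}
demo
```

Any result other than all-jailed or local-logins-disabled means at least some system users can browse outside their login directory, limited only by file permissions.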