Subject: [CentOS] Preventing a user from moving "up" directories
I am in the process of setting up a new server. In the process I cannot remember what I need to set so that an FTP user cannot move upward in the directory tree of the user's directory. The FTP server is VSFTP. The user's directory is owned by the user and the permissions are 775.
Isn't there a setting in httpd.conf to prevent that?
Todd
I dunno about httpd.conf yet...
In /etc make a file called vsftpd.chroot_list and put the people in it that can ftp in and go up the tree.
Depending on config, /etc/vsftpd.user_list are typically users that are not allowed to ftp in under any circumstances. Look at the config file and that file to get more info.
If userlist_deny=NO, only allow users in this file
If userlist_deny=YES (default), never allow users in this file, and do not even prompt for a password.
Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers for users that are denied.
Then... go into /etc/vsftpd/vsftpd.conf and you should be able to figure out the rest
Then at the end of the file mine looks like this... I don't recall where I got the info or if it was intuitive
chroot_local_user=YES
#
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
As a side note, when I create shell accounts that can only ftp in I usually call the shell /bin/ftponly and I put a reference to it in /etc/shells at the end.
That way they cannot ssh in or whatever.
- rh
-- Robert - Abba Communications Computer & Internet Services (509) 624-7159 - www.abbacomm.net
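
Added example (not part of the original messages): a small checker showing how the options in the reply combine, in particular that with chroot_local_user=YES the chroot_list_file names the users who are NOT confined to their home directory. The user names and list contents are constructed for illustration, and login_allowed() covers only the userlist check, not the PAM ftpusers file.

```python
# Added example: evaluates vsftpd chroot/userlist options for given users.
# Sample config mirrors the reply; user names and lists are constructed.
SAMPLE_CONF = """\
chroot_local_user=YES
#
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#ls_recurse_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
"""

def parse_conf(text):
    """Parse vsftpd.conf text: 'option=value' lines; '#' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return opts

def is_yes(opts, key, default="NO"):
    return opts.get(key, default).upper() in ("YES", "TRUE", "1")

def is_chrooted(opts, user, chroot_list):
    """chroot_list: set of users named in chroot_list_file."""
    chroot_all = is_yes(opts, "chroot_local_user")
    if not is_yes(opts, "chroot_list_enable"):
        return chroot_all
    # The list holds the exceptions to chroot_local_user:
    #   chroot_local_user=YES -> listed users are NOT chrooted
    #   chroot_local_user=NO  -> only listed users are chrooted
    return (user not in chroot_list) if chroot_all else (user in chroot_list)

def login_allowed(opts, user, user_list):
    """user_list: set of users named in userlist_file (/etc/vsftpd.user_list)."""
    if not is_yes(opts, "userlist_enable"):
        return True
    if is_yes(opts, "userlist_deny", default="YES"):
        return user not in user_list   # file is a deny list
    return user in user_list           # file is an allow list

if __name__ == "__main__":
    opts = parse_conf(SAMPLE_CONF)
    for user in ("todd", "admin", "root"):
        print(user, "chrooted:", is_chrooted(opts, user, {"admin"}),
              "login:", login_allowed(opts, user, {"root"}))
```

Any account left in the chroot list while chroot_local_user=YES can still browse the whole filesystem, so that file is worth reviewing whenever the option is flipped.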