[CentOS] Preventing a user from moving "up" directories
R Lists06
lists06 at abbacomm.net
Wed Jan 17 06:22:23 UTC 2007
> Subject: [CentOS] Preventing a user from moving "up" directories
>
> I am in the process of setting up a new server. In the process I cannot
> remember what I need to set so that an FTP user cannot move upward in
> the directory tree of the user's directory. The FTP server is VSFTP.
> The user's directory is owned by the user and the permissions are 775.
>
> Isn't there a setting in httpd.conf to prevent that?
>
> Todd
>
I dunno about httpd.conf yet...
In /etc make a file called vsftpd.chroot_list and put the people in it that
can ftp in and go up the tree.
Depending on config, /etc/vsftpd.user_list are typically users that are not
allowed to ftp in under any circumstances. Look at the config file and that
file to get more info:
If userlist_deny=NO, only allow users in this file
If userlist_deny=YES (default), never allow users in this file, and
do not even prompt for a password.
Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
for users that are denied.
Then... go into /etc/vsftpd/vsftpd.conf and you should be able to figure out
the rest.
Then at the end of the file mine looks like this... I don't recall where I
got the info or if it was intuitive:
chroot_local_user=YES
#
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
As a side note, when I create shell accounts that can only ftp in I usually
call the shell /bin/ftponly and I put a reference to it in /etc/shells at
the end.
That way they cannot ssh in or whatever.
- rh
--
Robert - Abba Communications
Computer & Internet Services
(509) 624-7159 - www.abbacomm.net
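
Added example, not part of the original message: a shell sketch of how the three chroot options in the config above combine. With chroot_local_user=YES the file named by chroot_list_file lists the users who are NOT jailed; without it, the same file lists the users who are. The function names, the user names "ftpuser" and "admin", and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): would vsftpd chroot this local user?
# Handles only the YES/NO spelling and option=value form used in the post.

# conf_get FILE KEY DEFAULT -> value of the last uncommented KEY= line
# (taking the last occurrence is an assumption of this sketch).
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# chroot_status CONF USER -> prints "jailed" or "free"
chroot_status() {
    all=$(conf_get "$1" chroot_local_user NO)
    use_list=$(conf_get "$1" chroot_list_enable NO)
    list=$(conf_get "$1" chroot_list_file /etc/vsftpd.chroot_list)
    listed=NO
    if [ "$use_list" = YES ] && [ -f "$list" ] && grep -Fxq -- "$2" "$list"; then
        listed=YES
    fi
    # chroot_local_user=YES: everyone is jailed, the list names the exceptions.
    # chroot_local_user=NO:  nobody is jailed, the list names who is jailed.
    if [ "$all" = YES ]; then
        if [ "$listed" = YES ]; then echo free; else echo jailed; fi
    else
        if [ "$listed" = YES ]; then echo jailed; else echo free; fi
    fi
}

# Constructed demo: the post's settings, with "admin" as a made-up listed user.
demo() {
    d=$(mktemp -d) || return 1
    printf 'admin\n' > "$d/chroot_list"
    printf '%s\n' 'chroot_local_user=YES' 'chroot_list_enable=YES' \
        "chroot_list_file=$d/chroot_list" > "$d/vsftpd.conf"
    for u in ftpuser admin; do
        echo "$u: $(chroot_status "$d/vsftpd.conf" "$u")"
    done
    rm -rf "$d"
}
demo
```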