[thelist] unix acl help
Dean Mah
dean.mah at gmail.com
Thu Dec 20 09:24:47 CST 2007
Robert O'Rourke wrote:
> Hello,
>
> I'm stuck faffing around with file permissions for an ftp server I
> just set up on one of our redhat boxes. While all the permissions are
> pretty much there I'm struggling to understand the documentation I can
> find on ACLs. Basically I want to deny a user access to see or even list
> ANY directory other than their home directory. I already have the chroot
> jail thing set up AFAIK (using vsftpd) but it doesn't seem to stop the
> ftp user from being able to see and download files in most of the rest
> of the file system.
> Can I use ACL to block the individual user from seeing anything
> outside the /home/ftp/username directory? Also I'd like to do the same
> for the ftp-user group but limit that to /home/ftp...
>
> Please can anyone point me to some entry-level documentation or help
> me out altogether with the commands I need to run?
>
> Cheers,
> Rob

Are you trying to prevent people from accessing subdirectories of their
home directory?

- I don't know if this makes sense. Why would you want to put
  subdirectories in someone else's home directory?

Are users ftp'ing to your server with a given username and password,
i.e., are they local users on the machine?

- You can create users locally, set their home directory to
  /home/ftp/username, set their shell to /sbin/nologin, and then add them
  to vsftpd.chroot_list. In vsftpd.conf set chroot_list_enable=YES.
- You could set the home directory for all users in the 'ftp-users'
  group to /home/ftp and add them to the vsftpd.chroot_list file.
- Adding regular users to vsftpd.chroot_list should prevent them from
  leaving their home directory, e.g., /home/username.

Are you allowing anonymous FTP?

- You should already have an underprivileged user like 'ftp'. In
  vsftpd.conf set nopriv_user=ftp.

Dean
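
Added example, not part of the original post: a shell audit of the setup described in the reply above (home under /home/ftp, shell /sbin/nologin, user listed in vsftpd.chroot_list, chroot_list_enable=YES). It also accounts for vsftpd's chroot_local_user=YES, which inverts the list so that listed users are NOT chrooted. The function names, the sample files and the users alice and bob are constructed for illustration, and only the literal value YES is recognised.

```shell
#!/bin/sh
# Added example (not from the original post): audit the chroot setup from the thread.

# conf_get FILE KEY: print the last value assigned to KEY in a vsftpd.conf-style file.
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# is_chrooted CONF LIST USER: succeed if vsftpd would chroot USER.
# With chroot_local_user=YES the list is inverted: listed users are NOT chrooted.
is_chrooted() {
    listed=no
    if [ "$(conf_get "$1" chroot_list_enable)" = YES ] && grep -qxF -- "$3" "$2"; then
        listed=yes
    fi
    if [ "$(conf_get "$1" chroot_local_user)" = YES ]; then
        [ "$listed" = no ]
    else
        [ "$listed" = yes ]
    fi
}

# audit_user PASSWD CONF LIST USER: print one line per problem, fail if any.
audit_user() {
    entry=$(grep "^$4:" "$1") || { echo "$4: no passwd entry"; return 1; }
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)
    rc=0
    case "$home" in
        /home/ftp|/home/ftp/*) ;;
        *) echo "$4: home $home is outside /home/ftp"; rc=1 ;;
    esac
    [ "$shell" = /sbin/nologin ] || { echo "$4: shell is $shell, not /sbin/nologin"; rc=1; }
    is_chrooted "$2" "$3" "$4" || { echo "$4: not chrooted by vsftpd"; rc=1; }
    return $rc
}

# make_sample DIR: write constructed sample files (user names are made up).
make_sample() {
    printf '%s\n' 'alice:x:1001:1001::/home/ftp/alice:/sbin/nologin' \
                  'bob:x:1002:1002::/home/bob:/bin/bash' > "$1/passwd"
    printf '%s\n' 'chroot_list_enable=YES' 'nopriv_user=ftp' > "$1/vsftpd.conf"
    printf '%s\n' 'alice' > "$1/chroot_list"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
for u in alice bob; do
    audit_user "$demo_dir/passwd" "$demo_dir/vsftpd.conf" "$demo_dir/chroot_list" "$u" || true
done
rm -rf "$demo_dir"
```

On a real host, pass /etc/passwd and the server's own vsftpd.conf and chroot list paths instead of the sample files.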