[thelist] unix acl help

Dean Mah dean.mah at gmail.com
Thu Dec 20 09:24:47 CST 2007


Robert O'Rourke wrote:
> Hello,
> 
>     I'm stuck faffing around with file permissions for an ftp server I 
> just set up on one of our redhat boxes. While all the permissions are 
> pretty much there I'm struggling to understand the documentation I can 
> find on ACLs. Basically I want to deny a user access to see or even list 
> ANY directory other than their home directory. I already have the chroot 
> jail thing set up AFAIK (using vsftpd) but it doesn't seem to stop the 
> ftp user from being able to see and download files in most of the rest 
> of the file system.
>     Can I use ACL to block the individual user from seeing anything 
> outside the /home/ftp/username directory? Also I'd like to do the same 
> for the ftp-user group but limit that to /home/ftp...
> 
>     Please can anyone point me to some entry-level documentation or help 
> me out altogether with the commands I need to run?
> 
> Cheers,
> Rob

Are you trying to prevent people from accessing subdirectories of their
home directory?

- I don't know if this makes sense.  Why would you want to put
subdirectories in someone else's home directory?

Are users ftp'ing to your server with a given username and password,
i.e., are they local users on the machine?

- You can create users locally, set their home directory to
/home/ftp/username, set their shell to /sbin/nologin, and then add them
to vsftpd.chroot_list.  In vsftpd.conf set chroot_list_enable=YES.

- You could set the home directory for all users in the 'ftp-users'
group to /home/ftp and add them to the vsftpd.chroot_list file.

- Adding regular users to vsftpd.chroot_list should prevent them from
leaving their home directory, e.g., /home/username.

Are you allowing anonymous FTP?

- You should already have an underprivileged user like 'ftp'.  In
vsftpd.conf set nopriv_user=ftp.

Dean
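The chroot settings Dean lists interact in a way that is easy to get backwards, which is a common reason a "chroot jail" appears not to work: with chroot_local_user=NO the chroot list names the users who ARE confined, but with chroot_local_user=YES the same list names the exceptions who are NOT. The script below is an added example, not code from the thread or from the vsftpd project. It reads a vsftpd.conf, applies the rules from vsftpd.conf(5) (defaults chroot_local_user=NO, chroot_list_enable=NO, chroot_list_file=/etc/vsftpd.chroot_list), and reports whether a given local user would be chrooted; it also wraps the account-creation step from the reply. The /etc/vsftpd/chroot_list path used by add_ftp_user and the sample config and user names are assumptions for the dry run, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether a local vsftpd
# user will be confined to their home directory, given a vsftpd.conf.
#
# Rules from vsftpd.conf(5):
#   chroot_local_user=NO  chroot_list_enable=YES  list = users who ARE chrooted
#   chroot_local_user=YES chroot_list_enable=YES  list = users who are NOT chrooted
#   chroot_local_user=YES chroot_list_enable=NO   every local user is chrooted
#   chroot_local_user=NO  chroot_list_enable=NO   nobody is chrooted
#
# Defaults when a key is absent: chroot_local_user=NO, chroot_list_enable=NO,
# chroot_list_file=/etc/vsftpd.chroot_list. The Red Hat package's sample
# config points chroot_list_file at /etc/vsftpd/chroot_list instead, so check
# which path is actually in force before editing a list.

# Print the value of key $2 in config file $1, or default $3 if it is unset.
# Last occurrence wins; lines starting with '#' never match the anchored regex.
vsftpd_setting() {
    file=$1 key=$2 default=$3
    val=$( { grep -E "^[[:space:]]*${key}=" "$file" 2>/dev/null || true; } \
           | tail -n1 | cut -d= -f2- | tr -d '[:space:]')
    printf '%s' "${val:-$default}"
}

# Print "chrooted" or "not-chrooted" for local user $2 under config $1.
# A missing or unreadable list file is treated as an empty list here.
is_chrooted() {
    conf=$1 user=$2 in_list=no
    local_user=$(vsftpd_setting "$conf" chroot_local_user NO | tr '[:lower:]' '[:upper:]')
    list_enable=$(vsftpd_setting "$conf" chroot_list_enable NO | tr '[:lower:]' '[:upper:]')
    list_file=$(vsftpd_setting "$conf" chroot_list_file /etc/vsftpd.chroot_list)
    if [ "$list_enable" = YES ] && [ -r "$list_file" ] \
       && grep -qxF -- "$user" "$list_file"; then
        in_list=yes
    fi
    if [ "$local_user" = YES ]; then
        # the list, when enabled, holds the exceptions
        if [ "$in_list" = yes ]; then echo not-chrooted; else echo chrooted; fi
    else
        # the list, when enabled, holds the users to confine
        if [ "$in_list" = yes ]; then echo chrooted; else echo not-chrooted; fi
    fi
}

# Create a confined local FTP account as the reply describes: home under
# /home/ftp, no interactive shell, and an entry in the chroot list.
# Needs root and is not run by the dry run below. The default list path is an
# assumption; pass the path your vsftpd.conf names in chroot_list_file.
add_ftp_user() {
    user=$1 list=${2:-/etc/vsftpd/chroot_list}
    useradd -m -d "/home/ftp/$user" -s /sbin/nologin "$user" || return 1
    grep -qxF -- "$user" "$list" 2>/dev/null || echo "$user" >> "$list"
}

# Constructed sample for a dry run: a config in the style of the reply plus a
# chroot list naming "rob". $1 is a scratch directory, $2 is chroot_local_user.
make_sample() {
    dir=$1 mode=${2:-NO}
    printf 'rob\n' > "$dir/chroot_list"
    cat > "$dir/vsftpd.conf" <<EOF
# local logins only, anonymous off, unprivileged helper user
anonymous_enable=NO
local_enable=YES
nopriv_user=ftp
# chroot handling: with chroot_local_user=NO the list names who IS confined
chroot_local_user=$mode
chroot_list_enable=YES
chroot_list_file=$dir/chroot_list
EOF
}

# Dry run: the same list file means opposite things under the two modes.
demo() {
    d=$(mktemp -d)
    for mode in NO YES; do
        make_sample "$d" "$mode"
        echo "chroot_local_user=$mode: rob=$(is_chrooted "$d/vsftpd.conf" rob)" \
             "alice=$(is_chrooted "$d/vsftpd.conf" alice)"
    done
    rm -rf "$d"
}
demo
```

Two things worth checking on a Red Hat box alongside this: /sbin/nologin is listed in /etc/shells there, which the pam_shells check in vsftpd's PAM configuration requires, so a nologin shell still allows FTP login while blocking SSH; and vsftpd 2.3.5 and later refuse to chroot a user whose home directory is writable by them, so on current versions make /home/ftp/username root-owned and give the user a writable subdirectory rather than turning that check off.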



