[thelist] unix acl help

Robert O'Rourke rob at sanchothefat.com
Thu Dec 20 11:23:27 CST 2007


Dean Mah wrote:
> Robert O'Rourke wrote:
>   
>> Hello,
>>
>>     I'm stuck faffing around with file permissions for an ftp server i 
>> just set up on one of our redhat boxes. While all the permissions are 
>> pretty much there I'm struggling to understand the documentation I can 
>> find on ACLs. Basically I want to deny a user access to see or even list 
>> ANY directory other than their home directory. I already have the chroot 
>> jail thing set up AFAIK (using vsftpd) but it doesn't seem to stop the 
>> ftp user from being able to see and download files in most of the rest 
>> of the file system.
>>     Can I use ACL to block the individual user from seeing anything 
>> outside the /home/ftp/username directory? Also I'd like to do the same 
>> for the ftp-user group but limit that to /home/ftp...
>>
>>     Please can anyone point me to some entry-level documentation or help 
>> me out altogether with the commands I need to run?
>>
>> Cheers,
>> Rob
>>     
>
> Are you trying to prevent people for accessing subdirectories of their
> home directory?
>
> - I don't know if this makes sense.  Why would you want to put
> subdirectories in a someone else's home directory?
>
>   

I'm not preventing them from accessing their subdirectories, more the 
other way around. My client is using filezilla and although I can trust 
them I just think it would a bit more user friendly if they werent able 
to browse the main file system eg. /dev /etc /bin and so on. I want '/' 
to be equivalent to their home directory if that makes sense.

> Are users ftp'ing to your server with a given username and password,
> i.e., are they local users on the machine?
>   

Yes. I set up the user account and set up a group called ftp-users for them.

> - You can create users locally, set their home directory to
> /home/ftp/username, set their shell to /sbin/nologin, and then add them
> to vsftpd.chroot_list.  In vsftpd.conf set chroot_list_enable=YES.
>
> - You could set the home directory for all users in the 'ftp-users'
> group to /home/ftp and add them to the vsftpd.chroot_list file.
>
> - Adding regular users to vsftpd.chroot_list should prevent them from
> leaving their home directory, e.g., /home/username.
>
>   

I've the user I'm trying to restrict in there so far. But they can still 
see the main file structure... I don't get it.

> Are you allowing anonymous FTP?
>   

nope

> - You should already have an underprivileged user like 'ftp'.  In
> vsftpd.conf set nopriv_user=ftp.
>   

I have a group called ftp-users that the user account I set up is a 
member of... should I have used the existing ftp user and group instead 
of creating the ftp-users group? There's no user called ftp-users 
because I just used  the groupadd command...

> Dean
>   

Cheers Dean,

Rob




More information about the thelist mailing list