[thelist] unix acl help

David Menzel DavidM at circlebroach.net
Thu Dec 20 11:54:46 CST 2007


What you describe wanting is exactly what chroot is supposed to do. You
stated that you believe this is set up already, but please check your
settings on this again. To quote from a previous respondent:

- Adding regular users to vsftpd.chroot_list should prevent them from
leaving their home directory, e.g., /home/username.
Robert O'Rourke wrote:
> Dean Mah wrote:
>> Robert O'Rourke wrote:
>>> Hello,
>>>
>>>     I'm stuck faffing around with file permissions for an ftp server I
>>> just set up on one of our redhat boxes. While all the permissions are
>>> pretty much there I'm struggling to understand the documentation I can
>>> find on ACLs. Basically I want to deny a user access to see or even list
>>> ANY directory other than their home directory. I already have the chroot
>>> jail thing set up AFAIK (using vsftpd) but it doesn't seem to stop the
>>> ftp user from being able to see and download files in most of the rest
>>> of the file system.
>>>     Can I use ACL to block the individual user from seeing anything
>>> outside the /home/ftp/username directory? Also I'd like to do the same
>>> for the ftp-user group but limit that to /home/ftp...
>>>
>>>     Please can anyone point me to some entry-level documentation or help
>>> me out altogether with the commands I need to run?
>>>
>>> Cheers,
>>> Rob
>>
>> Are you trying to prevent people from accessing subdirectories of their
>> home directory?
>>
>> - I don't know if this makes sense.  Why would you want to put
>> subdirectories in someone else's home directory?
>
> I'm not preventing them from accessing their subdirectories, more the
> other way around. My client is using filezilla and although I can trust
> them I just think it would be a bit more user friendly if they weren't able
> to browse the main file system, e.g. /dev /etc /bin and so on. I want '/'
> to be equivalent to their home directory if that makes sense.
>
>> Are users ftp'ing to your server with a given username and password,
>> i.e., are they local users on the machine?
>
> Yes. I set up the user account and set up a group called ftp-users for them.
>
>> - You can create users locally, set their home directory to
>> /home/ftp/username, set their shell to /sbin/nologin, and then add them
>> to vsftpd.chroot_list.  In vsftpd.conf set chroot_list_enable=YES.
>>
>> - You could set the home directory for all users in the 'ftp-users'
>> group to /home/ftp and add them to the vsftpd.chroot_list file.
>>
>> - Adding regular users to vsftpd.chroot_list should prevent them from
>> leaving their home directory, e.g., /home/username.
>
> I've the user I'm trying to restrict in there so far. But they can still
> see the main file structure... I don't get it.
>
>> Are you allowing anonymous FTP?
>
> nope
>
>> - You should already have an underprivileged user like 'ftp'.  In
>> vsftpd.conf set nopriv_user=ftp.
>
> I have a group called ftp-users that the user account I set up is a
> member of... should I have used the existing ftp user and group instead
> of creating the ftp-users group? There's no user called ftp-users
> because I just used the groupadd command...
>
>> Dean
>
> Cheers Dean,
>
> Rob
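A small check for the settings the thread turns on (chroot_list_enable, vsftpd.chroot_list) that a reader can run against their own vsftpd.conf. It is an added example, not code from the thread or from the vsftpd project; it applies vsftpd's documented rule that chroot_local_user inverts the meaning of the list, and the file paths in the demo are constructed temporary files.

```sh
#!/bin/sh
# Added example, not from the thread: decide whether vsftpd will chroot a
# given local user, from its vsftpd.conf and chroot list file. vsftpd's
# documented rule: with chroot_local_user=NO (the default) the list names
# users who ARE jailed; with chroot_local_user=YES the list names users who
# are NOT jailed. A user who is "in the list" yet still browses / is the
# symptom the thread describes, and this inversion is one way to get it.

# conf_value CONF KEY: print the last value assigned to KEY (empty if unset)
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# vsftpd_user_chrooted CONF USER: print "yes" if USER is jailed, else "no"
vsftpd_user_chrooted() {
    conf=$1; user=$2
    local_user=$(conf_value "$conf" chroot_local_user)
    list_enable=$(conf_value "$conf" chroot_list_enable)
    list_file=$(conf_value "$conf" chroot_list_file)
    # vsftpd's defaults when the keys are absent from the config
    : "${local_user:=NO}" "${list_enable:=NO}" "${list_file:=/etc/vsftpd.chroot_list}"
    listed=no
    if [ "$list_enable" = YES ] && [ -r "$list_file" ] && grep -qxF "$user" "$list_file"; then
        listed=yes
    fi
    if [ "$local_user" = YES ]; then
        # everyone is jailed except the listed users
        [ "$listed" = yes ] && echo no || echo yes
    else
        # only the listed users are jailed
        echo "$listed"
    fi
}

# Demo on a constructed config in a temporary directory (removed afterwards)
demo() {
    d=$(mktemp -d)
    printf 'rob\n' > "$d/chroot_list"
    printf 'chroot_list_enable=YES\nchroot_list_file=%s\n' "$d/chroot_list" > "$d/vsftpd.conf"
    echo "rob jailed (list names jailed users): $(vsftpd_user_chrooted "$d/vsftpd.conf" rob)"
    echo 'chroot_local_user=YES' >> "$d/vsftpd.conf"
    echo "rob jailed (list names exemptions):  $(vsftpd_user_chrooted "$d/vsftpd.conf" rob)"
    rm -rf "$d"
}
demo
```

Point it at the real config (for example `vsftpd_user_chrooted /etc/vsftpd/vsftpd.conf username`) to see which way the list is being read on the box in question.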
