[thelist] unix acl help
Robert O'Rourke
rob at sanchothefat.com
Thu Dec 20 11:23:27 CST 2007
Dean Mah wrote:
> Robert O'Rourke wrote:
>
>> Hello,
>>
>> I'm stuck faffing around with file permissions for an ftp server I
>> just set up on one of our redhat boxes. While all the permissions are
>> pretty much there I'm struggling to understand the documentation I can
>> find on ACLs. Basically I want to deny a user access to see or even list
>> ANY directory other than their home directory. I already have the chroot
>> jail thing set up AFAIK (using vsftpd) but it doesn't seem to stop the
>> ftp user from being able to see and download files in most of the rest
>> of the file system.
>> Can I use ACL to block the individual user from seeing anything
>> outside the /home/ftp/username directory? Also I'd like to do the same
>> for the ftp-user group but limit that to /home/ftp...
>>
>> Please can anyone point me to some entry-level documentation or help
>> me out altogether with the commands I need to run?
>>
>> Cheers,
>> Rob
>>
>
> Are you trying to prevent people from accessing subdirectories of their
> home directory?
>
> - I don't know if this makes sense. Why would you want to put
> subdirectories in someone else's home directory?
>
>
I'm not preventing them from accessing their subdirectories, more the
other way around. My client is using filezilla and although I can trust
them I just think it would be a bit more user friendly if they weren't able
to browse the main file system, e.g. /dev /etc /bin and so on. I want '/'
to be equivalent to their home directory if that makes sense.
> Are users ftp'ing to your server with a given username and password,
> i.e., are they local users on the machine?
>
Yes. I set up the user account and set up a group called ftp-users for them.
> - You can create users locally, set their home directory to
> /home/ftp/username, set their shell to /sbin/nologin, and then add them
> to vsftpd.chroot_list. In vsftpd.conf set chroot_list_enable=YES.
>
> - You could set the home directory for all users in the 'ftp-users'
> group to /home/ftp and add them to the vsftpd.chroot_list file.
>
> - Adding regular users to vsftpd.chroot_list should prevent them from
> leaving their home directory, e.g., /home/username.
>
>
I've the user I'm trying to restrict in there so far. But they can still
see the main file structure... I don't get it.
> Are you allowing anonymous FTP?
>
Nope.
> - You should already have an underprivileged user like 'ftp'. In
> vsftpd.conf set nopriv_user=ftp.
>
I have a group called ftp-users that the user account I set up is a
member of... should I have used the existing ftp user and group instead
of creating the ftp-users group? There's no user called ftp-users
because I just used the groupadd command...
> Dean
>
Cheers Dean,
Rob
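Added example, not part of the thread and not vsftpd's own code: a small POSIX shell check that reads a vsftpd.conf and the chroot list file it names, and reports whether vsftpd would confine a given local user to their home directory. It follows the semantics documented in vsftpd.conf(5): with chroot_local_user=NO (the default), chroot_list_enable=YES makes the listed users the ones that ARE jailed; with chroot_local_user=YES the same list becomes the set of users that are EXEMPT from the jail. That inversion is a common reason a user added to vsftpd.chroot_list still sees the whole filesystem. The config files, the list contents and the user names below are constructed for the demonstration; the default list path /etc/vsftpd.chroot_list is vsftpd's own default, but a Red Hat package may point chroot_list_file elsewhere, so the check reads the path from the config rather than assuming it.

```shell
#!/bin/sh
# Added example (not from the thread): predict whether vsftpd would chroot a
# local user, from chroot_local_user / chroot_list_enable / chroot_list_file.

# conf_value FILE KEY DEFAULT: print the last uncommented "KEY=value" in FILE,
# or DEFAULT if the key is not set.
conf_value() {
    _val=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    [ -n "$_val" ] && printf '%s\n' "$_val" || printf '%s\n' "$3"
}

# is_yes VALUE: vsftpd accepts YES/yes/true/1 for boolean options.
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# user_listed LISTFILE USER: success if USER is a whole line of LISTFILE.
user_listed() {
    [ -f "$1" ] && grep -qx "$2" "$1"
}

# vsftpd_user_chrooted CONF USER: prints "yes" if vsftpd would jail USER in
# their home directory, "no" if USER could browse the whole filesystem.
vsftpd_user_chrooted() {
    conf=$1; user=$2
    all=$(conf_value "$conf" chroot_local_user NO)
    use_list=$(conf_value "$conf" chroot_list_enable NO)
    listfile=$(conf_value "$conf" chroot_list_file /etc/vsftpd.chroot_list)
    listed=no
    if is_yes "$use_list" && user_listed "$listfile" "$user"; then listed=yes; fi
    if is_yes "$all"; then
        # chroot_local_user=YES: everyone is jailed EXCEPT the listed users
        [ "$listed" = yes ] && echo no || echo yes
    else
        # chroot_local_user=NO (default): ONLY the listed users are jailed
        [ "$listed" = yes ] && echo yes || echo no
    fi
}

# Constructed sample files for the demonstration.
DEMO_DIR=$(mktemp -d)
printf 'rob\n' > "$DEMO_DIR/chroot_list"

# Config 1: the list-based setup described in the thread (chroot_local_user unset).
CONF_LIST_ONLY=$DEMO_DIR/vsftpd-listonly.conf
cat > "$CONF_LIST_ONLY" <<EOF
anonymous_enable=NO
local_enable=YES
chroot_list_enable=YES
chroot_list_file=$DEMO_DIR/chroot_list
EOF

# Config 2: same list, but chroot_local_user=YES turns the list into an exemption list.
CONF_ALL_BUT_LIST=$DEMO_DIR/vsftpd-allbutlist.conf
cat > "$CONF_ALL_BUT_LIST" <<EOF
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$DEMO_DIR/chroot_list
EOF

for u in rob alice; do
    echo "list-only config:    $u chrooted? $(vsftpd_user_chrooted "$CONF_LIST_ONLY" "$u")"
    echo "all-but-list config: $u chrooted? $(vsftpd_user_chrooted "$CONF_ALL_BUT_LIST" "$u")"
done
```

Run it against the real files with `vsftpd_user_chrooted /etc/vsftpd/vsftpd.conf username` (Red Hat path) after sourcing the functions; a "no" for a user you expected to be jailed points at either the list file path or the chroot_local_user inversion. Note that this only models the chroot decision, not whether the chroot itself is effective once entered.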