I have set up a new server, version 5, and a couple of domains. I have created a user under a domain for my web developer. It has access to the two default directories, and not much else. I set it to Email and FTP. When I test the FTP login, I can DL any file on my server as if logged in as root. Does anyone have any suggestions, as this will not do?
This server is not customized at all, and was installed a few days ago, then upgraded to Pro as I take down the old box. All I did was create the user, then test login.
After FTP login from CMD in windows, I did a ‘cd /’ and found myself at root, then went in to /etc and grabbed a few .conf files!!!
Help please! Thanks!
Virtualmin -> Select a virtual host -> edit user -> add user…
That will create a user with FTP and email under that specific domain, and he won't have any shell access.
I have just logged in as the domain user (pretty sure I did the first time), made a new user exactly as above, and still have root access with it. Can anyone suggest anything else?
Also, the user does not have shell access, but has root access via FTP.
I am not terribly interested in wiping this server, it is physical, and remote, not a virtual server, so hopefully I can solve this.
If you did it via Virtualmin and use “cd /”, you can access the main folders but you can’t read/write to them. You need to “cage” the FTP user in its own account. I don’t know how you set up your server.
First thing to do is to give them a home directory to operate.
After that, go to Limits and Validation -> FTP Directory Restriction… force the FTP user to its own home directory and, before saving, click the “active” checkbox.
I set up my server with the Virtualmin script, from the DL page. I have not changed anything FTP-ish on the base install. I have not changed much at all, actually; it is pretty clean. I am sure I can fix it by changing the FTP server settings myself, but wanted to fix the Virtualmin portion so it goes away in the future, and figured it could be a bug of some sort, which is a pretty big hole if so.
I have not done anything weird here, it is Ubuntu 14.04, clean Virtualmin install, etc. I logged in as a domain OWNER, and made a user that has root abilities as FTP. This should not happen ever, if I understand things. I cannot see how the privileges would propagate, unless they are coming from the Virtualmin process or whatever. I can fix it myself by modifying the FTP server, but I am hoping for a Virtualmin related fix here. I have not looked hard into it so far for this reason. I had hoped someone with a V5 install might try this and see if it is reproducible.
I changed things as advised under Limits and Validations - I used “other” and entered /home/DOMAIN/public_html/ and that works great, but I would have assumed that this would have been more restrictive by default.
My default user can access and read files from most everywhere, but not other user directories. No write access to /etc though.
Again, isn’t this a giant flaw, leaking all the files on the drive to every FTP user by default? I would not have noticed without the directory change to / and then trying to DL files, as I was surprised to be at the drive root. There are likely many others in the same situation.
I believe that all FTP servers behave that way on low and medium security settings. I hardened mine before adding new virtual servers. This issue has never happened to me since I have taken steps to make it a little difficult to be attacked. I even added code to block IP addresses on consecutive wrong passwords.
Another way to do this for every user on the server, whether they are a virtual server user or not, is via ProFTPD itself.
Go to Webmin > Servers > ProFTPD Server > Files and Directories. Then under ‘Limit users to directories’ change the ‘Directory’ checkbox to ‘Home directory’. Click Save and restart ProFTPD.
The problem is the ‘DefaultRoot’ directive in the config file. In older versions of ProFTPD users used to be jailed to their home directory; now the default is as follows:
# To cause every FTP user to be “jailed” (chrooted) into their home
# directory, uncomment this line.
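Two checks an admin would want after reading the above, as an added example that is not part of the thread or of Virtualmin/ProFTPD: the first parses a proftpd.conf and reports whether DefaultRoot is actually active in the main context (a commented-out ‘#DefaultRoot ~’ does nothing); the second repeats the poster's ‘cd /’ test over an ftplib connection and reports whether system directories are visible. The two config texts are constructed samples modelled on the stock Debian/Ubuntu file; the host, user and password passed to probe() are assumptions.

```python
"""Audit helpers for the ProFTPD DefaultRoot jail (added example, not project code)."""
import re
from ftplib import FTP, error_perm

# Constructed sample of the shipped default: the directive is commented out,
# so an FTP user may 'cd /' and fetch anything that is world-readable.
WEAK_CONF = """\
ServerName "Debian"
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
"""

# The same file with the directive enabled: every user is chrooted to $HOME.
HARDENED_CONF = """\
ServerName "Debian"
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
"""

_DIRECTIVE = re.compile(r"^DefaultRoot\s+(\S+)", re.IGNORECASE)
_OPEN = re.compile(r"^<(VirtualHost|Anonymous)\b", re.IGNORECASE)
_CLOSE = re.compile(r"^</(VirtualHost|Anonymous)>", re.IGNORECASE)


def effective_default_root(conf_text):
    """Return the DefaultRoot value from the main context, or None if the
    directive is absent or commented out.  <VirtualHost> and <Anonymous>
    blocks are skipped because a DefaultRoot there only applies to that
    block, not to the domain users Virtualmin creates."""
    depth = 0
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#DefaultRoot ~' is just a comment
        if not line:
            continue
        if _OPEN.match(line):
            depth += 1
            continue
        if _CLOSE.match(line):
            depth -= 1
            continue
        if depth == 0:
            m = _DIRECTIVE.match(line)
            if m:
                value = m.group(1)  # the last occurrence wins, as in ProFTPD
    return value


# Top-level directories that should never be visible to a jailed user.
SYSTEM_DIRS = {"etc", "bin", "usr", "var", "root", "boot"}


def ftp_user_is_jailed(ftp):
    """Run the poster's test on an already logged-in ftplib.FTP connection:
    'cd /' then list.  A chrooted user sees only their home as '/', so none
    of SYSTEM_DIRS should appear; a refusal to change directory also counts
    as jailed."""
    try:
        ftp.cwd("/")
        names = {n.rsplit("/", 1)[-1] for n in ftp.nlst()}
    except error_perm:
        return True
    return not (names & SYSTEM_DIRS)


def probe(host, user, password):
    """Log in to your own server as the new domain FTP user (hypothetical
    credentials) and report whether the jail holds."""
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        return ftp_user_is_jailed(ftp)


if __name__ == "__main__":
    print("shipped default:", effective_default_root(WEAK_CONF))      # None
    print("hardened:       ", effective_default_root(HARDENED_CONF))  # ~
```

Run effective_default_root() over /etc/proftpd/proftpd.conf after saving in Webmin to confirm the directive really landed uncommented in the main context, then probe() with the developer's account to confirm the jail from the client side; the Virtualmin "FTP Directory Restriction" route described earlier should make the probe report True as well.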
Not meaning to be rude (really), but that is something that the VMin developers might want to set as a default from the start; that is kind of the point of using Virtualmin after all, an automated, reasonably secure setup from the start. Also, the expectation that users created within the framework of Virtualmin won’t be huge security risks.
A default should be set and a “jailed” connection should be the default, but, as I believe, securing your Webmin/Virtualmin is your responsibility unless, of course, you get it on a paid license; then you can demand that they set a default.
I do pay for this but find that irrelevant. I would think that defaulting to not making users that have root access to files would be a thing, for ANY product.
That’s like saying we sold you a new car, and didn’t even mention that there is a default key code to type in on your door that opens EVERY car we sell, oh, but you can turn it off if you discover it.
Terrible approach, but I have said my bit on it. Fix it or not.