Hide FTP folders

Is there a way to set up the permissions so that a customer who is connected via FTP is only able to see their /home/domain/ directory?

I know this sounds like a simple answer, but ideally, if I host multiple websites for customers, I don’t want a customer to be able to go up to the /home directory and see the folder names for all the other domains on the server.

See the Jailkit feature of Virtualmin

Also see:

ProFTPd does not rely on Jailkit for its chroot feature, and it does not respect the Jailkit configuration because it does not run a shell. Jailkit provides a chrooted shell, not chrooted FTP.

ProFTPd has its own chroot feature, which can simply be turned on with one line in the ProFTPd config file. It is, IMHO, nicer than using a jail shell, since it is much less complex. So…it’s the one (and only) area where FTP is superior to ssh (if you care about chrooting users, which I don’t consider that much of a security feature). This is set with the DefaultRoot directive in the ProFTPd configuration.

But, here’s the confusing thing: This is set by default during Virtualmin’s installation. So…why doesn’t your system have that option set? (Here’s the configuration plugin that does it.)

Did you install in some unusual way (like not using the install script)? Or were there errors during installation? Or have you reinstalled/reconfigured ProFTPd since installation?

Yes, that’s correct Joe. FTP should restrict a user to his own directory, out of the box. No special configuration on the part of @pologoalie8908 is required for this to happen.

I got confused when I read that a user is able to get into the directories of other users. That happens when a protocol other than FTP is used; SCP for example.

Hey @pologoalie8908 did you really mean FTP or are you using a software like WinSCP which is functionally similar to FTP but uses a different protocol due to which a user is able to get into the directories of other users?

Under no circumstance (FTP or SSH) is a user able to get into other users’ directories. Permissions ensure that.

A user that isn’t jailed can leave their home, but they can’t see other users’ files or sensitive files. It is not a security concern, merely a cosmetic one.

Sorry, playing catch-up on these replies. So correct, I am not talking about accessing the directories under /home/. I’m wanting to prevent them from seeing other directories other than their own if they access the /home directory.

Customer A with siteA.com can FTP into the server, they land at /home/siteA.com/ and then if they go up to /home/ they can see the directory names of: siteB.com, siteC.com, etc.

It’s a sensitivity thing for me as an admin. If I host a site for example called ihatejoe.com, that’s fine for me as the admin. I don’t care. But if I take on a client named Joe, then they would see that I host a site for someone else and the site is ihatejoe.com…Joe could be upset with me and I could lose Joe as a customer.

I understand what you want, and it is the default behavior of ProFTPd in a Virtualmin system. The fact that you’re not seeing that behavior raises questions, but also a simple solution to this specific problem: Hide FTP folders - #3 by Joe

Thanks Joe, I am just re-reading this now. Standard install. I just did another fresh one (I’m a glutton for punishment and like to reinstall as a trial-and-error style of learning…if I can learn to recover fully from different failures :wink: )

I used the normal script install. But I just tested and connected as sitea.com user and I can go to the home directory and see site.com folder name

So, is that directive just not there in the ProFTPd config? I can’t really guess what’s happening…I can see the config that is supposed to happen. There should be a file /etc/proftpd/conf.d/virtualmin.conf, which should contain the DocumentRoot ~ directive as I mentioned above. Does that file not exist on your installs?

If it does exist, then something is preventing it from loading. Either the IncludeDir is missing from the base proftpd config or it’s failing to load for some other reason and we’d need to see the errors from the log that explain why.

This sounds like a possible bug. If you tell me where to look I’ll get you anything you need. I don’t have customers yet so I can play around with this.

The file is there, but doesn’t contain DocumentRoot ~ (ignore the S at the top line, I was trying to screenshot and it was added)

Er, sorry, DefaultRoot ~ is what we’re looking for, and it is there.

So, why isn’t it loaded? We need to see any errors when you restart proftp service. They may be in the journal or may be in /var/log/proftpd, depends on distro and version.

Ah yea, sorry, I’m on Ubuntu Desktop 22.04 with Virtualmin Pro 7.3-1 Pro

I see no relevant errors there.

Is the /etc/proftpd/conf.d directory not included at all? (In…/etc/proftpd.conf, I think, you’d find an IncludeDir or something similar.)

So that shot is from ‘/var/log/proftpd/proftpd.log’

Is the /etc/proftpd/conf.d directory not included at all? (In…/etc/proftpd.conf, I think, you’d find an IncludeDir or something similar.)

No such file…there is /etc/proftpd/conf.d/virtualmin.conf

Edit: Standby, there is one…

/etc/proftpd/proftpd.conf exists

No IncludeDir line in that file


DefaultRoot doesn’t appear to be set

You can copy/paste the code here, and just wrap it in triple backticks (in Markdown, three backticks on a new line ``` makes a code block).

That’s easier for us to read, and you can post the whole config file in one go rather than posting little screenshots.

I’m really surprised there is no include line. I looked it up and what we’re looking for is actually:

Include /etc/proftpd/conf.d

Does that not exist in your proftpd.conf?

Thanks :slight_smile:

proftpd.conf (5.7 KB)

I do see

Include /etc/proftpd/conf.d
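
The check the thread works through by hand (is `conf.d` included from the main ProFTPd config, and does a loaded file set `DefaultRoot`), written as an added example that is not part of the original thread or Virtualmin's own code. It is a static approximation: it follows one level of `Include`, ignores `<IfModule>`/`<VirtualHost>` context, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): static check that a ProFTPD config
# tree sets DefaultRoot. Assumptions: one level of Include is followed and
# container context (<IfModule>, <VirtualHost>) is ignored.

# Print the main config plus every file its active Include lines pull in.
list_config_files() {
    printf '%s\n' "$1"
    # Commented-out Include lines do not match the anchored pattern.
    grep -Ei '^[[:space:]]*Include[[:space:]]+' "$1" 2>/dev/null |
    awk '{print $2}' |
    while read -r target; do
        if [ -d "$target" ]; then
            set -- "$target"/*      # directory: every file inside it
        else
            set -- $target          # single file or wildcard pattern
        fi
        for f in "$@"; do
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
    return 0
}

# Print "file:directive" for each active DefaultRoot line; return 1 if none.
check_default_root() {
    hits=$(list_config_files "$1" | while read -r f; do
        # /dev/null as a second operand makes grep prefix the file name.
        grep -Ei '^[[:space:]]*DefaultRoot[[:space:]]+' "$f" /dev/null \
            2>/dev/null || true
    done)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    echo "no active DefaultRoot reachable from $1" >&2
    return 1
}

# Usage: sh check_defaultroot.sh /etc/proftpd/proftpd.conf
if [ "$#" -gt 0 ]; then
    check_default_root "$1"
fi
```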