how can i restrict a user into his home directory.
at the moment sftp connections can browse trough the hole server, but i wont that the users can see which other domains are on the server.
i don´t use proftpd. the connections are made via sftp (ssh port 22).
You can check that out for the full explanation, but essentially it’s hard to do, and Joe and Jamie feel that it doesn’t actually offer the security bonuses people expect
-Eric
they can’t
at least on my server a user can not go into the directory from another user.
also they can not get into most directories outside /home
in the ones they can, they cannot download/view/edit sensitive files.
also they can not write to any files they do not have permission to.
the only ‘risk’ is a malicious user can see the usernames in /home and won’t have to guess that part if he wants to attack. If you think you have malicious users or untrusted users, do not give them sh access.
But i think it is very dangerous that all users can see conf files everywhere on the server.
The UNIX security model has been in use for more than 30 years, by millions of people. We think that’s a pretty good indicator that it is not “dangerous”.
on my server a domain owner can go into etc and view proftpd.conf. there is no posibility to change the file but he can read the mysql password for den mysql user table.
under webmin - servers - proftpd server - Files and Directories
Go to: Limit users to directories and set to: Home directory
not sure if that will do the trick for you but that is how it is set at my server.
Also securing your server is not a matter of clicking a button. I suggest to google and read a lot.
a domain owner who connect via sftp dont use the the proftp server, it´s a connectionn via ssh i think. so the settings of the proftpd.conf file doesnt change anything, or not?
So, the obvious solution is to make files that contain sensitive information not readable by regular users. proftpd.conf does not need to be world-readable, and it isn’t in the proftpd packages that we provide (but we only provide packages for a couple of platforms…mostly it comes from the OS repos, but I wouldn’t expect them to be world-readable either).
If the data is truly “sensitive”, then it’s worth it
Restricting ProFTP or SSH to a home directory doesn’t solve the problem – a user could just as easily go into Virtualmin, and browse the server using the File Manager.
If you disable that, Joomla includes a file manager. Or they could just write their own code that searches for files and directories that they have permissions to view. Using a chroot in ProFTP or SSH can’t prevent that, it only stops the case where the user is using FTP or SSH.
So the actual issue is not FTP, or SSH, it’s that file permissions are set in a way that you deem to be insecure The only way to solve that is to change the permissions.
-Eric
then you can use a script or use sed
per haps something like this through the cli
cd /tmp ; find -type f -name *.conf -maxdepth 4 | awk {‘print "chmod -R 444 "$1’} |sh
put a file /tmp/whatever.conf in your /tmp with 777, then use that line to test.
if happy change cd /tmp in the cmd to whatever dir you like, so: cd /etc