User can browse through the whole filesystem

Hello

I got a new server, and after a fresh Webmin install (and setting up users and virtual servers), I noticed that a user can view the whole filesystem via FTP. So if you have an /any-name/ user, this user can go up a level and check all other users /but doesn't have access to go into those user accounts/, and can also go 1 level higher and check all directories.

I checked that all users on this server have the same permissions as the users on the other server, where they can't view the whole filesystem.

What is interesting is that I set up the same CentOS 6.7 template and installed Webmin (as on other servers), but for whatever reason, a user on this server has rights to see the shadow file :)

Any advice will be appreciated!

Howdy,

There’s some info on that issue here:

https://www.virtualmin.com/documentation/security/faq#How_can_I_prevent_FTP_Users_from_Browsing_the_Entire_Filesystem

However, non-root users should never be able to read the shadow file – if that’s the case, it sounds like the shadow file may have the wrong permissions.

What is the output of this command:

ls -l /etc/shadow

Hi (привет) Andrey

Thank you for the quick response.

Here is the output:

[root@server1 ~]# ls -l /etc/shadow
---------- 1 root root 1189 Oct 14 00:59 /etc/shadow

Thank you

Hmm, there don’t appear to be any permissions set on that file… so FTP users shouldn’t be able to see that.

When logging in via FTP, are you saying you can see that the shadow file is there, or that you can read its contents as an FTP user?

-Eric

Hello

The FTP user can view and read this file, /etc/passwd, and view (but not read) /etc/shadow.

When I said that everything was the same as on the other servers, I was wrong. During Webmin installation I got 1 more question, which usually isn't there.

The question is:

= Please enter the name of your primary network interface =

I put “venet0”

I don’t remember this question during other installations.