Big FTP Security Hole
Mac Enthusiast (Join Date: Jul 2000, Location: Dubai, UAE)
If I create a new (non-Admin user) "user1" and turn on FTP access, then user1 logs in with Transmit, they can see their folder (Documents, Library etc.), but they can also go UPWARDS in the directory and see all the applications and root files.
How can I prevent this?
They should only be able to see everything in /Users/user1/ and nowhere above that.
Thanks,
Trygve
Addicted to MacNN (Join Date: Oct 2001, Location: Yokohama, Japan)
No, the default permissions on / and /Applications are a+r, so they can view all those things by default. If you don't like that, try disabling read permissions for world.
Mac Enthusiast (Join Date: Jul 2000, Location: Dubai, UAE)
How can I just remove user1 from the "staff" group so that they only have permissions within /Users/user1?
This is not for a local user, but FTP only.
But I also need my main admin user to have r/w permission in /user1 as well.
Moderator Emeritus (Join Date: Mar 2001, Location: Austin, MN, USA)
See here and pay special attention to number 3. I recommend googling more information on that file as it is not limited to OS X. There should be lots of info out there.
Mac Elite (Join Date: May 2001, Location: Manchester, UK)
My experience is that trying to set this up within OS X is very difficult - settings which should work appear not to. Try the excellent Sharepoints program which is on Versiontracker.
Moderator Emeritus (Join Date: Mar 2001, Location: Austin, MN, USA)
Originally posted by philm:
My experience is that trying to set this up within OS X is very difficult - settings which should work appear not to. Try the excellent Sharepoints program which is on Versiontracker.
I just tried it by adding the file /etc/ftpchroot with the contents "*" and restarted my ftp daemon. Sure enough, all users were limited to their home directory. What complications have you had?
Mac Enthusiast (Join Date: Jul 2000, Location: Dubai, UAE)
I just tried it by adding the file /etc/ftpchroot with the contents "*" and restarted my ftp daemon. Sure enough, all users were limited to their home directory. What complications have you had?
How exactly does one do this?
Moderator Emeritus (Join Date: Mar 2001, Location: Austin, MN, USA)
Originally posted by Trygve:
How exactly does one do this?
In the terminal, you could do this by typing the following (note: you don't type the '%'):
% sudo -s
% echo \* > /etc/ftpchroot
% exit
And then restart the FTP server. All users, admins and non-admins alike, will be restricted to their home directories. If you are on OS X client and run SSH, you should be aware that non-admins can still SSH to your computer and even SFTP which gives them access to all the same files as regular FTP would. You might want to disable their shell access if they are an FTP only user.
[edit] "sudo echo" wasn't working properly for me so I assume it wouldn't for you either. I changed the one-liner into 3 lines.
(Last edited by Xeo; Dec 6, 2004 at 10:21 AM.)
Senior User (Join Date: Jan 2001, Location: Mahwah, NJ USA)
Originally posted by Trygve:
If I create a new (non-Admin user) "user1" and turn on FTP access, then user1 logs in with Transmit, they can see their folder (Documents, Library etc.), but they can also go UPWARDS in the directory and see all the applications and root files.
How can I prevent this?
They should only be able to see everything in /Users/user1/ and nowhere above that.
Question...
If this user "user1" has a regular non-admin account can't they still ssh to your server and look around as they please? Or do you have ssh turned off?
Other question would be...
Why are you letting users access your server with a service that sends userids and passwords in the clear?
-DU-...etc...
Mac Enthusiast (Join Date: Jul 2000, Location: Dubai, UAE)
SSH is disabled. This is just a temporary solution to get a rather large file from a client in one part of the world to another fellow working on the same project in another part of the world. Both have broadband as do I.
It is not meant to be a running-all-the-time thing.
Also, would there be a way to force the ftproot to the Documents folder?
I tried setting the ftpchroot file to
user1 Documents
or ./Documents
but neither one works.
Thanks.
Moderator Emeritus (Join Date: Mar 2001, Location: Austin, MN, USA)
Originally posted by Trygve:
SSH is disabled. This is just a temporary solution to get a rather large file from a client in one part of the world to another fellow working on the same project in another part of the world. Both have broadband as do I.
It is not meant to be a running-all-the-time thing.
Also, would there be a way to force the ftproot to the Documents folder?
I tried setting the ftpchroot file to
user1 Documents
or ./Documents
but neither one works.
Thanks.
This is done with a different file. You need an /etc/ftpd.conf file.
% sudo -s
% echo "chroot CHROOT %d/Documents" > /etc/ftpd.conf
% exit
And of course, keep ftpchroot the way you have it. Run man ftpd.conf for more information on that file.
Oh, and philm, I looked into it and apparently older versions of OS X have had problems with this file but Panther has been handling it properly since its release.
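The two settings Xeo gives above (the "*" line in /etc/ftpchroot and the "chroot CHROOT %d/Documents" line in /etc/ftpd.conf) together decide what an FTP login can see. The script below is an added example, not code from the thread or from ftpd itself: it works out the effective root a user would get from copies of those two files in a scratch directory, so the configuration can be checked before the daemon is restarted. It assumes ftpchroot matches on the first field only (a username or "*"), that %d expands to the home directory as the thread shows, and the ETC, USER and HOME parameters are hypothetical.

```shell
# Added example, not from the thread. Computes the directory an FTP login
# would be confined to under the /etc/ftpchroot and /etc/ftpd.conf settings
# discussed above. Assumptions: ETC holds the two files, ftpchroot lines are
# a username or "*" (first field only), and "chroot CHROOT PATTERN" in
# ftpd.conf expands %d to the user's home directory, as in the thread.

# Usage: ftp_effective_root ETC USER HOME  -> prints the effective root
ftp_effective_root() {
    etc=$1; user=$2; home=$3
    chrooted=no
    if [ -f "$etc/ftpchroot" ]; then
        # read splits on whitespace without glob-expanding a "*" line
        while read -r first _rest || [ -n "$first" ]; do
            case $first in ''|'#'*) continue ;; esac
            if [ "$first" = '*' ] || [ "$first" = "$user" ]; then
                chrooted=yes
                break
            fi
        done < "$etc/ftpchroot"
    fi
    if [ "$chrooted" = no ]; then
        echo /                  # no ftpchroot match: whole filesystem visible
        return 0
    fi
    pattern=
    if [ -f "$etc/ftpd.conf" ]; then
        pattern=$(awk '$1 == "chroot" && $2 == "CHROOT" { print $3 }' "$etc/ftpd.conf" | tail -n 1)
    fi
    if [ -z "$pattern" ]; then
        echo "$home"            # ftpchroot alone confines the user to $HOME
    else
        printf '%s\n' "$pattern" | sed "s|%d|$home|g"
    fi
}

# Write the two settings from the thread into ETC. On a real system run this
# from a root shell ("sudo -s"): the ">" redirection is performed by the
# calling shell, not by sudo, which is why "sudo echo ... > /etc/ftpchroot"
# does not work.
write_ftp_chroot_config() {
    printf '*\n' > "$1/ftpchroot"
    printf 'chroot CHROOT %%d/Documents\n' > "$1/ftpd.conf"
}

# Demo on a constructed scratch directory; nothing under /etc is touched.
demo=$(mktemp -d)
write_ftp_chroot_config "$demo"
ftp_effective_root "$demo" user1 /Users/user1   # /Users/user1/Documents
rm -rf "$demo"
```

Running the check with no ftpchroot present prints "/", which is the situation Trygve describes at the top of the thread.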