Set permission to NO browse out of /home directory


Forum: Other Help Topics
Topic: Set permission to NO browse out of /home directory
started by: icpeanuts

Posted by icpeanuts on Jan. 22 2006,06:56
I am new to Linux and DSL.

I have a quick question. I want to set it so a user cannot browse out of the /home directory when the user accesses the server via FTP on the BetaFTP server. Can this be done?

Thanks for your help.

Posted by clacker on Jan. 22 2006,13:13
icpeanuts, I tried to do this but was unable to. I believe you could create what is called a chroot jail, but I'm still trying to work out exactly what you need to place inside the jail to make the user name/password recognition for betaftpd work.

Posted by icpeanuts on Jan. 22 2006,19:35
I downloaded Pure-ftpd instead and followed their instructions to add /./ to the passwd file of the user, and it works. I tried various methods with betaftp. No outcome.

Posted by clacker on Jan. 22 2006,20:00
Well, I looked around and found a bash script that can set up a nice chroot jail for dsl. It's called make_chroot_jail.sh and it worked really well, from what I could tell. It adds users and can update the needed libraries depending on what you need in the shell. With a little bit of tinkering in the passwd file in the jail it creates you can have everyone who ftps in looking at the same directory.

I wish I understood the script better.  I'm still trying to figure out what I did wrong when I did it by hand, but if the script does it right, that's all I need.

EDIT: you can still see out of the home directory, but only as far as the extent of the chroot jail.

Posted by icpeanuts on Jan. 24 2006,05:19
Anyone have any simpler ways to do this? This should not be a big problem. Thanks in advance.  :D

Posted by AwPhuch on Jan. 24 2006,23:56
In frugal mode you could chmod -R 700 the /home directory; this will eliminate anyone from being able to view anyone else's directories.

Brian
AwPhuch

Posted by mikshaw on Jan. 25 2006,02:16
It does not, however, restrict the user to a single directory.

In the DOCUMENTATION of betaftp, there is a bit about the rights file, which sounds to me like what you need.
Quote
The `.rights' file is laid out as follows:

privilegied.file        rw-r-----       0       1
(filename)              (rights)        (uid)   (gid)

For any file not in the list, the special case `.default' is checked. If there
is no such file, _no access is permitted_, and the file will _not show up in
directory listings_. This is in fact handy in most cases, so be careful with
adding a `.default' entry. (Note that `.rights' is never influenced by a
`.default' entry, for security.)

For directory permissions, the file `dir/.rights' is checked for the entry `.'.
Yes, I know, treating them like normal directories would be great, but
remember that there is a root directory as well...

The rights are standard r, w and x for now, no setuid, setgid or sticky bit
unless we really need it. (We could perhaps need the sticky bit later.) Be
careful with the format of the `.rights' file, as everything you set in the
rights column will be copied directly to listings. Restrict yourself to
those 9 characters, no more, no less, and only use r, w, and x.
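
The lookup rules in the documentation quoted above, written out as an added Python example (not part of the original post and not betaftpd's own code). It assumes whitespace-separated fields, filenames without spaces, and that each of the 9 rights characters is r/w/x in its usual position or `-`; the function names `parse_rights` and `lookup` are hypothetical.

```python
import re

# Assumption: each of the 9 characters is r/w/x in its usual position, or '-'.
RIGHTS_RE = re.compile(r"(?:[r-][w-][x-]){3}")

def parse_rights(text):
    """Return (entries, errors) for the text of one `.rights` file."""
    entries, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # blank line
        if len(fields) != 4:
            errors.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            continue
        name, rights, uid, gid = fields
        if not RIGHTS_RE.fullmatch(rights):
            # The rights column is copied straight into listings, so reject
            # anything that is not exactly 9 well-formed characters.
            errors.append(f"line {lineno}: bad rights {rights!r} for {name}")
            continue
        if not (re.fullmatch(r"[0-9]+", uid) and re.fullmatch(r"[0-9]+", gid)):
            errors.append(f"line {lineno}: uid/gid must be numeric for {name}")
            continue
        entries[name] = (rights, int(uid), int(gid))
    return entries, errors

def lookup(entries, name):
    """Entry that governs `name`, or None (no access, hidden from listings)."""
    if name in entries:
        return entries[name]
    if name == ".rights":
        return None  # `.rights` is never influenced by `.default`
    return entries.get(".default")

# Constructed sample, not taken from a real server.
SAMPLE = """\
.            r-xr-x---   0     100
readme.txt   r--r--r--   0     100
upload.bin   rw-rw----   1001  100
bad.file     rwxrwxrwxt  0     0
"""

if __name__ == "__main__":
    entries, errors = parse_rights(SAMPLE)
    for err in errors:
        print("ERROR", err)
    for name in ("readme.txt", "secret.key", ".rights", "."):
        print(name, "->", lookup(entries, name))
```

Running it over a `.rights` file before deployment shows which names would be hidden by default and flags a malformed rights column before it reaches a listing.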

Posted by icpeanuts on Jan. 25 2006,05:39
I read the information. I still do not understand how you can use it. Can you explain how/where I can edit/put the file to limit user browsing out of home dir?

Thanks.

Posted by mikshaw on Jan. 25 2006,14:49
I'd have to test it out in order to say for sure, but perhaps an entry ".." might control users' access to higher directories. I'm pretty sure the .rights file goes into the directory to which it applies.

Posted by icpeanuts on Jan. 29 2006,10:28
If you find out how this can be done, please post an update with detailed instructions on how to get this to work.

Thanks.

Posted by ReTeP on Dec. 09 2006,21:28
I've tried the jail-script but it shows errors on the MKNOD-command (command not found). Is it a package that's missing or something else? Please help!