LinuxQuestions.org
Old 06-25-2001, 04:50 AM   #1
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Rep: Reputation: 0
Webmin & FTP!?!?!


Hi!

I'm using Webmin and having some problems (and Webmin docs don't seem to be very, um, existent!).

Anyway, when I create a new user through Webmin, I want them only to have access to /home/theirdir, but right now, they can just go up the tree to / and even /etc!

Does anyone know how to stop this?

Thanks very much.

Danny
ps. Just a shameless plug, http://MyBest50.com are offering FREE month's listings to everyone, so check it out (http://mybest50.com/freemonth.php)
 
Old 06-25-2001, 06:34 AM   #2
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
I think that you will need to make ftpd chroot when the user accesses it... I think the documentation you want to look at isn't Webmin's but the man page for your ftp daemon. Unfortunately I can't be more specific... what FTP daemon are you using?

cheers.

Jamie...
 
Old 06-25-2001, 06:43 AM   #3
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Original Poster
Rep: Reputation: 0
wu-ftpd.

I just want to stop them getting anywhere outside of /home/username.

I don't know much about it, but I have access to Webmin and via SSH, so I'd appreciate any suggestions.

While I'm at it, I CHMOD'd all my web folder to 0777 cos it's the only way I could get two users to be able to write into that folder. Is there another way?! I set up a group "webusers" and CHGRP'd the folders to them, but it would still only let the CHOWNer write into there

TIA,

Danny
 
Old 06-25-2001, 07:01 AM   #4
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Quote:
Originally posted by DanTup
wu-ftpd.

I just want to stop them getting anywhere outside of /home/username.
If your file system permissions are good then you shouldn't have too much of a problem with them being able to get out anywhere dangerous anyway...

Quote:
Originally posted by DanTup
I don't know much about it, but I have access to Webmin and via SSH, so I'd appreciate any suggestions.
I haven't played about with it myself, hence the suggestions being a little sketchy! Playing with ftpd being chroot would require you to ssh in and change how it gets started up I believe.

Quote:
Originally posted by DanTup
While I'm at it, I CHMOD'd all my web folder to 0777 cos it's the only way I could get two users to be able to write into that folder. Is there another way?! I set up a group "webusers" and CHGRP'd the folders to them, but it would still only let the CHOWNer write into there
You want to chown the group to webusers, then have the directory as 770 and that should work. Remember that anyone with write permissions can erase the files in a directory even if they don't have permission to write to the specific file itself. You can avoid this by setting the 'sticky bit' on with chmod 1770. This will only allow users to erase files they own. You will probably also want to look into the default permissions (umask) that the files are created with. If user1 creates a file and you want user2 to be able to read it you want to make sure that it's created with at least 640 permissions otherwise although user2 can see the file (due to dir permissions) they won't be able to read it... Sorry if I'm telling you stuff you already know here!

cheers.

Jamie...
 
Old 06-25-2001, 07:11 AM   #5
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by jharris

If your file system permissions are good then you shouldn't have too much of a problem with them being able to get out anywhere dangerous anyway...
Well creating a new user has read access to the whole server

Quote:
Originally posted by jharris

I haven't played about with it myself, hence the suggestions being a little sketchy! Playing with ftpd being chroot would require you to ssh in and change how it gets started up I believe.
I don't have a clue how to do that, know where I might find some good docs?

Quote:
Originally posted by jharris

You want to chown the group to webusers, then have the directory as 770 and that should work. Remember that anyone with write permissions can erase the files in a directory even if they don't have permission to write to the specific file itself. You can avoid this by setting the 'sticky bit' on with chmod 1770. This will only allow users to erase files they own. You will probably also want to look into the default permissions (umask) that the files are created with. If user1 creates a file and you want user2 to be able to read it you want to make sure that it's created with at least 640 permissions otherwise although user2 can see the file (due to dir permissions) they won't be able to read it... Sorry if I'm telling you stuff you already know here!
Haha! That's it, I didn't CHMOD to 0770!!!

However, if I create a folder inside there, the default permissions don't let Steve access it, any idea how to set the default to 0770?

btw, I know with CHMOD it user, group, world, and 7 is write, but what other numbers can go in there?

Also, if I chmod to 0770, can other users (not in the group) read the files?

Thanks m8,

Danny
 
Old 06-25-2001, 07:41 AM   #6
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Quote:
Originally posted by DanTup
Well creating a new user has read access to the whole server
Uhm... sounds like you really want to lock down your permissions! As for the documentation sorry - dunno really! The usual RTFM chant for the man page might help...

Quote:
Originally posted by DanTup
Haha! That's it, I didn't CHMOD to 0770!!!

However, if I create a folder inside there, the default permissions don't let Steve access it, any idea how to set the default to 0770?
You creating these on the command line? If so then to default to 770 you would have 'umask 007' in one of your login files. To find out about the rest of the file mode (permissions) it's best to read the man page. The sticky bit was originally used to keep common programs in memory in the days of old, the other ones are set UID and set GID bits (SUID/SGID) these make the process run as if it is being executed by the person who owns the file. For example a program owned by root yet executed by a 'normal' user is executed with the full blown permissions of root. There are others I think but dunno about them off the top of my head.

Quote:
Originally posted by DanTup
Also, if I chmod to 0770, can other users (not in the group) read the files?
If they're not the owner or in the group then they will get hit by the 'world/other' permissions, hence won't be able to access it.

cheers.

Jamie...
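
An added example, not part of any post in this thread: a shell sketch of the permission setup discussed in posts #4 to #6. It shows which modes a new subdirectory and a new file get inside a 1770 shared directory under umask 022 versus umask 007, and how one octal digit maps to r/w/x. The temporary directory and the function names are constructed for the demo; webusers is the group named in the thread.

```shell
#!/bin/sh
# Added example; runs in a throwaway directory and needs no root.
# "webusers" is the group from the thread; the chgrp is left as a comment
# because that group will not exist where this demo runs.

# mode_of PATH -> octal mode including special bits (GNU/busybox stat)
mode_of() { stat -c '%a' "$1"; }

# rwx DIGIT -> symbolic form of one octal permission digit (r=4, w=2, x=1)
rwx() {
    d=$1; s=
    [ $((d & 4)) -ne 0 ] && s="${s}r" || s="${s}-"
    [ $((d & 2)) -ne 0 ] && s="${s}w" || s="${s}-"
    [ $((d & 1)) -ne 0 ] && s="${s}x" || s="${s}-"
    echo "$s"
}

# created_modes UMASK -> "shared-dir new-subdir new-file" modes.
# The body is a subshell, so the umask change does not leak to the caller.
created_modes() (
    base=$(mktemp -d) || exit 1
    mkdir "$base/web"
    # chgrp webusers "$base/web"     # on the real server
    chmod 1770 "$base/web"           # owner+group rwx, sticky bit, nothing for others
    umask "$1"
    mkdir "$base/web/newdir"
    : > "$base/web/newfile"
    echo "$(mode_of "$base/web") $(mode_of "$base/web/newdir") $(mode_of "$base/web/newfile")"
    rm -rf "$base"
)

echo "umask 022: $(created_modes 022)"
echo "umask 007: $(created_modes 007)"
echo "7=$(rwx 7) 5=$(rwx 5) 0=$(rwx 0)"
```

Under umask 022 the new subdirectory comes out 755, so other members of the group cannot write into it; under umask 007 it is 770 and the "other" digit stays 0.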
 
Old 06-25-2001, 07:54 AM   #7
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Original Poster
Rep: Reputation: 0
I found a nice page:

http://support.rackspace.com/cgi-bin...&130=945710545

Which helps.

Thanks for your help too,

Danny
 
Old 06-25-2001, 07:58 AM   #8
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Having just read that guide - make sure you only change the shell if your users don't need an interactive login on the server! Changing it to /bin/false will result in the user not being able to spawn a shell...

Jamie...
 
Old 06-25-2001, 08:06 AM   #9
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Original Poster
Rep: Reputation: 0
They're only having ftp access (whether they like it or not!), no shell, so is it ok?

Also, I'm doing this all through Webmin, so for the group thing, I went into Webmin / Servers / FTP / Users & Classes and typed "ftponly" in the Users & Groups to treat as guests. Is that right? (I wasn't too sure about:

Quote:
Add a group called ftponly to the /etc/group file with the command:

groupadd ftponly



Add the line

guestgroup ftponly

to your /etc/ftpaccess file. You should also add guest to the list of users in the log transfers directive in the same file.
Thanks for all your time!

Danny
 
Old 06-25-2001, 08:06 AM   #10
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Original Poster
Rep: Reputation: 0
eh?!

I don't have an "ftp" folder in /home



It says copy ftp and bin over into their folder

???
 
Old 06-25-2001, 08:43 AM   #11
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Original Poster
Rep: Reputation: 0
Well I skipped the copying bin and lib bit, and it seems to work fine, however I can't delete files out of that folder now!

I created a new folder and tried to delete it, and it just says denied!

I logged in as a normal user, and I now have access to that folder (usually I can't access another user's home dir), but I can't delete the folder!

Any ideas?!

Thanks,

Danny
 
Old 06-25-2001, 08:59 AM   #12
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
If the ftp daemon doesn't internally implement the delete function then it will be trying to call /bin/rm - which won't exist if you haven't recreated the bin directory in the user's home dir... you might wanna copy /bin/ls and /bin/rm and mkdir etc into a bin dir for each user.

good luck

Jamie...
 
Old 06-25-2001, 09:13 AM   #13
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Original Poster
Rep: Reputation: 0
So shall I just copy /bin and /lib into their folder?
Although it's giving Access Denied, not Command Not Found or anything...?

Doesn't copying mean there's two copies, and therefore if anything's ever updated in one, the other will be not-updated (yes, that's a word).

Also, I put the /./ on the end, and didn't seem to do anything (still gave them full access), it was only when I told it to treat the group ftponly as a guest that it gave that folder a "root" type-feeling. (And I tried setting permissions to allow Guests to delete, thinking it might be that).
 
Old 06-25-2001, 09:18 AM   #14
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Original Poster
Rep: Reputation: 0
Well for some reason it's letting me delete (and I didn't change anything), however whenever I log out and back in, I don't see any files! It's empty (but if I try creating a new folder, it says /New Folder already exists).

I guess it's chrooted, but I don't know why! (I didn't type chroot anywhere! But that's what I wanted anyway)

Any ideas?!
 
Old 06-25-2001, 09:23 AM   #15
DanTup
LQ Newbie
 
Registered: Jun 2001
Posts: 13

Original Poster
Rep: Reputation: 0
ARGH!!!



Ok, I copied /bin to /home/test/bin and logged in as test, and it still just shows an empty listing! The folders must be there, cos it dies when I try to create a new folder called "New Folder" (as it already exists), but it's not showing up at all!!
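
An added example, not part of the post above or of any guide linked in the thread: a dynamically linked binary copied into a chroot can only run if the shared libraries it links against also exist inside that chroot, so after copying /bin it is worth checking what is still missing. The ldd output and the jail directory below are constructed for the demo; on a real host the input would come from running ldd on the binary.

```shell
#!/bin/sh
# Added example: report which files a chrooted binary needs but the jail lacks.
# SAMPLE_LDD is constructed; on a real host use the output of: ldd /bin/ls

SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffc0a1f2000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a000000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a400000)'

# libs_from_ldd: read ldd output on stdin, print absolute library paths.
# Handles "name => /path (addr)" and the bare "/path (addr)" loader line;
# skips the vdso entry and "not found" entries, which carry no path.
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# missing_in_jail JAIL BIN: read ldd output for BIN on stdin and print every
# path (the binary itself and each library) that does not exist under JAIL.
missing_in_jail() {
    jail=$1; bin=$2
    { echo "$bin"; libs_from_ldd; } | while read -r path; do
        [ -e "$jail$path" ] || echo "$path"
    done
}

# demo: constructed jail that contains bin/ls but no lib directories,
# the state described in the thread after only /bin was copied.
demo() {
    jail=$(mktemp -d) || return 1
    mkdir -p "$jail/bin" && : > "$jail/bin/ls"
    printf '%s\n' "$SAMPLE_LDD" | missing_in_jail "$jail" /bin/ls
    rm -rf "$jail"
}
demo
```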

 
  

