FTP user rights

  1. #1 Pashy (Just Joined!, Apr 2010, 10 posts)

    Hi Friends,
    I have installed an FTP server on my Linux machine (Fedora 11).
    My manager wants the ftp users to be restricted to their own home dir using sftp.
    But the said condition is met when the user logs in using ftp over port 21, and when
    the user logs in using sftp, i.e. protocol 22, he/she has readable (downloadable) access
    to the upper dirs as well. In short, the user is able to traverse the file system using
    sftp. I have chrooted the users as well.

    Could you please advise me of the reason & the possible solution for this.

    Thanks in advance.
    Pashy

  2. #2 (Just Joined!, Apr 2010, 10 posts)
    Quote Originally Posted by Pashy:
        Hi Friends,
        I have installed an FTP server on my Linux machine (Fedora 11).
        My manager wants the ftp users to be restricted to their own home dir using sftp.
        But the said condition is met when the user logs in using ftp over port 21, and when
        the user logs in using sftp, i.e. protocol 22, he/she has readable (downloadable) access
        to the upper dirs as well. In short, the user is able to traverse the file system using
        sftp. I have chrooted the users as well.

        Could you please advise me of the reason & the possible solution for this.

        Thanks in advance.
        Pashy
    Can anyone please reply on this ASAP... please.

  3. #3 scathefire (Linux Enthusiast, Western Kentucky, Jan 2010, 616 posts)
    So what does your SSH config look like? Does it have something like this in it?

    Code:
    Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
    (link: OpenSSH SFTP chroot() with ChrootDirectory)
    linux user # 503963

  4. #4 (Just Joined!, Apr 2010, 10 posts)
    Thanks for the kind reply.
    But I am worried that I am unable to execute the command
    "# adduser user sftponly"
    Output: Usage: useradd [options] LOGIN, followed by options.
    Actually I am very new to Linux & installing FTP for the 1st time, so could you please be more specific about the commands & every step involved.
    Also, in the link provided by you, while executing the command:
    # chown root.root /home/user
    do I have to mention "user" as mentioned above or the "ftpusername"?
    Apologies for requesting the detailed explanation.

    Thanks in advance.

  5. #5 scathefire (Linux Enthusiast, Western Kentucky, Jan 2010, 616 posts)
    Technically you could use whatever group you wanted to. In that example, they made a group called sftponly. Here is what I would do:
    Code:
    mkdir /home/my_username_here
    groupadd sftponly
    useradd -d /home/my_username_here -g sftponly -s /sbin/nologin my_username_here
    # the ChrootDirectory must be owned by root and not group/world writable, or sshd refuses the login
    chown root:root /home/my_username_here
    passwd my_username_here
    # input some password
    vim /etc/ssh/sshd_config
    # add those above-mentioned lines if they are not present
    # hit escape then type (colon included) :wq
    service sshd restart
    That should be an ample place to start, I think.

  6. #6 Pashy (Just Joined!, Apr 2010, 10 posts)
    Thank you so much for your kind reply!
    I have freshly installed Linux & the FTP server as well.
    I have followed your instructions & for the FTP installation I have executed the following commands:
    Code:
    # yum install vsftpd
    # vi /etc/vsftpd/vsftpd.conf
    Edited the vsftpd.conf file and uncommented the following lines:
    Code:
    anonymous_enable=NO
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd.chroot_list
    Created a file for listing users:
    Code:
    # cd /etc/
    # touch vsftpd.chroot_list
    # vi vsftpd.chroot_list
    and added the user ID "ftp_user" whom I want to give access.

    After doing all this I have landed in a new problem. When I try to access the FTP server via FileZilla or WinSCP I am facing the following error:
    Code:
    Status: Connected to 192.168.200.46
    Error:  Connection closed by server with exitcode 1
    Error:  Could not connect to server

    Could you kindly advise me with the possible solution...

    Thanks in advance,
    Pashy

  7. #7 scathefire (Linux Enthusiast, Western Kentucky, Jan 2010, 616 posts)
    Is iptables running?
    Code:
    service iptables status
    If so, try stopping the service and connecting:
    Code:
    service iptables stop
    Otherwise you may want to check the logs for more answers; try looking in /var/log/vsftpd.log, otherwise it will probably be logged in /var/log/messages.

  8. #8 (Just Joined!, Apr 2010, 10 posts)
    Thank you!
    I had already stopped the firewall & I am unable to interpret anything from the log file.
    After making a few changes I am able to log in to the ftp server from the command prompt of the server itself.
    Code:
    ftp localhost
    Output:
    Code:
    Trying ::1...
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    220 (vsFTPd 2.1.2)
    Name (localhost:vertex):

    I am still not able to log in to the server via WinSCP or FileZilla.

    Please help!

  9. #9 scathefire (Linux Enthusiast, Western Kentucky, Jan 2010, 616 posts)
    If you do
    Code:
    netstat -pantu
    do you see the service bound to a wildcard (*) or an IP address (192.168.blah)? If it's only bound to 127.0.0.1 then you won't be able to reach it, as it's only listening on loopback.

    Can you reach any other services remotely? Can you hit secure shell? Can you ping, etc.?

  10. #10 (Just Joined!, Apr 2010, 10 posts)
    Hi, below is the output of the command "netstat -pantu":

    Code:
    [root@localhost ~]# netstat -pantu
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1412/rpcbind
    tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      9610/vsftpd
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7881/sshd
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1497/cupsd
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2518/sendmail: acce
    tcp        0      0 0.0.0.0:45701           0.0.0.0:*               LISTEN      1425/rpc.statd
    tcp        0      0 192.168.200.46:33489    66.249.89.104:443       ESTABLISHED 7489/firefox
    tcp        0     28 192.168.200.46:44173    64.233.183.132:443      LAST_ACK    -
    tcp        0      0 192.168.200.46:36417    64.233.183.19:443       ESTABLISHED 7489/firefox
    tcp        0      0 192.168.200.46:36414    64.233.183.19:443       ESTABLISHED 7489/firefox
    tcp        1      1 192.168.200.46:48975    72.14.203.17:80         LAST_ACK    -
    tcp        0      0 192.168.200.46:41843    64.233.183.167:443      ESTABLISHED 7489/firefox
    tcp        0      0 192.168.200.46:45682    64.233.183.189:443      ESTABLISHED 7489/firefox
    tcp        1      1 192.168.200.46:33869    64.156.26.74:80         LAST_ACK    -
    tcp        1      1 192.168.200.46:44929    66.249.89.99:80         LAST_ACK    -
    tcp        0     28 192.168.200.46:35163    74.125.153.97:443       LAST_ACK    -
    tcp        0      0 192.168.200.46:58362    64.233.183.19:80        ESTABLISHED 7489/firefox
    tcp        1      1 192.168.200.46:44930    66.249.89.99:80         LAST_ACK    -

    Yes, certainly ping is possible, and the ssh service is also running. Unfortunately, I haven't installed any other services yet.
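The bind-address check from post #9, run over netstat output like the one in post #10, as an added example (an editor's script, not from the thread). The sample lines are constructed from the posted output, trimmed to the listeners plus a couple of established connections, and one tcp6 line was added by hand to exercise the IPv6 wildcard case; the classification is the point: a local address of 0.0.0.0 or :: means every interface, 127.x or ::1 means loopback only, anything else is one specific interface.

```shell
#!/bin/sh
# Added example (not from the thread): classify LISTEN sockets from
# "netstat -pantu" output by bind scope, so a service reachable only on
# loopback stands out from one bound to every interface.

# Constructed sample, based on the output posted in the thread; the tcp6
# line is invented to cover the IPv6 wildcard form.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1412/rpcbind
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      9610/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7881/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1497/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2518/sendmail: acce
tcp        0      0 0.0.0.0:45701           0.0.0.0:*               LISTEN      1425/rpc.statd
tcp6       0      0 :::22                   :::*                    LISTEN      7881/sshd
tcp        0      0 192.168.200.46:33489    66.249.89.104:443       ESTABLISHED 7489/firefox
tcp        0     28 192.168.200.46:44173    64.233.183.132:443      LAST_ACK    -
EOF
}

# Read netstat output on stdin and print one line per TCP LISTEN socket:
#   proto port local-address scope program
# scope is "all-interfaces" (0.0.0.0 or ::), "loopback-only" (127/8 or ::1)
# or "one-interface" (a specific address). UDP rows have no State column and
# are skipped by the LISTEN test.
list_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":")                  # IPv6 addresses contain ":" too,
        port = a[n]                            # so the port is the last piece
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::")
            scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback-only"
        else
            scope = "one-interface"
        prog = ($7 == "-") ? "unknown" : $7
        print $1, port, addr, scope, prog
    }'
}

# Exit 0 if some LISTEN socket on the given port is reachable beyond
# loopback, 1 otherwise (not listening, or bound to loopback only).
port_reachable_remotely() {
    list_listeners | awk -v port="$1" '
        $2 == port && $4 != "loopback-only" { found = 1 }
        END { exit !found }'
}

# Usage:
#   sample_netstat | list_listeners
#   netstat -pantu | port_reachable_remotely 21 && echo "vsftpd is bound beyond loopback"
```

On the thread's own output this reports vsftpd (21) and sshd (22) as bound to every interface and only cupsd (631) and sendmail (25) as loopback-only, so a connection failure from the LAN to port 21 is not a bind-address problem.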
