  1. #1
    Just Joined!
    Join Date
    Apr 2005
    Location
    Canada
    Posts
    10

    sftp server?


    So I'm trying to set up a secure FTP server. I'm not really sure what the standard setup/procedure is for this. It seems to me that the Linux file permissions are quite difficult to set up in a way that prevents logged-on users from browsing around and reading things that maybe they shouldn't. I'd like to have a clean and simple environment for the users, where they just see what they need to, and nothing else. I tried to chroot them to their homes, but then found that symlinks can't get you outside either. I have areas of my filesystem that I want them to have access to, that would be unsuitable to, and far too large for, an ftp user's home directory. So all I can think of is to have a regular login to the home, with the symlinks that I want, and to set up strange and annoying file permissions all over my filesystem. Is there some great way to do this that I don't know about?

    I'm also curious about the encryption. As I understand it, using SFTP through SSH encrypts everything, including the data transferred. This is what I want. However, I was reading some documentation for PureFTPd, and it mentioned that it only encrypted the logins and commands, not the data. I'm wondering if this is a universal difference between SSH and the regular FTP daemons with SSL/TLS support.

    Finally, I'd just like to know what the most common procedures are for this, and what servers are recommended.

    Thank you in advance,
    jef

  2. #2
    Linux User
    Join Date
    Feb 2005
    Posts
    290
    AFAIK, if you're able to ssh into the server, so is sftp. To protect yourself from traditional FTP'ing, try SSH tunneling; there are plenty of tutorials out there, just google for "ssh tunnel ftp tutorial".

    good luck

  3. #3
    Just Joined!
    Join Date
    Apr 2005
    Location
    Canada
    Posts
    10
    I should have clarified, I do have SFTP working through SSH. I'm just not sure if this is what I want to use.

    I had it set up so the SSH/SFTP user was chrooted (or jailed) to their home directory upon logging in. This would fix the problem of having the FTP user being able to peruse my entire filesystem. The problem is that then they have no way to get to the folders that I want them to have access to. These folders are much too large, and not appropriate for, the FTP user's home directory.

    I'd like to know how people set up their ftp servers, if they don't chroot users to their homes. It just doesn't seem right for ftp users to have the ability to peruse your entire filesystem. Chroot can't be the only way to prevent this. Even IIS has a simple mechanism for virtual hosts that link to a specific folder and don't allow users outside of it. The only way that I can think of, to mimic this in Linux, would be to have a user for each one of these folders, and to make those folders their home directories. That's just silly. :P

  4. #4
    Just Joined!
    Join Date
    Nov 2007
    Posts
    7

    Use mount with the bind option

    To have people chroot in their own private space, and still have access to other shared space, you can use the mount feature with the bind option.

    This is what I used:

    /ftp/support (this is the jail-root for the support desk)
    /ftp/support/public
    /ftp/support/client1 (this is the jail-root for the client)
    /ftp/support/client1/public (this will be mounted with the bind option to point to /ftp/support/public)

    The entry in my fstab looks like:
    /ftp/support/public /ftp/support/client1/public none ro,bind

    Unfortunately the ro (read-only) feature is not correctly implemented, so the user will have the file system rights.
    We solved this by adding the user client1 to the group support, and we gave the group support read-only rights to the public directory.
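
A check for the read-only caveat in the post above, as an added example that is not part of the original thread: it reads a mount table in /proc/mounts format and lists mounts below the jail root that lack the `ro` option. The function name `writable_jail_mounts`, the sample table, and the `client2` and `support-old` paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit mounts under an FTP jail for a missing "ro" option.
# Input is a mount table in /proc/mounts format:
#   device mountpoint fstype options dump pass

# Constructed sample table (not captured from a real host). A bind mount
# appears with the source filesystem's device and type, not as "bind".
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /ftp ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /ftp/support/client1/public ext4 rw,relatime 0 0
/dev/sda3 /ftp/support/client2/public ext4 ro,relatime 0 0
/dev/sda3 /ftp/support-old/public ext4 rw,relatime 0 0'

# writable_jail_mounts JAIL_ROOT [TABLE_FILE]
# Prints every mount point strictly below JAIL_ROOT whose options lack "ro".
# Returns 0 when all are read-only, 1 when at least one is writable,
# 2 when TABLE_FILE cannot be read. Without TABLE_FILE the constructed
# sample is used; pass /proc/mounts to audit a live system.
writable_jail_mounts() {
    jail_root=${1%/}
    if [ -n "${2:-}" ]; then
        table=$(cat "$2") || return 2
    else
        table=$SAMPLE_MOUNTS
    fi
    printf '%s\n' "$table" | awk -v root="$jail_root/" '
        # Prefix match on "root/" so /ftp/support-old is not treated as
        # part of /ftp/support.
        index($2, root) == 1 {
            n = split($4, opts, ",")
            ro = 0
            # Exact option match: "errors=remount-ro" must not count as "ro".
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) { print $2; bad = 1 }
        }
        END { exit bad }
    '
}

# Stand-alone run: list offenders with the remount form documented in mount(8).
offenders=$(writable_jail_mounts /ftp/support) || true
for mp in $offenders; do
    echo "writable: $mp  (fix: mount -o remount,bind,ro $mp)"
done
```

On a live host, call `writable_jail_mounts /ftp/support /proc/mounts` after boot to confirm that the fstab entry actually produced a read-only mount.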
