
Hosting Clients Can Access ALL Directories VIA SFTP

giganet

psa 8.2
FC6

I have noticed that clients are able to traverse the entire server when logged into their accounts using SFTP...

How can this issue be corrected?

Thank you

Regards
 
Thanks for the reply...

I disabled all shell access, but when logged into the server with any client's credentials you can still traverse the entire server directory structure.
 
I'm sorry

When I say I am logging in using a client's credentials, I am using their SFTP access credentials with WS_FTP.

Thank you
 
That's strange, that's not the case on our servers. You didn't change the ProFTPd configuration?
 
I haven't modified any files dealing with FTP on the server.
Is there a file on the server I should check?

I'm really new to any of this so please excuse my questions.
 
Are you really sure you can browse the entire filesystem? What does your /etc/proftpd.conf look like?
 
Thank you for the reply...

I have verified: yes, a client is able to log in to his/her account VIA SFTP and use the UP directory to move from:
'/var/www/vhosts/<client-account.com>'
up to
'/'
including ALL subdirs between the above!

My 'proftpd.conf' is below:
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD"
#ServerType standalone
ServerType inetd
DefaultServer on
<Global>
DefaultRoot ~ psacln
AllowOverwrite on
</Global>
DefaultTransferMode binary
UseFtpUsers on

# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

#The following part of this config file was generated by PSA automatically.
#Any changes in this part will be overwritten by the next manipulation
#with the Anonymous FTP feature in the PSA control panel.

#The Include directive should point to the place where FTP Virtual Host configurations
#are preserved

ScoreboardFile /var/run/proftpd/scoreboard

# Primary log file must be outside of system logrotate province

TransferLog /usr/local/psa/var/log/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off

AuthGroupFile /etc/group

Include /etc/proftpd.include

Does anything in this file look off to you??

Thank you for your help

Regards
 
You're talking about SFTP? That's not handled by ProFTPd. If shell access is disabled a user shouldn't be able to login using SFTP at all. If a user has a non-chrooted shell that user can go up to the server's /. Of course normal UNIX permissions are still in effect, so a client cannot write to other client's dirs, etc. But I'd never give untrusted clients a non-chrooted shell.
 
Thank you for the reply...

Hmm, OK. I have double-checked my settings in PLESK.
I have set clients, for the time being, to have chrooted access.
When I set them to Forbidden, FTP can't log in for some reason.

But, when a client logs in now they are not able to leave their directory which is a big relief.

Would proftpd.conf come into play if a regular FTP session can't start?
Which line would control FTP sessions and their being able to open?

Thank you for your help

Regards
 
Hmm, OK. I have double-checked my settings in PLESK.
I have set clients, for the time being, to have chrooted access.
When I set them to Forbidden, FTP can't log in for some reason.

Are you sure you are not confusing SFTP with FTP? They are actually pretty different. If you set shell to forbidden then SFTP is not possible, but normal FTP access will still be possible.

Would proftpd.conf come into play if a regular FTP session can't start?

proftpd.conf *only* comes into play when a regular FTP session is started, as proftpd handles normal FTP access. SFTP is a subsystem of the SSH daemon.
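The two answers above make the point that SFTP is an SSH subsystem and that what decides whether a hosting user can walk up to / is that account's login shell, not anything in proftpd.conf. The following is an added example (not code from the thread or from Plesk) that audits passwd entries for hosting users and flags the ones with an unrestricted shell; the chrootsh path is assumed to be Plesk's chrooted shell and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: audit which hosting accounts could traverse the whole
# filesystem over SFTP. Only the login shell matters for SFTP (sshd
# subsystem); proftpd.conf governs plain FTP on port 21 only.

NO_SHELLS='/bin/false /sbin/nologin /usr/sbin/nologin'
CHROOT_SHELLS='/usr/local/psa/bin/chrootsh'   # assumed Plesk chrooted shell path

# classify_shell SHELL -> prints "none", "chrooted" or "unrestricted"
classify_shell() {
    shell=$1
    for s in $NO_SHELLS; do
        [ "$shell" = "$s" ] && { echo none; return; }
    done
    for s in $CHROOT_SHELLS; do
        [ "$shell" = "$s" ] && { echo chrooted; return; }
    done
    echo unrestricted
}

# audit_passwd FILE -> one line "user home shell verdict" for every account
# whose home is under /var/www/vhosts (other system accounts are skipped)
audit_passwd() {
    while IFS=: read -r user _ _ _ _ home shell; do
        case $home in
            /var/www/vhosts/*) ;;
            *) continue ;;
        esac
        printf '%s %s %s %s\n' "$user" "$home" "$shell" "$(classify_shell "$shell")"
    done < "$1"
}

# count_unrestricted FILE -> number of hosting users with a real, non-chrooted shell
count_unrestricted() {
    audit_passwd "$1" | grep -c ' unrestricted$'
}

# Constructed sample passwd entries for the demo (not real accounts).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftponly:x:10001:2524::/var/www/vhosts/example.test:/bin/false
jailed:x:10002:2524::/var/www/vhosts/example2.test:/usr/local/psa/bin/chrootsh
wideopen:x:10003:2524::/var/www/vhosts/example3.test:/bin/bash
EOF

audit_passwd "$SAMPLE"
echo "unrestricted hosting shells: $(count_unrestricted "$SAMPLE")"
```

Run it against the real /etc/passwd instead of the sample to see which accounts still get an unrestricted shell; those are the ones that can browse above their vhost directory over SFTP.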
 
[breun] Are you sure you are not confusing SFTP with FTP?

[Pat]I am quite positive I am not confusing the two.
After forbidding shell access I reconfigured WS_FTP to access:

Server Type: FTP
Port: 21

Whereas to access the server VIA SFTP you use the following settings:

Server Type: SFTP/SSH
Port: 54000


Thank you for pointing out the difference between the two protocols also.

I will keep trying to log onto the server VIA FTP with chroot and all other shell access forbidden and see how that works for me.

Thank you

I'll be back
 