1

I created a user on CentOS 7 via Webmin and set /var/www/html/ as their home directory, so when they log in they start from there.

However, I logged in myself and realized that they can navigate from there to the upper directories which I don't want. How can I prevent this from happening?

Thank you.

Cain Nuke
  • You want to chroot the users. To do this you'll need to modify the FTP server config. IIRC webmin uses proftpd - look at the DefaultRoot directive - http://www.proftpd.org/docs/directives/linked/config_ref_DefaultRoot.html – ivanivan May 25 '17 at 16:47

1 Answer

2

You will need to find a feature specific to the FTP server you are using that can create a chroot-like environment. Some examples are:

  • proftpd: DefaultRoot. This option has to point to the chroot dir of the server.
  • pureftpd: -A option. Quoting the documentation:

    > This feature is called "chroot". You can enable this by running pure-ftpd with the "-A" switch to do this with ALL your users (but root).

  • vsftpd: chroot_local_user=YES will chroot to default user home. There is already a good answer here.
  • It's weird but I didn't install any FTP server so I don't even know how come I am able to FTP access. – Cain Nuke May 25 '17 at 16:55
  • As pointed out by @ivanivan, the default FTP server on Webmin should be `proftpd`. It is just a matter of finding the configuration file and putting a line like `DefaultRoot /var/www/html/` in it :) –  May 25 '17 at 16:59
  • But that one is stopped right now and I'm still able to access. Is that normal? – Cain Nuke May 25 '17 at 17:09
  • `netstat -tapn | grep 21`, and see what is the process that is `LISTENING` on this port(21/tcp - ftp) –  May 25 '17 at 17:11
  • I see nothing on port 21, the user is on port 22. – Cain Nuke May 25 '17 at 17:22
  • 22 is `ssh` so, `sftp` or `scp` are the protocols used to exchange files. Are you sure that is really an ftp server, and there is no custom port configured? –  May 25 '17 at 17:24
  • I don't know because I didn't install any FTP server myself. I only installed Webmin and proftpd was already there but it's stopped right now and I'm still able to FTP access by using FileZilla and setting it to SFTP. – Cain Nuke May 25 '17 at 17:35
  • SFTP is an extension of FTP through SSH. That's why you can access, because it is not related to proftpd. If you have an `ssh` daemon running on your server, you will mostly be able to use sftp... "chrooting" sftp is a hell of a quest, and should not be as trivial as it is with an FTP server... –  May 25 '17 at 17:47
  • So I need to enable chroot in SSH instead? – Cain Nuke May 25 '17 at 17:50
  • Yup. If you are using SFTP you started asking the wrong question, since they use totally different servers... and it is not a trivial question (you should follow a how-to) - https://wiki.archlinux.org/index.php/SFTP_chroot –  May 25 '17 at 17:57
  • Thank you for your help. Although it was actually easier than that. – Cain Nuke May 27 '17 at 00:35
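
The thread ends with the chroot moving from the FTP daemon to sshd. As an added example (not from the original posts), this script checks the precondition OpenSSH places on `ChrootDirectory`: the directory and every parent must be owned by root and not writable by group or others. The sshd_config fragment in the comments, the account name `webuser`, and GNU `stat` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSH sshd and GNU stat (CentOS 7).
#
# Assumed sshd_config fragment ("webuser" is a hypothetical account name):
#   Match User webuser
#       ChrootDirectory /var/www/html
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#
# sshd refuses the session unless ChrootDirectory and every parent directory
# up to / is owned by root and not writable by group or others.

# component_ok UID MODE: succeed if one path component meets that rule.
component_ok() {
    [ "$1" -eq 0 ] 2>/dev/null || return 1   # must be owned by uid 0
    [ $(( 0$2 & 022 )) -eq 0 ]               # 020 = group write, 002 = other write
}

# check_chroot_path DIR: walk from DIR up to / and report every component
# sshd would reject. Returns 0 if usable, 1 if not, 2 if DIR is not a directory.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    rc=0
    while :; do
        if ! component_ok "$(stat -c %u "$dir")" "$(stat -c %a "$dir")"; then
            echo "sshd will reject: $dir ($(stat -c '%U:%G %a' "$dir"))" >&2
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Run the check only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Pass the intended chroot path as the first argument. Because the chroot root itself cannot be writable by the user, uploads go into a subdirectory owned by that user.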