SFTP users can see server folders and files - is it normal?
It's not a big deal, since I have restricted all SFTP use with IP blocks etc. on my own hosting server, but if I use SFTP with a normal FTP user (a site user) and in FileZilla then click out of the site user's home folder, the user can see all other home folders - but does not have access to the folders (and then files).
But if I click to the next level, I can see all folders on the server (like etc, var, bin, boot, dev, lib and so on), and in these folders I can also see files, and I can download the files, but I can't change, upload or delete the files.
Is this normal? Of course, if I had used the root user it would have been normal. But I'm only using the normal username and password Virtualmin has created for a site.
I also tested this on a cPanel server, and it's the same there.
If I'm using normal FTP, they don't see anything other than their home folder. It only applies to SFTP usage.
Here you can see that a normal site user can see files under /etc/httpd/conf
Comments
Yes you need to force chroot on the directory.
https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
Thank you, it was just what I was needing.
But I guess that this would also prevent shell access via ssh, right?
@myhken,
See below.
@angstrom,
You can make a jail with whatever binaries you'd like.
For example, in /etc/ssh/sshd.conf:
Then, using Ansible (or whatever is your preference),
This way we are effectively limiting the user to rsync and sftp.
@asv isn't ansible expensive?
It's open source?
sshd_config:
It's "only" $5,000/year for "up to 100" nodes ( https://www.ansible.com/products/engine/pricing ).
You don't need that product for using Ansible. You can use the FOSS version.
Yes, I see that, but I guess that if you jail/chroot sftp for user X, then X no longer has shell access via ssh, right?
Hmm, no. See my comment above, it only chroots the user for sftp, ssh is unaffected.
Okay. (I have yet to try this.)
I wonder, though, in what practical scenario I would want to chroot user X for sftp but would otherwise want to allow X to ssh freely.
You'd change the condition to your preference. Instead of Match group xyz use Match user xyz.
I guess that what I'm asking is more of a conceptual question than a technical one: why decide/choose to chroot user X for sftp but at the same time not decide/choose to chroot X for ssh?
Gotcha. IMO SFTP is very common and easier to chroot than ssh. Mostly, you would disable ssh access and only enable sftp to allow operations related to files.
Yeah, either that (no ssh, chroot for sftp) or (chroot for ssh, chroot for sftp), but I can't think of a practical scenario for (no-chroot for ssh, chroot for sftp).
That's exactly what I'm doing. Requires minimal amount of configuration and it's safe.
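An added example, not part of the original thread: a simplified Python model of how sshd picks `ChrootDirectory` and `ForceCommand` from `Match` blocks, showing which accounts stay unjailed over SFTP. The config text, the group `sftponly` and the users are constructed; only `Match User`, `Match Group` and `Match All` with glob patterns are modelled (no negation, no Host/Address criteria).

```python
import fnmatch

# Constructed sample sshd_config (group and user names are hypothetical).
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp

Match User deploy
    ChrootDirectory /srv/jail
"""

def _criteria_match(criteria, user, groups):
    """True if every User/Group criterion on a Match line fits this account."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    for kind, patterns in zip(tokens[0::2], tokens[1::2]):
        names = {"user": [user], "group": list(groups)}.get(kind.lower())
        if names is None:  # Host, Address, ... are not modelled here
            return False
        if not any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns.split(",")):
            return False
    return True

def effective_settings(config_text, user, groups):
    """Keyword -> value as applied to `user`: matching Match blocks override
    the global section, and the first value found for a keyword wins."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "match":
            target, active = match_opts, _criteria_match(value, user, groups)
        elif active:
            target.setdefault(keyword.lower(), value.strip())
    return {**global_opts, **match_opts}

def sftp_exposure(settings):
    """Summarise the two things the thread asks about for one account."""
    chroot = settings.get("chrootdirectory", "none")
    forced = settings.get("forcecommand", "").lower()
    return {"chroot": None if chroot.lower() == "none" else chroot,
            "sftp_only": forced.startswith("internal-sftp")}
```

On a real server, `sshd -T -C user=NAME` prints the effective settings sshd itself would apply to one account.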