
Re: [cobalt-users] RAQ2 - ProFTPD configuration



"Jason Hill" <jason@xxxxxxxxxxxxxxxx> wrote:
> > In /etc/passwd change their home location from
> > /home/sites/site61/users/fred
> >
> > to
> >
> > /home/sites/site61/web/
> >
> > and all will be fine for FTP, only do this for your admin accounts and
> > make backup copies of your /etc/passwd file.  This is the easiest way to
> > fix that problem.
>
> That does work, but it also adds a security problem that I'd rather
> not have. After changing a user's/site admin's home location to
> /home/sites/site61/web
> They then have access to my entire site...

Also, when a user is deleted the user's home directory is deleted too so the
entire site will be deleted.  Not a big deal if you have backups, but if you
or the site admin isn't aware of this someone might wonder why their site is
gone.

> they can go up a few
> directories to /home/sites/ and see/download everything.

That's because in proftpd.conf each VirtualHost (notice VirtualHosts are by
IP, not by hostname like in Apache so all sites on the same IP cannot be
controlled separately for FTP) has the following:

DefaultRoot             ~/../.. site-adm

The tilde (~) means the user's home directory and the above line means that
the site administrator can navigate two directories higher than the home
directory.  Normally the home directory is /home/sites/siteXY/users/username
so it's not a problem, but you changed it to /home/sites/siteXY/web which
allows the user to navigate up to /home/sites/.  If you insist on changing
the user's home directory you can change the line in proftpd.conf to:

DefaultRoot ~/.. site-adm

and then the user will only be able to navigate up to /home/sites/siteXY/.

> There HAS to be a solution to this problem.

Problem solved.  Enjoy.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
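
Added example (not part of the original post, and not Cobalt or ProFTPD code): a small audit that computes the FTP root each DefaultRoot rule from the message yields for a given /etc/passwd home directory and flags roots that land above the account's own site directory. The passwd lines and the function names are constructed for illustration; it assumes every listed site account is in the site-adm group and normalises paths lexically without resolving symlinks.

```python
import posixpath

# Constructed sample /etc/passwd lines using the paths from the thread.
SAMPLE_PASSWD = """\
fred:x:501:110:Fred:/home/sites/site61/web/:/bin/bash
alice:x:502:110:Alice:/home/sites/site61/users/alice:/bin/bash
root:x:0:0:root:/root:/bin/bash
"""

def effective_root(home, default_root):
    """Expand a leading ~ to the home directory and normalise the path.
    Assumption: purely lexical, symlinks are not resolved."""
    if default_root == "~" or default_root.startswith("~/"):
        path = home.rstrip("/") + default_root[1:]
    else:
        path = default_root
    return posixpath.normpath(path)

def site_dir(home):
    """Return /home/sites/<site> for a home below /home/sites, else None."""
    parts = posixpath.normpath(home).split("/")
    if parts[:3] == ["", "home", "sites"] and len(parts) >= 4:
        return "/".join(parts[:4])
    return None

def audit(passwd_text, default_root):
    """Return (user, ftp_root, escapes_site) for every site account."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, home = fields[0], fields[5]
        site = site_dir(home)
        if site is None:
            continue  # not a site account, e.g. root
        root = effective_root(home, default_root)
        inside = root == site or root.startswith(site + "/")
        findings.append((user, root, not inside))
    return findings

if __name__ == "__main__":
    for rule in ("~/../..", "~/.."):
        for user, root, escapes in audit(SAMPLE_PASSWD, rule):
            flag = "EXPOSES OTHER SITES" if escapes else "ok"
            print(f"DefaultRoot {rule:8} {user:6} -> {root:28} {flag}")
```

Run against a copy of the real /etc/passwd before and after editing home directories or proftpd.conf to confirm no account's FTP root sits at /home/sites.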