
user1690

macrumors regular
Original poster
Feb 13, 2011
146
6
Searching....
Hey Guys!

I'm having a bit of an issue: I need to set up an FTP server. The setup itself is done, but every time we try to connect we get put in / rather than /Volumes/Fileserver (which is where I need everyone who connects to go).

I have tried creating different accounts (both admin and standard) to see if it made a difference, but it doesn't. Everyone who connects with the logins I gave had full access to the root of the boot drive rather than the fileserver drive, even though I had the fileserver drive set to be the only shared volume. I even tried moving the user folders (in the proper way) to the fileserver drive, to no avail.

Any assistance would be appreciated. :D
 

128keaton

macrumors 68020
Jan 13, 2013
2,029
418
It sounds like you need to outline the drive permissions. In Finder you can right-click on the folders you want to disallow. But if you wanted to make things easier, get (if PPC) Leopard Server; it's nice since it has individual user control.
 

user1690

macrumors regular
Original poster
Feb 13, 2011
146
6
Searching....
Disallowing all users access to the drive but me does nothing :( Everyone still gets connected to /
 

128keaton

macrumors 68020
Jan 13, 2013
2,029
418
Odd. Well, I've never had much luck with FTP, so you might want to wait for someone who has more experience to reply.
 

AmestrisXServe

macrumors 6502
Feb 6, 2014
263
4
To my knowledge, even with pureftpd, users will be able to read /, including /Volumes, and anything in a path beneath their local root. I use Apple Server Admin, and while I can set a user to view their local directory on login, without a lot of chroot work, users can walk the filesystem.

I can't manage to build the latest jailkit release (via MacPorts), due to problems building python26 and python27; nor do I have any user documentation for jailkit on OSX. I do have all the Debian documentation that I could desire, but some basic differences between Linux and OSX make a lot of that useless.

Apple really should have included a jail function in the kernel, à la FreeBSD. To have true, safe, SSH and FTP systems, you need to run a VM on the top of OSX, and use that VM for your hosting environment; else, keep all datum on volumes other than /, and use disk images for each account. This doesn't prevent filesystem walking entirely, but it does allow you to have AFP/SMB shares that all users can't browse indiscriminately.

The key thing to remember, is that all access above a user directory is available, and some paths must be readable, such as /Volumes, for *Nix filesystems to work at all. That is what makes jailing a user so bloody difficult.

You may also want to install scponly, which is a shell for scp access, if you have users that you want to permit to transfer datum, but not see the filesystem. If they do not need a full shell, scponly may work for you, and is far more secure than ftp.
 

user1690

macrumors regular
Original poster
Feb 13, 2011
146
6
Searching....
Well, pureftpd has definitely resolved my problem. I just tried it; attempting to access the root directory is now impossible for any connected user, even me. All that happens is that the program/client we're using adds a .../ onto the directory structure, but the directory actually doesn't change. So, I'm happy with that. :D
 

AmestrisXServe

macrumors 6502
Feb 6, 2014
263
4
Interesting: I wasn't aware that pureftpd created a chroot jail. That doesn't solve SSH related jail problems, but it does make the toolkit more useful than the standard ftpd.
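
The behaviour reported in this thread (a parent-directory request that leaves the directory unchanged once sessions are jailed) can be modelled as follows. This is an added example, not part of any post and not pure-ftpd's code; the function names are hypothetical, and it assumes a jail rooted at /Volumes/Fileserver with no symlinks, whereas a real chroot is enforced by the kernel.

```python
import posixpath

JAIL_ROOT = "/Volumes/Fileserver"  # share path from the thread, used as the jail root

def jailed_cwd(cwd, requested):
    """Resolve a CWD argument as a chrooted session sees it.

    Paths are virtual: "/" means JAIL_ROOT. As in a real chroot,
    ".." at the root is a no-op, so the result never climbs above "/".
    """
    target = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    parts = []
    for part in target.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if parts:
                parts.pop()  # go up one level, but never past the jail root
            continue
        parts.append(part)
    return "/" + "/".join(parts)

def real_path(virtual):
    """Map a virtual path to the on-disk path the server would touch."""
    return posixpath.normpath(JAIL_ROOT + virtual)

def unjailed_cwd(cwd, requested):
    """The same request with no chroot: ordinary path normalisation."""
    return posixpath.normpath(posixpath.join(cwd, requested))

def replay(commands, start="/"):
    """Apply a sequence of CWD arguments; return (argument, virtual, real) tuples."""
    cwd, trail = start, []
    for arg in commands:
        cwd = jailed_cwd(cwd, arg)
        trail.append((arg, cwd, real_path(cwd)))
    return trail

if __name__ == "__main__":
    # Constructed session: enter a folder, then try to climb out twice.
    for arg, virtual, real in replay(["projects", "../..", "../../etc"]):
        print(f"CWD {arg:<10} -> {virtual:<10} (on disk: {real})")
    # Without a jail, the same climb from the share reaches the boot volume root.
    print("no chroot:", unjailed_cwd(JAIL_ROOT, "../.."))
```
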
 