redhawk
Posts: 3465
Joined: Sun Mar 04, 2012 2:13 pm
Location: ::1

How to prevent ".." access with ftp server??

Fri Nov 30, 2012 11:32 am

I currently have an ftp server running on my PI so a user account may login and exchange files.
While I have no issues with the server in general, it does allow ".." which could pose a security risk.

How do I lock down the ftp server so that users cannot navigate outside their home directory or any other part of the operating system??

Richard S.

RaTTuS
Posts: 10415
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: How to prevent ".." access with ftp server??

Fri Nov 30, 2012 11:34 am

don't use ftp ....

give the user an account and allow him access via that account [use scp or winscp sftp etc]
or use samba

redhawk
Posts: 3465
Joined: Sun Mar 04, 2012 2:13 pm
Location: ::1

Re: How to prevent ".." access with ftp server??

Fri Nov 30, 2012 11:46 am

I had considered using sftp but it relies on the user account having a valid shell like bash.
To prevent logins I have crippled the default shell which seems to prevent sftp from working properly.

In any case I needed a file server with resume mode; only an ftp server provides this kind of support.
I'm sure preventing ".." should be possible; my Windows-based ftp server had this ability (but no resume support).

Richard S.

joan
Posts: 14200
Joined: Thu Jul 05, 2012 5:09 pm
Location: UK

Re: How to prevent ".." access with ftp server??

Fri Nov 30, 2012 11:48 am

Depends on the ftp server you are using.

This may be a fault of the Raspberry Pi configuration. All the other distributions I have used have defaulted security safe.

bgirardot
Posts: 517
Joined: Wed Oct 10, 2012 6:20 am
Location: Switzerland

Re: How to prevent ".." access with ftp server??

Fri Nov 30, 2012 7:48 pm

redhawk wrote:
I had considered using sftp but it relies on the user account having a valid shell like bash.
To prevent logins I have crippled the default shell which seems to prevent sftp from working properly.

In any case I needed a file server with resume mode; only an ftp server provides this kind of support.
I'm sure preventing ".." should be possible; my Windows-based ftp server had this ability (but no resume support).

Richard S.

You can restrict them to sftp only by setting their shell to /usr/lib/openssh/sftp-server. The directions for doing this are at the bottom of this page:

http://www.howtoforge.com/restricting-u ... an-squeeze

You do not need to do chroot to restrict them to sftp only, but you could if you wanted to.

EDIT: pure-ftpd would allow you to restrict users to their "home" directory. Home is in quotes because the users do not need system accounts to have pure-ftpd accounts. Not sure if that fulfills the no '..' requirement for you or not, but it is easy to do with pure-ftpd.

Dweeber
Posts: 606
Joined: Fri Aug 17, 2012 3:35 am
Location: Mesa, AZ

Re: How to prevent ".." access with ftp server??

Fri Nov 30, 2012 8:14 pm

proftpd.... haven't tried it on a Raspberry Pi yet but use it on a lot of different Unixen...

Simple default root setup can lock a user to their own directories.... supports both FTP and SFTP with the same engine... split the configs, uses different ports, permissions, groups etc... fairly easy to set up and support. Can be completely separate from existing SSH setup while providing SFTP access.
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com
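
As an added example (not written by any poster in this thread), the shell check below reads a ProFTPD or Pure-FTPd configuration file and reports whether it confines users to a directory, which is the setting that stops ".." from leaving the home directory. It assumes ProFTPD's DefaultRoot directive and Pure-FTPd's ChrootEveryone and TrustedGID directives in a single flat config file; the function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an FTP daemon's config
# confines users to a directory. Function names are hypothetical.

# Print a config file with comments and blank lines removed.
active_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# jail_status DAEMON CONFIG  ->  prints jailed | partial | not-jailed
jail_status() {
    case "$1" in
    proftpd)
        # "DefaultRoot <dir>" jails everyone; a trailing group-expression
        # ("DefaultRoot ~ !staff") jails only the users it matches.
        active_lines "$2" | awk '
            tolower($1) == "defaultroot" { if (NF > 2) some = 1; else all = 1 }
            END { print (all ? "jailed" : (some ? "partial" : "not-jailed")) }'
        ;;
    pure-ftpd)
        # "ChrootEveryone yes" jails everyone except members of TrustedGID.
        active_lines "$2" | awk '
            tolower($1) == "chrooteveryone" { on = (tolower($2) == "yes") }
            tolower($1) == "trustedgid"     { trusted = 1 }
            END { print (!on ? "not-jailed" : (trusted ? "partial" : "jailed")) }'
        ;;
    *)
        echo "unknown daemon: $1" >&2
        return 2
        ;;
    esac
}

# Usage (placeholder path): sh jailcheck.sh proftpd /path/to/proftpd.conf
if [ "$#" -eq 2 ]; then
    jail_status "$1" "$2"
fi
```

The check ignores configuration contexts such as ProFTPD's VirtualHost sections, so a "jailed" result should still be confirmed by logging in as a test user and trying to change to the parent directory.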
