[BlueOnyx:05781] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521

Chuck Tetlow chuck at tetlow.net
Thu Nov 11 14:46:01 -05 2010 

> Hi all, 
> 
> Just thought I would clarify some stuff about mod_sftp in order to set the record straight - hopefully it will dispel some myths / confusions about it on this list.... 
> 
> First of all - quick recap: 
> 
> SFTP = SSH File Transfer Protocol - not supported by BX - works *like* SSH. Single channel for commands and data. 
> FTPS = FTP over SSL/TLS - supported by BX - works *like* FTP. Two channels, one command, one data.

Well,

I hate to contradict - but SFTP is supported by BX right out of the box!

And I've just tested it again, to be sure.  I turned off FTP for a particular domain, then turned off the FTP server all together.  A "netstat -na" check of the server confirmed it not have ports 20 or 21 open.

Then I went to a Winblows box and fired up CoreFTP Lite.  Told it to connect to the server, and checkmarked the "SSH/SFTP" box.  Sure enough - it worked fine.

So as long as you've told the BX configuration for that virtual site to "Allow Shell Access" - SFTP works fine. 

But unfortunately, there's still the controls issue.  Using FTP, I just confirmed that a connection drops me into the "/web" directory for that virtual site.  And the jail won't allow me to go up past the root directory of that virtual website. 

But when you use SFTP - the top line of the CoreFTP indicates I'm in the /home/.sites/28/site1/.users/145/USERNAME/ directory.  And its right, that's where I am.  Also, it unfortunately allows me to go up-level all the way to the / root directory of the operating system, instead of only to the root of the virtual directory. 

This is the problem with using SFTP - a user can see not only his own virtual website, he can see the filesystem of the server, and he can see into other virtual websites.  And if that other website possibly doesn't have the correct permissions on their files - he can download, open, and possibly even modify another virtual websites files.

That's the ABSOLUTE NO-NO that can't be allowed.  So Shell access it not turned on for our users, and we don't risk potential unauthorized access.

Chuck

P.S. - For those command-line users who are wondering what we're talking about - when you hear SFTP, think SCP.  Its the same thing, a file transfer over SSH.

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20101111/75ed3347/attachment.html>

More information about the Blueonyx mailing list