<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I've been wondering about this for a while and wondering what the best way would be to prevent such security issues while still maintaining SFTP.<div><br></div><div>In my research, I found this link: <a href="http://blog.hackedexistence.com/locking-down-sftp-user-without-ssh-on-centos-5">http://blog.hackedexistence.com/locking-down-sftp-user-without-ssh-on-centos-5</a></div><div><br></div><div>Has anyone tried this kind of technique before? Are there any loopholes you can think of that the author didn't reference?</div><div><br></div><div>Having said all of this, I hadn't heard of FTPS before, so I'll look into that as another option as well.</div><div><br></div><div>Thanks for the info, guys!<br><div><div>
<div style="font-size: 12px; "><br class="Apple-interchange-newline">--</div><div style="font-size: 12px; ">Matt James</div><div style="font-size: 12px; ">Web Programmer</div><div style="font-size: 12px; ">RainStorm Consulting</div><div style="font-size: 12px; ">(207) 866-3908</div><div style="font-size: 12px; "><br></div><br class="Apple-interchange-newline">
</div>
<br><div><div>On May 24, 2012, at 1:00 PM, Chuck Tetlow wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type">
<meta content="OPENWEBMAIL" name="GENERATOR">
<div bgcolor="#ffffff">
Yes there is a difference. And SFTP can be a BAD thing! Because while the FTP server limits where a site user or admin can go - SFTP doesn't.
<br>
<br>If you FTP in as a site admin, you can only go up to the <span style="font-weight: bold;">site's</span> root / directory - which translates to /home/sites/www.domain1.tld/. In the FTP session - a user or admin can't even see there is anything higher, let alone get into it.
<br>
<br>But if you SFTP in as that same site admin, you can go all the way up to the <span style="font-weight: bold;">system's</span> root directory. They can browser the entire server's directory tree, and read anything that has readable permissions. Whether they can write files elsewhere in the system or modify them depends on the directory permissions. But that's plausible, especially in the /tmp directory. (Can you imagine what could be done by someone placing executable code in the /tmp directory and then executing it by calling it from a PHP script in their website??)
<br>
<br>Also with SFTP, a site admin can also down from /home/sites/ into other site's /home/site/www.domain2.tld directories and read anything in there that has world read permissions. Potentially things that the owners of domain2 didn't want others to see.
<br>
<br>So its a security issue. That's why I won't allow SFTP by users or site admins on my server. I trust those guys, but only so far. Just have them use FTP or FTPS.
<br>
<br>
<br>
<br>Chuck
<br><font size="2">
<br>
<br><b>---------- Original Message
-----------</b>
<br>
From: Wayne Michael <<a href="mailto:wrmichael@hotmail.com">wrmichael@hotmail.com</a>>
<br>
To: <<a href="mailto:blueonyx@mail.blueonyx.it">blueonyx@mail.blueonyx.it</a>>
<br>
Sent: Thu, 24 May 2012 12:32:52 -0400
<br>
Subject: [BlueOnyx:10660] Re: FTPS on Blueonyx?
<br>
<br>>
There is a difference with FTPS and SFTP isn't there?
<br>>
<br>> one uses
SSH and other does not.
<br>>
<br>> I use SFTP and that requires SSH to be
turned on (Shell access).
<br><b>------- End of Original Message
-------</b>
<br>
</font>
</div>
_______________________________________________<br>Blueonyx mailing list<br><a href="mailto:Blueonyx@mail.blueonyx.it">Blueonyx@mail.blueonyx.it</a><br>http://mail.blueonyx.it/mailman/listinfo/blueonyx<br></blockquote></div><br></div></div></body></html>