[BlueOnyx:25303] Re: FTP access with Public Key

Michael Stauber mstauber at blueonyx.it
Wed Jan 19 19:27:13 -05 2022


Hi Keith,

> We just issued a public key to a vendor to log in to the machine and we
> noticed they have access to more than just their folder
> 
> They have access to all the users
> 
> /user/and list of all the users on the system
> 
> Then if you click up in the ftp program you get /
> 
> The user in question is set up
> 
> No admin access
> 
> 
> How can I keep these users in their own folder when using the public key
> and not just a password?

When Chrooted Jails are activated for a Vsite, then *two* jails will be
created. One for Users with "siteAdmin" privileges and one for users
without "siteAdmin" privileges.

How that looks directory tree wise is shown on the page that explains
the Jails:

https://www.blueonyx.it/news/245/79/5210R-Development-Jailkit

If a regular user logs in via SSH (or FTP), he ends up in his own home
directory. That's because he's restricted to the Jail that resides under
/home/.sites/siteX/home/

If a user with "siteAdmin" privileges logs in via SSH or FTP, he is in
the other Jail that is situated a bit above. That Jail has its root
path at /home/.sites/siteX/ and therefore a "siteAdmin" can access
/wwwroot as well as /home (where the other users reside).

This is an acceptable compromise, as a "siteAdmin" can add/delete/modify
all users of a Vsite anyway via the GUI or can change their passwords.

A regular user (w/o "siteAdmin" privileges) on the other hand can see
the home directories of other users and (due to the group accessible
bits) can read certain files and folders within other users' home
directories. However: The "mbox" or "MailDir" are not group readable as
those are unreadable for anyone but the owner.

I agree, though: The group readability is a bit of an issue, but I
haven't yet found a better way to make this happen. The only workable
way would be to isolate *everyone* w/o "siteAdmin" privileges into their
own Jail. At this time that would mean an extra baggage of around
50-60MB of Jail binaries per User which would eat up space.

Any suggestions or ideas?

-- 
With best regards

Michael Stauber
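
An added example, not part of the original post and not BlueOnyx's own tooling: a shell audit of the group-read exposure described above, listing what other jailed users of the same Vsite could read and checking that "mbox" / "MailDir" stay owner-only. It assumes each direct subdirectory of the path you pass is one user's home directory; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit group-read exposure beneath a Vsite's user home tree.
# Assumption: every direct subdirectory of ROOT is one user's home directory.
# Paths containing newlines are not handled.

# Print "<user><TAB><path>" for each file or directory below a user's home
# that carries the group-read bit (i.e. readable by other group members).
audit_group_readable() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    for home in "$root"/*/; do
        [ -d "$home" ] || continue          # unmatched glob stays literal
        home=${home%/}
        user=${home##*/}
        # -perm -040 matches entries with group-read set; find does not
        # follow symlinks by default, so links out of the home are ignored.
        find "$home" \( -type f -o -type d \) -perm -040 -print |
        while IFS= read -r path; do
            printf '%s\t%s\n' "$user" "$path"
        done
    done
}

# Per-user totals as "<user> <count>", for a quick overview of a Vsite.
summarize_group_readable() {
    audit_group_readable "$1" | cut -f1 | sort | uniq -c | awk '{print $2, $1}'
}

# Mail stores are expected to be unreadable for anyone but the owner.
# Prints every "mbox" or "MailDir" that is group- or world-readable and
# returns 0 if at least one was found, 1 if all are private.
exposed_mail_stores() {
    found=$(find "${1%/}" \( -name mbox -o -name MailDir \) \
        \( -perm -040 -o -perm -004 \) -print)
    [ -z "$found" ] && return 1
    printf '%s\n' "$found"
}

# When run with a directory argument, print the detailed listing.
[ "$#" -eq 0 ] || audit_group_readable "$1"
```

Run it as root against the directory that holds the users' homes for one Vsite; entries it prints are candidates for tightening with `chmod g-r` where the site does not rely on group access.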


