[BlueOnyx:25304] Re: FTP access with Public Key

K Richardson kmrichardson at rogers.com
Wed Jan 19 19:49:42 -05 2022 

Thanks for getting back to me Michael

I'm at a lost as well, I just think that a user that can get to the root of
the users folder is dangerous 
I not sure how to get around that at all
If they are siteadmin I would think they would be locked to their folder
only

It would only be admin of the vsite that would have access to all those
folders

Is there away to remove the /users/ from the config so they can't get back
to that root directory? Once they logged in they are pushed to the users
folder and that's where they get locked in to?

I'm sure I'm no help at all




-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael
Stauber
Sent: January 19, 2022 7:27 PM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:25303] Re: FTP access with Public Key

Hi Keith,

> We just issued a public key to a vendor to log in to the machine and 
> we noticed they have access to more then just their folder
> 
> The have access too all the users
> 
> /user/and list of all the users on the system
> 
> Then if you click up in the ftp program you get /
> 
> The user is question is setup
> 
> No admin access
> 
> 
> How can I keep these users in their own folder when using the public 
> key and not just a password?

When Chrooted Jails are activated for a Vsite, then *two* jails will be
created. One for Users with "siteAdmin" privileges and one for users without
"siteAdmin" privileges.

How that looks directory tree wise is shown on the page that explains the
Jails:

https://www.blueonyx.it/news/245/79/5210R-Development-Jailkit

If a regular user logs in via SSH (or FTP), he end up in his own home
directory. That's because he's restricted to the Jail that resides under
/home/.sites/siteX/home/

If a user with "siteAdmin" privileges logs in via SSH or FTP, he is in the
other Jail that is situated a bit above. That Jail has it's root path at
/home/.sites/siteX/ and therefore a "siteAdmin" can access /wwwroot as well
as /home (where the other users reside).

This is an acceptable compromise, as a "siteAdmin" can add/delete/modify all
users of a Vsite anyway via the GUI or can change their passwords.

A regular user (w/o "siteAdmin" privileges) on the other hand can see the
home directories of other users and (due to the group accessible
bits) can read certain files and folders within other users home
directories. However: The "mbox" or "MailDir" are not group readable as
those are unreadable for anyone but the owner.

I agree, though: The group readability is a bit of an issue, but I haven't
yet found a better way to make this happen. The only workable way would be
to isolate *everyone* w/o "siteAdmin" privileges into their own Jail. At
this time that would mean an extra baggage of around 50-60MB of Jail
binaries per User which would eat up space.

Any suggestions or ideas?

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx

More information about the Blueonyx mailing list