Web Hosting Forum | Lunarpages
Topic: ftp access for my customers and security
geolev
« on: October 19, 2007, 10:34:52 AM »

I just set up my second customer.

I was testing their ftp access and noticed that it is possible to access the directory tree above their home directory!

For example, when they ftp in, they are at /var/www/vhosts/their.site.com/. From here they have access to their httpdocs directory as expected. Unbelievably, they are able to cd .. up one level to /var/www/vhosts. From there, they are free to move around to other customer sites. How can that be?

What do I need to do to clamp this down so that my customers can't see other customers' directories? This is very bad and shouldn't be the default behavior.

Thanks
George

perestrelka
Administrator
« Reply #1 on: October 19, 2007, 09:59:46 PM »

Hi George,

This is something that should obviously be restricted in hosting control panels. To look into this further, it is required to do some testing on your VPS. Please open a ticket with support and we will be happy to look into this more closely.

Kind Regards,
Vlad Artamonov
geolev
« Reply #2 on: October 21, 2007, 06:24:30 PM »

Okay, support got me fixed up. For future reference, this is what they did. If anyone can explain to me the concept of "chrooted", I would really appreciate it.

They added "DefaultRoot ~" into /etc/proftpd.conf.

Now, I assume they had to restart the ftp server once they made the change to the configuration file but they didn't say that they did beyond telling me about the above change.

George
perestrelka
Administrator
« Reply #3 on: October 25, 2007, 12:02:27 AM »

Hello,

Processes executed in a chroot environment are unable to access anything that is above the folder the chroot was issued to. Chroot is usually used to improve security: even if the chrooted process is exploited, the attacker won't be able to access files above the folder with the process.

Kind Regards,
Vlad Artamonov
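
Added example (not part of the thread, and not Lunarpages' or ProFTPD's own code): a small Python check for the "DefaultRoot ~" fix described in Reply #2. It goes beyond the single line quoted there by assuming ProFTPD's documented scoping, where a top-level directive covers only the main server and `<Global>` covers every `<VirtualHost>`; the sample config and the function name are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): DefaultRoot sits at top
# level, so it jails the main server's users but not the <VirtualHost>'s.
SAMPLE_CONF = """\
ServerName "example"
DefaultRoot ~
<VirtualHost 192.0.2.10>
  ServerName "customer ftp"
</VirtualHost>
"""

SECTION = re.compile(r"<\s*(/?)\s*(\w+)([^>]*)>")

def audit_default_root(conf_text):
    """Map each server context to the DefaultRoot arguments that apply to it.

    An empty list means logins to that server are not chrooted at all.
    """
    servers = {"main": []}   # one entry per server context
    global_roots = []        # DefaultRoot inside <Global> applies to all servers
    stack = []               # currently open sections, innermost last
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            if m.group(1):                      # closing tag such as </Global>
                if stack:
                    stack.pop()
            elif m.group(2).lower() == "virtualhost":
                stack.append("vhost " + m.group(3).strip())
                servers[stack[-1]] = []
            else:
                stack.append(m.group(2).lower())
            continue
        parts = line.split()
        if parts[0].lower() != "defaultroot":
            continue
        value = " ".join(parts[1:])             # path plus optional group expression
        if "global" in stack:
            global_roots.append(value)
        else:
            owner = next((s for s in stack if s.startswith("vhost ")), "main")
            servers[owner].append(value)
    return {name: roots + global_roots for name, roots in servers.items()}
```

Anything after the path in a returned entry is a group expression, which limits the jail to the matching groups, so an entry such as `~ !staff` still leaves members of `staff` free to leave their home directory.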