Questions about restricting SFTP users to specific directories but giving one admin user access to all
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
I've read a great number of posts about restricting SFTP users but I still have questions about some specifics (I just started using Linux on Friday). I built a server on AWS using Amazon Linux 4.9.75-1.56.amzn2.x86_64 (compatible with centOS) and went through guides here, and here to build the vsftpd server, and create users and attempt to restrict them to the directory associated with their group(s) respectively. The intended use of the FTP server is for records to be stored on by various counties (but they shouldn't know about each other), and to that end I created this path: /ftpfiles/county1files and: /ftpfiles/county2files. I created the following users:
- admin1user
- county1user
- county2user
and the following user groups:
- admin1
- county1
- county2
and created the following folders:
- /ftpfiles/
- /ftpfiles/county1files
- /ftpfiles/county2files
In time I will add more counties but for now this is a good start. The following setup is what I want:
The admin1 user should have access to all directories contained within /ftpfiles/ (though they should not have access the root backbone behind /ftpfiles/), and all other users should only have access to their respective directory, i.e. the user county1 should only have access to the directory for county1files, and so on. County users should not ever be able to see any of the files or directories contained within ftpfiles.
What I've ended up with following the aforementioned guide (above in paragraph 1) however is three groups, one group for admin1, another for county1, and yet a third for county2. When I get on another computer and ftp in, I am able to easily back into the root directory and see every file name on the server (note I can't open any items, but I can look at the file names). This theoretically shouldn't be happening, right? I know I'm doing something wrong and not understanding how the file structures work and am hoping someone can explain it to me in detail with the knowledge that I am a complete newb. Linux should be able to easily handle what I'm trying to do - I just need some help using my specific example because I'm having trouble relating other examples to mine. Thank you in advance for your help, this forum is awesome! For reference below is a copy of the un-commented sections of my config file:
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp internal-sftp
Match Group admin1
ChrootDirectory /ftpfiles/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match Group county1
ChrootDirectory /ftpfiles/county1files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match Group county2
ChrootDirectory /ftpfiles/county2files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
vsftpd amazon-linux
add a comment |Â
up vote
0
down vote
favorite
I've read a great number of posts about restricting SFTP users but I still have questions about some specifics (I just started using Linux on Friday). I built a server on AWS using Amazon Linux 4.9.75-1.56.amzn2.x86_64 (compatible with centOS) and went through guides here, and here to build the vsftpd server, and create users and attempt to restrict them to the directory associated with their group(s) respectively. The intended use of the FTP server is for records to be stored on by various counties (but they shouldn't know about each other), and to that end I created this path: /ftpfiles/county1files and: /ftpfiles/county2files. I created the following users:
- admin1user
- county1user
- county2user
and the following user groups:
- admin1
- county1
- county2
and created the following folders:
- /ftpfiles/
- /ftpfiles/county1files
- /ftpfiles/county2files
In time I will add more counties but for now this is a good start. The following setup is what I want:
The admin1 user should have access to all directories contained within /ftpfiles/ (though they should not have access the root backbone behind /ftpfiles/), and all other users should only have access to their respective directory, i.e. the user county1 should only have access to the directory for county1files, and so on. County users should not ever be able to see any of the files or directories contained within ftpfiles.
What I've ended up with following the aforementioned guide (above in paragraph 1) however is three groups, one group for admin1, another for county1, and yet a third for county2. When I get on another computer and ftp in, I am able to easily back into the root directory and see every file name on the server (note I can't open any items, but I can look at the file names). This theoretically shouldn't be happening, right? I know I'm doing something wrong and not understanding how the file structures work and am hoping someone can explain it to me in detail with the knowledge that I am a complete newb. Linux should be able to easily handle what I'm trying to do - I just need some help using my specific example because I'm having trouble relating other examples to mine. Thank you in advance for your help, this forum is awesome! For reference below is a copy of the un-commented sections of my config file:
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp internal-sftp
Match Group admin1
ChrootDirectory /ftpfiles/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match Group county1
ChrootDirectory /ftpfiles/county1files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match Group county2
ChrootDirectory /ftpfiles/county2files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
vsftpd amazon-linux
add a comment |Â
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I've read a great number of posts about restricting SFTP users but I still have questions about some specifics (I just started using Linux on Friday). I built a server on AWS using Amazon Linux 4.9.75-1.56.amzn2.x86_64 (compatible with centOS) and went through guides here, and here to build the vsftpd server, and create users and attempt to restrict them to the directory associated with their group(s) respectively. The intended use of the FTP server is for records to be stored on by various counties (but they shouldn't know about each other), and to that end I created this path: /ftpfiles/county1files and: /ftpfiles/county2files. I created the following users:
- admin1user
- county1user
- county2user
and the following user groups:
- admin1
- county1
- county2
and created the following folders:
- /ftpfiles/
- /ftpfiles/county1files
- /ftpfiles/county2files
In time I will add more counties but for now this is a good start. The following setup is what I want:
The admin1 user should have access to all directories contained within /ftpfiles/ (though they should not have access the root backbone behind /ftpfiles/), and all other users should only have access to their respective directory, i.e. the user county1 should only have access to the directory for county1files, and so on. County users should not ever be able to see any of the files or directories contained within ftpfiles.
What I've ended up with following the aforementioned guide (above in paragraph 1) however is three groups, one group for admin1, another for county1, and yet a third for county2. When I get on another computer and ftp in, I am able to easily back into the root directory and see every file name on the server (note I can't open any items, but I can look at the file names). This theoretically shouldn't be happening, right? I know I'm doing something wrong and not understanding how the file structures work and am hoping someone can explain it to me in detail with the knowledge that I am a complete newb. Linux should be able to easily handle what I'm trying to do - I just need some help using my specific example because I'm having trouble relating other examples to mine. Thank you in advance for your help, this forum is awesome! For reference below is a copy of the un-commented sections of my config file:
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp internal-sftp
Match Group admin1
ChrootDirectory /ftpfiles/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match Group county1
ChrootDirectory /ftpfiles/county1files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match Group county2
ChrootDirectory /ftpfiles/county2files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
vsftpd amazon-linux
I've read a great number of posts about restricting SFTP users but I still have questions about some specifics (I just started using Linux on Friday). I built a server on AWS using Amazon Linux 4.9.75-1.56.amzn2.x86_64 (compatible with centOS) and went through guides here, and here to build the vsftpd server, and create users and attempt to restrict them to the directory associated with their group(s) respectively. The intended use of the FTP server is for records to be stored on by various counties (but they shouldn't know about each other), and to that end I created this path: /ftpfiles/county1files and: /ftpfiles/county2files. I created the following users:
- admin1user
- county1user
- county2user
and the following user groups:
- admin1
- county1
- county2
and created the following folders:
- /ftpfiles/
- /ftpfiles/county1files
- /ftpfiles/county2files
In time I will add more counties but for now this is a good start. The following setup is what I want:
The admin1 user should have access to all directories contained within /ftpfiles/ (though they should not have access the root backbone behind /ftpfiles/), and all other users should only have access to their respective directory, i.e. the user county1 should only have access to the directory for county1files, and so on. County users should not ever be able to see any of the files or directories contained within ftpfiles.
What I've ended up with following the aforementioned guide (above in paragraph 1) however is three groups, one group for admin1, another for county1, and yet a third for county2. When I get on another computer and ftp in, I am able to easily back into the root directory and see every file name on the server (note I can't open any items, but I can look at the file names). This theoretically shouldn't be happening, right? I know I'm doing something wrong and not understanding how the file structures work and am hoping someone can explain it to me in detail with the knowledge that I am a complete newb. Linux should be able to easily handle what I'm trying to do - I just need some help using my specific example because I'm having trouble relating other examples to mine. Thank you in advance for your help, this forum is awesome! For reference below is a copy of the un-commented sections of my config file:
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp internal-sftp
Match Group admin1
ChrootDirectory /ftpfiles/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match Group county1
ChrootDirectory /ftpfiles/county1files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match Group county2
ChrootDirectory /ftpfiles/county2files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
vsftpd amazon-linux
edited Jan 15 at 18:01
asked Jan 14 at 21:38
Damon McCall
12
12
add a comment |Â
add a comment |Â
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f417119%2fquestions-about-restricting-sftp-users-to-specific-directories-but-giving-one-ad%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password