Difference between revisions of "FTP Access to Ibays"
m (remove dungog repo and numbering) |
Revision as of 10:52, 23 January 2009
IMPORTANT NOTE about group access to ftp sites
As of 6/5/7 SME automatically adds any 'group' you create to /etc/ftpusers - thereby denying ftp access to that group.
I do not know if this behavior is by design, or by accident.
In order to enable group-based ftp access to your system you will need to change the default behavior.
- bugzilla: http://bugs.contribs.org/show_bug.cgi?id=3043
- Workaround (French, but easy to understand): http://forums.contribs.org/index.php?topic=37168.0
- Workaround (English): http://forums.contribs.org/index.php?topic=37307.0
FTP Access to Ibays
Applies to: SME 7.1.3 / smeserver-remoteuseraccess 1.2-12
References: Lots of helpful posts
Author: mmccarn
- Updated: 6/5/07
Objective
Allow chroot'ed access to a single ibay for a specific non-admin user.
Procedure
Install the smeserver-remoteuseraccess contrib
 yum --enablerepo=smecontribs install smeserver-remoteuseraccess
 signal-event post-upgrade; signal-event reboot
Create a security group for the target user and ibay
Using server-manager:Collaboration:Groups:
- create a new 'Group' for your user and ibay (for example "ibaygroup")
Create the target user, adding him/her to the group created above
Using server-manager:Collaboration:Users
- create a new user (for example 'ibayuser')
During creation
- select the group created above under 'Group Membership'
After creation
- 'modify' your new user and set a password
Create the target ibay, granting read and write access to the group created above
Using server-manager:Collaboration:Information bays
- create a new ibay (for example 'ibay')
- Set the "Group" to the group you created above
- Set "User access via file sharing or user ftp" to "Write=group, Read=group"
- Set "Public access via web or anonymous ftp" to "Entire Internet (password required)"
Configure the SME ftp service for public access using password authentication
Using server-manager:Security:Remote Access
- set "FTP access" to "Allow public access (entire Internet)"
- set "FTP password access" to "Accept passwords from anywhere"
Configure chroot access using smeserver-remoteuseraccess
Using server-manager:Security:User Remote Access (new panel installed above)
- select the user created above
- select the desired chroot path in "Select Chroot Path". The pull-down menu will include all ibays plus links to both <ibayname>/files and <ibayname>/html.
If you only want users to be able to access an online ftp file store, select <ibayname>/files. If you want users to be able to update the html documents for <ibayname>, select <ibayname>/html. If <ibayname> has "Execution of dynamic content (CGI,PHP,SSI)" enabled, you probably want to select <ibayname> so that users can upload files to both <ibayname>/html and <ibayname>/cgi-bin.
Security Implications
- FTP sends usernames and passwords over the Internet in plain text; enabling password-based FTP access from the Internet is therefore a security risk.
- I am unaware of any security impact simply from installing smeserver-remoteuseraccess, but almost everything you can do with it does have a potential impact on your server's security.
- I don't know if groups are added to /etc/ftpusers by design or by accident. If by design, there is probably a security implication in allowing group access to your FTP sites other than the obvious one (the more people who can access your server insecurely, the worse your security).
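The /etc/ftpusers behaviour described in the note at the top of this page can be checked from a shell before and after applying a workaround. The script below is an added example, not part of the original how-to: the function names and the sample data are assumptions, and it reads only the member lists in /etc/group (primary groups are not resolved).

```sh
#!/bin/sh
# Added example (not from the original page): find out whether an account,
# or any group it belongs to, is listed in an ftpusers-style deny list.

# is_denied NAME [DENY_FILE]: exit 0 if NAME is an entry in the deny list.
# Comments (#...) and surrounding whitespace are ignored; the match is exact.
is_denied() {
    d_name=$1
    d_file=${2:-/etc/ftpusers}
    [ -r "$d_file" ] || return 2
    awk -v n="$d_name" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == n { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$d_file"
}

# groups_of USER [GROUP_FILE]: print the groups that list USER as a member
# (field 4 of the /etc/group format).
groups_of() {
    awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "${2:-/etc/group}"
}

# ftp_blockers USER [DENY_FILE] [GROUP_FILE]: print, space-separated, every
# name (the user and its groups) that appears in the deny list.
ftp_blockers() {
    b_out=""
    for b_name in "$1" $(groups_of "$1" "${3:-/etc/group}"); do
        if is_denied "$b_name" "${2:-/etc/ftpusers}"; then
            b_out="${b_out:+$b_out }$b_name"
        fi
    done
    printf '%s\n' "$b_out"
}

# Constructed sample data, using the example names from the procedure.
demo() {
    t=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'root' 'ibaygroup  # group entry' > "$t/ftpusers"
    printf '%s\n' 'ibaygroup:x:5001:ibayuser' 'shared:x:5002:ibayuser' > "$t/group"
    echo "ibayuser blocked by: $(ftp_blockers ibayuser "$t/ftpusers" "$t/group")"
    rm -rf "$t"
}
demo
```

On a live server, run `ftp_blockers ibayuser` with no file arguments to read /etc/ftpusers and /etc/group directly; an empty result means neither the user nor its groups are in the deny list.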