Difference between revisions of "FTP Access to Ibays"
m (remove dungog repo and numbering) |
m (Changed layout of the note to adhere to this wiki style) |
Line 1: | Line 1: | ||
− | + | {{Note box|msg='''About group access to ftp sites''' | |
− | As of 6/5/7 SME automatically adds any 'group' you create to /etc/ftpusers - thereby ''denying'' ftp access to that group. | + | As of 6/5/7 SME Server automatically adds any 'group' you create to /etc/ftpusers - thereby ''denying'' ftp access to that group. |
I do not know if this behavior is by design, or by accident. | I do not know if this behavior is by design, or by accident. | ||
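Review bot: the date "6/5/7" in the sentence carried into the new revision is ambiguous, since neither the day/month order nor the year is clear from it. The line is already being edited to change "SME" to "SME Server", so write the date out in full in the same edit. The file path /etc/ftpusers in that sentence would also read better marked up as a path, because it is the one thing a reader of this note will want to copy.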
Line 6: | Line 6: | ||
In order to enable group-based ftp access to your system you will need to change the default behavior. | In order to enable group-based ftp access to your system you will need to change the default behavior. | ||
− | * bugzilla: | + | * bugzilla: [[bugzilla:3043]] |
* Workaround (french, but easy to understand): http://forums.contribs.org/index.php?topic=37168.0 | * Workaround (french, but easy to understand): http://forums.contribs.org/index.php?topic=37168.0 | ||
− | * Workaround (english): http://forums.contribs.org/index.php?topic=37307.0 | + | * Workaround (english): http://forums.contribs.org/index.php?topic=37307.0}} |
== FTP Access to Ibays == | == FTP Access to Ibays == |
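Review bot: the closing "}}" of the Note box is appended directly to the end of the forum URL on the last bullet ("...topic=37307.0}}"), which makes the end of the template easy to miss and easy to break when another bullet is added later. Put "}}" on its own line after the list. The note body also keeps "I do not know if this behavior is by design, or by accident" while the new bullet links [[bugzilla:3043]]; if that bug report answers the question, the sentence should say so rather than stay open.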
Revision as of 13:56, 24 January 2009
FTP Access to Ibays
Applies to: SME 7.1.3 / smeserver-remoteuseraccess 1.2-12
References: Lots of helpful posts
Author: mmccarn
- Updated: 6/5/07
Objective
Allow chroot'ed access to a single ibay for a specific non-admin user.
Procedure
Install the smeserver-remoteuseraccess contrib
yum --enablerepo=smecontribs install smeserver-remoteuseraccess
signal-event post-upgrade; signal-event reboot
Create a security group for the target user and ibay
Using server-manager:Collaboration:Groups:
- create a new 'Group' for your user and ibay (for example "ibaygroup")
Create the target user, adding him/her to the group created above
Using server-manager:Collaboration:Users
- create a new user (for example 'ibayuser')
During creation
- select the group created above under 'Group Membership'
After creation
- 'modify' your new user and set a password
Create the target ibay, granting read and write access to the group created above
Using server-manager:Collaboration:Information bays
- create a new ibay (for example 'ibay')
- Set the "Group" to the group you created above
- Set "User access via file sharing or user ftp" to "Write=group, Read=group"
- Set "Public access via web or anonymous ftp" to "Entire Internet (password required)"
Configure the SME ftp service for public access using password authentication
Using server-manager:Security:Remote Access
- set "FTP access" to "Allow public access (entire Internet)"
- set "FTP password access" to "Accept passwords from anywhere"
Configure chroot access using smeserver-remoteuseraccess
Using server-manager:Security:User Remote Access (new panel installed above)
- select the user created above
- select the desired chroot path in "Select Chroot Path". The pull-down menu will include all ibays plus links to both <ibayname>/files and <ibayname>/html.
If you only want users to be able to access an online ftp file store, select <ibayname>/files. If you want users to be able to update the html documents for <ibayname>, select <ibayname>/html. If <ibayname> has "Execution of dynamic content (CGI,PHP,SSI)" enabled, you probably want to select <ibayname> so that users can upload files to both <ibayname>/html and <ibayname>/cgi-bin.
Security Implications
- FTP passes usernames and passwords over the internet in plain text; therefore, enabling FTP access from the internet using passwords is a security risk.
- I am unaware of any security impact simply from installing smeserver-remoteuseraccess, but almost everything you can do with it does have a potential impact on your server's security.
- I don't know if groups are added to /etc/ftpusers by design or by accident. If by design, there is probably a security implication in allowing group access to your FTP sites other than the obvious one (the more people who can access your server insecurely, the worse your security).
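A check for the /etc/ftpusers behaviour described above, as an added example that is not part of the original wiki page or of SME Server: it reports whether a user, and each group that lists the user as a member, appears in an ftpusers deny list. The function names and both sample files are constructed for illustration; the script assumes the usual one-name-per-line ftpusers layout and the standard /etc/group format.

```shell
#!/bin/sh
# Added example: audit an ftpusers deny list against a user and its groups.

# ftp_denied FTPUSERS NAME -> exit 0 if NAME is listed, 1 otherwise.
# ftpusers format: one account name per line, '#' starts a comment.
ftp_denied() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -Fxq -- "$2"
}

# groups_of GROUPFILE USER -> names of groups that list USER as a member
# (supplementary members in field 4 of the /etc/group format).
groups_of() {
    awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$1"
}

# ftp_audit FTPUSERS GROUPFILE USER -> one status line per name
ftp_audit() {
    for a_name in "$3" $(groups_of "$2" "$3"); do
        if ftp_denied "$1" "$a_name"; then
            echo "$a_name listed"
        else
            echo "$a_name not-listed"
        fi
    done
}

# Constructed sample files, not copied from a real server.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ftpusers" <<'EOF'
# constructed sample deny list
root
ibaygroup   # group name, added automatically per the note
EOF
cat > "$demo_dir/group" <<'EOF'
root:x:0:
ibaygroup:x:5001:ibayuser
shared:x:5002:admin,ibayuser
EOF
ftp_audit "$demo_dir/ftpusers" "$demo_dir/group" ibayuser
rm -rf "$demo_dir"
```

On a server the same call would be ftp_audit /etc/ftpusers /etc/group ibayuser, run after creating the group and user in the procedure above.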