FTP Access to Ibays
Applies to: SME 7.1.3 / smeserver-remoteuseraccess 1.2-12
References: Lots of helpful posts
Author: mmccarn
- Updated: 6/5/07
Objective
Allow chroot'ed access to a single ibay for a specific non-admin user.
Procedure
Install the smeserver-remoteuseraccess contrib
yum --enablerepo=smecontribs install smeserver-remoteuseraccess
signal-event post-upgrade; signal-event reboot
Create a security group for the target user and ibay
Using server-manager:Collaboration:Groups:
- create a new 'Group' for your user and ibay (for example "ibaygroup")
Create the target user, adding him/her to the group created above
Using server-manager:Collaboration:Users
- create a new user (for example 'ibayuser')
During creation
- select the group created above under 'Group Membership'
After creation
- 'modify' your new user and set a password
Create the target ibay, granting read and write access to the group created above
Using server-manager:Collaboration:Information bays
- create a new ibay (for example 'ibay')
- Set the "Group" to the group you created above
- Set "User access via file sharing or user ftp" to "Write=group, Read=group"
- Set "Public access via web or anonymous ftp" to "Entire Internet (password required)"
Configure the SME ftp service for public access using password authentication
Using server-manager:Security:Remote Access
- set "FTP access" to "Allow public access (entire Internet)"
- set "FTP password access" to "Accept passwords from anywhere"
Configure chroot access using smeserver-remoteuseraccess
Using server-manager:Security:User Remote Access (new panel installed above)
- select the user created above
- select the desired chroot path in "Select Chroot Path". The pull-down menu will include all ibays plus links to both <ibayname>/files and <ibayname>/html.
If you only want users to be able to access an online ftp file store, select <ibayname>/files. If you want users to be able to update the html documents for <ibayname>, select <ibayname>/html. If <ibayname> has "Execution of dynamic content (CGI,PHP,SSI)" enabled, you probably want to select <ibayname> so that users can upload files to both <ibayname>/html and <ibayname>/cgi-bin.
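Once the chroot path is selected, the directory's on-disk ownership and mode can be checked against the "Write=group, Read=group" setting. The function below is an added example, not part of the original howto or of the contrib. The name audit_chroot, the ibay path in the usage comment, and the expected layout (group-owned, group-writable, no permissions for "other") are assumptions.

```shell
#!/bin/sh
# Added example (not from the howto): audit a directory used as an FTP chroot.
# Assumption: "Write=group, Read=group" should appear on disk as group-owned,
# group-writable, with no permission bits for "other". Requires GNU stat/find.
# Usage: audit_chroot DIR GROUP   -> returns 0 when clean, 1 on any finding
audit_chroot() {
    dir=$1; grp=$2; bad=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"; return 1
    fi
    owner_grp=$(stat -c '%G' "$dir")   # group owner of the chroot root
    mode=$(stat -c '%a' "$dir")        # octal mode, e.g. 2770
    if [ "$owner_grp" != "$grp" ]; then
        echo "FAIL: $dir is owned by group $owner_grp, expected $grp"; bad=1
    fi
    case $mode in
        *[2367]?) ;;                   # group write bit is set
        *) echo "FAIL: $dir (mode $mode) is not group-writable"; bad=1 ;;
    esac
    case $mode in
        *[!0]) echo "FAIL: $dir (mode $mode) grants access to other"; bad=1 ;;
    esac
    # Anything left world-writable inside the chroot (symlinks excluded).
    ww=$(find "$dir" -mindepth 1 ! -type l -perm -0002 2>/dev/null)
    if [ -n "$ww" ]; then
        echo "FAIL: world-writable entries:"; echo "$ww"; bad=1
    fi
    # Entries owned by a different group than the one the ibay was given.
    stray=$(find "$dir" -mindepth 1 ! -group "$grp" 2>/dev/null)
    if [ -n "$stray" ]; then
        echo "FAIL: entries not owned by group $grp:"; echo "$stray"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK: $dir"
    return "$bad"
}

# Example call with the names used in this howto (path is an assumption):
#   audit_chroot /home/e-smith/files/ibays/ibay/files ibaygroup
```

If your SME release lays out ibay permissions differently, adjust the expected mode checks before relying on the result.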
Security Implications
- FTP sends usernames and passwords over the Internet in plain text; therefore, enabling FTP access from the Internet using passwords is a security risk.
- I am unaware of any security impact simply from installing smeserver-remoteuseraccess, but almost everything you can do with it does have a potential impact on your server's security.
- I don't know if groups are added to /etc/ftpusers by design or by accident. If by design, there is probably a security implication in allowing group access to your FTP sites other than the obvious one (the more people who can access your server insecurely, the worse your security).
Uninstall
yum remove smeserver-remoteuseraccess
signal-event post-upgrade; signal-event reboot
Note: the ibays, files, users, and groups created above remain on the server even after this contrib is removed. These will have to be handled according to your local policy.