FTP Access to Ibays

From SME Server
Revision as of 10:52, 23 January 2009 by Snoble (talk | contribs) (remove dungog repo and numbering)
Jump to navigation Jump to search

IMPORTANT NOTE about group access to ftp sites

As of 6/5/7 SME automatically adds any 'group' you create to /etc/ftpusers - thereby denying ftp access to that group.

I do not know if this behavior is by design, or by accident.

In order to enable group-based ftp access to your system you will need to change the default behavior.

FTP Access to Ibays

Applies to: SME 7.1.3 / smeserver-remoteuseraccess 1.2-12
References: Lots of helpful posts
Author: mmccarn

  • Updated: 6/5/07

Objective

Allow chroot'ed access to a single ibay for a specific non-admin user.

Procedure

Install the smeserver-remoteuseraccess contrib

yum  --enablerepo=smecontribs install smeserver-remoteuseraccess
signal-event post-upgrade; signal-event reboot

Create a security group for the target user and ibay

Using server-manager:Collaboration:Groups:

  • create a new 'Group' for your user and ibay (for example "ibaygroup")

Create the target user, adding him/her to the group created above

Using server-manager:Collaboration:Users

  • create a new user (for example 'ibayuser')

During creation

  • select the group created above under 'Group Membership'

After creation

  • 'modify' your new user and set a password

Create the target ibay, granting read and write access to the group created above

Using server-manager:Collaboration:Information bays

  • create a new ibay (for example 'ibay')
  • Set the "Group" to the group you created above
  • Set "User access via file sharing or user ftp" to "Write=group, Read=group"
  • Set "Public access via web or anonymous ftp" to "Entire Internet (password required)"

Configure the SME ftp service for public access using password authentication

Using server-manager:Security:Remote Access

  • set "FTP access" to "Allow public access (entire Internet)"
  • set "FTP password access" to "Accept passwords from anywhere"

Configure chroot access using smeserver-remoteuseraccess

Using server-manager:Security:User Remote Access (new panel installed above)

  • select the user created above
  • select the desired chroot path in "Select Chroot Path". The pull-down menu will include all ibays plus links to both <ibayname>/files and <ibayname>/html.

If you only want users to be able to access an online ftp file store, select <ibayname>/files. If you want users to be able to update the html documents for <ibayname>, select <ibayname>/html. If <ibayname> has "Execution of dynamic content (CGI,PHP,SSI)" enabled, you probably want to select <ibayname> so that users can upload files to both <ibayname>/html and <ibayname>/cgi-bin.

Security Implications

  • ftp passes usernames and passwords over the internet in plain text; therefore, enabling ftp access from the internet using passwords is a security risk.
  • I am unaware of any security impact simply from installing smeserver-remoteuseraccess, but almost everything you can do with it does have a potential impact on your server's security.
  • I don't know if groups are added to /etc/ftpusers by design or by accident. If by design, there is probably a security implication in allowing group access to your FTP sites other than the obvious one (the more people who can access your server insecurely, the worse your security).