FTP Access to Ibays

Author: mmccarn

References: Lots of helpful posts

Updated: 5/28/07

Objective

Allow chroot'ed access to a single ibay for a specific non-admin user.

Procedure

1. Configure the free dungog repository

The commands below will configure yum on your SME server to recognize the free dungog repository. As shown here, the repository will not be accessed unless you specifically instruct yum to do so using the "--enablerepo=dungog" directive.

(Commands below copied from http://www.dungog.net/sme/repo.php)

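# Register the dungog repository in the yum_repositories database, left disabled by default
db yum_repositories set dungog repository \
 BaseURL http://sme.dungog.net/packages/smeserver/7.0/i386/dungog/ \
 EnableGroups yes \
 GPGCheck no \
 Name 'SME Server 7 - dungog' \
 Visible yes \
 exclude 'dansguardian smeserver-dansguardian' \
 status disabled
# Regenerate /etc/yum.conf so yum sees the new repository entry
/sbin/e-smith/expand-template /etc/yum.conf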


2. Install the smeserver-remoteuseraccess contrib

yum --enablerepo=dungog install smeserver-remoteuseraccess
signal-event post-upgrade; signal-event reboot

3. Create a security group for the target user and ibay

Using server-manager:Collaboration:Groups:

  • create a new 'Group' for your user and ibay (for example "ibaygroup")

4. Create the target user, adding him/her to the group created in step 3

Using server-manager:Collaboration:Users

  • create a new user (for example 'ibayuser')

During creation

  • select the group created in step 3 under 'Group Membership'

After creation

  • Be sure to select 'modify' after creating the user in order to set a password.

5. Create the target ibay, granting read and write access to the group created in step 3

Using server-manager:Collaboration:Information bays

  • create a new ibay (for example 'ibay')
  • Set the "Group" to the group you created in step 3
  • Set "User access via file sharing or user ftp" to "Write=group, Read=group"
  • Set "Public access via web or anonymous ftp" to "Entire Internet (password required)"

6. Configure the SME ftp service for public access using password authentication

Using server-manager:Security:Remote Access

  • set "FTP access" to "Allow public access (entire Internet)"
  • set "FTP password access" to "Accept passwords from anywhere"

7. Configure chroot access using smeserver-remoteuseraccess

Using server-manager:Security:User Remote Access (new panel installed in step 2)

  • select the user created in step 4
  • select the desired chroot path in "Select Chroot Path". The pull-down menu will include all ibays plus links to both <ibayname>/files and <ibayname>/html.

If you only want users to be able to access an online ftp file store, select <ibayname>/files. If you want users to be able to update the html documents for <ibayname>, select <ibayname>/html. If <ibayname> has "Execution of dynamic content (CGI,PHP,SSI)" enabled, you probably want to select <ibayname> so that users can upload files to both <ibayname>/html and <ibayname>/cgi-bin.
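
To confirm that step 7 took effect, the check below logs in as the restricted user and reports anything that shows the session is not confined to its chroot. It is an added example, not part of the original page or of smeserver-remoteuseraccess. Assumptions: the FTP server reports the chroot as "/", the default probe paths /etc and /home/e-smith are illustrative choices, and FakeFTP is a constructed stand-in used when no host is given.

```python
import ftplib

def check_chroot(ftp, outside=("/etc", "/home/e-smith")):
    """Return findings for a logged-in FTP session; [] means it looks confined.

    `ftp` is an ftplib.FTP after login(), or any object with pwd() and cwd().
    `outside` lists server paths that must not be reachable (assumed defaults).
    """
    findings = []
    start = ftp.pwd()
    if start != "/":
        findings.append(f"login directory is {start}, not the chroot root /")
    for path in ("..",) + tuple(outside):
        try:
            ftp.cwd(path)
        except ftplib.error_perm:
            continue                      # refused or missing: nothing to report
        where = ftp.pwd()
        if where != "/":                  # inside a chroot, '..' from / stays at /
            findings.append(f"cwd {path} reached {where}")
        ftp.cwd(start)                    # go back before the next probe
    return findings

class FakeFTP:
    """Constructed stand-in for a server: `dirs` are the paths the session can see."""
    def __init__(self, home, dirs):
        self.cur, self.dirs = home, set(dirs) | {home, "/"}
    def pwd(self):
        return self.cur
    def cwd(self, path):
        if path == "..":
            path = self.cur.rsplit("/", 1)[0] or "/"
        if path not in self.dirs:
            raise ftplib.error_perm("550 No such file or directory")
        self.cur = path

if __name__ == "__main__":
    import getpass, sys
    if len(sys.argv) == 3:                # usage: script.py HOST USER
        ftp = ftplib.FTP(sys.argv[1], timeout=10)
        ftp.login(sys.argv[2], getpass.getpass())  # sent in clear text, like any FTP login
    else:                                 # no arguments: offline demo on constructed data
        ftp = FakeFTP("/home/e-smith/files/ibays/ibay", ["/etc", "/home/e-smith"])
    for line in check_chroot(ftp) or ["session appears confined to its chroot"]:
        print(line)
```

Run it with the server name and the user from step 4 as arguments; an empty result means the login landed in "/" and none of the probes left it.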

Security Implications

  • ftp passes usernames and passwords over the internet in plain text; therefore, enabling ftp access from the internet using passwords is a security risk.
  • I am unaware of any security impact from installing smeserver-remoteuseraccess