How to jail FTP users into their home directory

  • Yesterday I tried to set up an FTP server for internal use. We have a lot of mobile devices around in the 24.000 pallets warehouse, they are all connected via WLAN and some of them are of different make. We are running a self-developed app to connect to an internal SQL server and they sometimes need an update, but they have to pick it up using different accounts. So I need to jail them into their own directory.


    That had me ripping out the small amount of remaining hair until I found a way to do that, and now I'm wondering if anybody has done it another way.


    At first I tried the "DefaultRoot ~" directive in the parameter window inside the FTP server config, but that did not work. The user always ended up in the /srv/ftp directory (the logfile shows that) even if I activate the use of home directories under user/settings. These home dirs will be created when I add a new user, but proftpd seems to ignore that (or doesn't know about that; possibly the system-wide $HOME setting will not change).
    I added a setting in /etc/default/openmediavault which reads OMV_PROFTPD_DEFAULTROOT="/media/<UUID-OF-RAID>/<sharename>/%u" and that works. But I've read some rumors that future versions of proftpd may not support variables like "%u" anymore.


    Any other ways to do that?

    Homebox: Bitfenix Prodigy Case, ASUS E45M1-I DELUXE ITX, 8GB RAM, 5x 4TB HGST Raid-5 Data, 1x 320GB 2,5" WD Bootdrive via eSATA from the backside
    Companybox 1: Standard Midi-Tower, Intel S3420 MoBo, Xeon 3450 CPU, 16GB RAM, 5x 2TB Seagate Data, 1x 80GB Samsung Bootdrive - testing for iSCSI to ESXi-Hosts
    Companybox 2: 19" Rackservercase 4HE, Intel S975XBX2 MoBo, C2D@2200MHz, 8GB RAM, HP P212 Raidcontroller, 4x 1TB WD Raid-0 Data, 80GB Samsung Bootdrive, Intel 1000Pro DualPort (Bonded in a VLAN) - Temp-NFS-storage for ESXi-Hosts

  • Hmmm.... I didn't mention permissions, they are set correctly for each home directory and when a user connects via FTP into his home dir he can up- and download and so on.


    I am interested to know if there is another way to lead every user automatically into his home dir other than using %u with the DefaultRoot directive without the need to step forward into the right directory.


  • You can define a share to be a home folder for all OMV interface users.


    That's what I already had defined before I started to find a way to chroot them.


    Ok. A little bit more digging indicates that instead of the whole path you can use ~ at DefaultChroot and the users will be chrooted into their home dirs.


    Did you try that on your system and it works? Interesting... on mine it didn't. The simple use of "DefaultRoot ~" leads the users to /srv/ftp.


  • Yes, please. I tried that by inserting the command in the web-gui under ftp where you can insert extra options and by inserting it in the openmediavault file as described above. Neither way worked.
    Commands inserted in the extra options are directly transferred to the proftpd.conf file. I have "ServerIdent Off" in the extra options and this can be found in the conf-file, too.


    • Official post

    You have to add the env variable OMV_PROFTPD_DEFAULTROOT="~" at the default location for omv, then enable/disable or make a change in the webUI, and omv reloads and rewrites the proftpd.conf.


    Take into consideration:
    - you don't have to add the users' home folder as a share
    - any share you add to ftp will be displayed inside their home folders. That's normal because in this case proftpd is using multiple chroots for each user.
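    As an added example that is not part of this thread and not openmediavault's own tooling, the POSIX shell script below checks the pieces discussed in this post: whether the generated proftpd.conf actually carries a DefaultRoot directive (without one, logins land in the global root, as the thread saw with /srv/ftp), whether the defaults file sets OMV_PROFTPD_DEFAULTROOT in the double-quoted form, and whether a chroot target directory is world-writable. The file names /etc/default/openmediavault and proftpd.conf and the variable name come from the thread; the function names and the sample files are assumptions of the example. The quotes matter for a concrete reason: the defaults file is read as shell variable assignments, and an unquoted `~` is tilde-expanded by the shell to a home directory before proftpd ever sees it, which is the likely explanation for the bare form not taking effect.

```shell
#!/bin/sh
# Added example (not from the thread or the openmediavault project): checks
# for the proftpd chroot setup discussed above. Function names and the sample
# files below are assumptions of this example.

# Print the value of the first active DefaultRoot directive in a proftpd.conf.
# Returns 1 when there is none: users then land in the global document root
# instead of being confined to their home directory.
proftpd_defaultroot() {
    awk '
        /^[[:space:]]*#/ { next }                          # skip comment lines
        tolower($1) == "defaultroot" { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the value of OMV_PROFTPD_DEFAULTROOT from the defaults file.
# Only the double-quoted form counts, because the file is sourced as shell
# and an unquoted ~ would be tilde-expanded instead of kept literally.
# Returns 1 when the variable is missing or unquoted.
omv_defaultroot_var() {
    sed -n 's/^OMV_PROFTPD_DEFAULTROOT="\([^"]*\)"[[:space:]]*$/\1/p' "$1" \
        | head -n 1 | grep .
}

# Set OMV_PROFTPD_DEFAULTROOT="<value>" in the defaults file, replacing any
# existing assignment. The content is written back with cat rather than mv so
# the file keeps its mode and ownership.
set_omv_defaultroot() {
    file=$1
    value=$2
    tmp=$(mktemp) || return 1
    grep -v '^OMV_PROFTPD_DEFAULTROOT=' "$file" > "$tmp" 2>/dev/null || true
    printf 'OMV_PROFTPD_DEFAULTROOT="%s"\n' "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Return 0 only when a chroot target exists and is not world-writable; a
# world-writable chroot lets any local account plant files that FTP users see.
chroot_dir_is_sane() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -002 -print)" ]
}

# Demonstration on constructed sample files in a temporary directory.
demo=$(mktemp -d)
printf 'ServerIdent Off\nDefaultRoot ~\n' > "$demo/proftpd.conf"
printf 'OMV_PROFTPD_DEFAULTROOT=~\n' > "$demo/openmediavault"   # the unquoted mistake

if root=$(proftpd_defaultroot "$demo/proftpd.conf"); then
    echo "proftpd.conf: DefaultRoot $root"
else
    echo "proftpd.conf: no DefaultRoot, logins are not confined"
fi
omv_defaultroot_var "$demo/openmediavault" >/dev/null \
    || echo "defaults file: variable missing or not double-quoted"
set_omv_defaultroot "$demo/openmediavault" '~'
echo "defaults file now sets: $(omv_defaultroot_var "$demo/openmediavault")"
rm -rf "$demo"
```

Run it as a normal user to exercise the sample files; pointed at the real /etc/default/openmediavault and /etc/proftpd/proftpd.conf it only reads, except for set_omv_defaultroot, which rewrites the defaults file and therefore needs root. After changing the variable, the proftpd.conf still has to be regenerated by OMV, as the post above describes, before proftpd_defaultroot will report the new value.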

  • You have to add the env variable OMV_PROFTPD_DEFAULTROOT="~" at the default location for omv, then enable/disable or make a change in the webUI, and omv reloads and rewrites the proftpd.conf.


    Sorry, I forgot to tell that it is working now. I forgot to use the double quotation marks... :rolleyes:


  • Guess that's solved then.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!
