# limiting user access: sftp/scp, ssh, cgi

## xpunkrockryanx

hello all,

i'm looking for some assistance in securing a server i have. it performs a number of functions for me personally, and i also have a number of local user accounts for friends/acquaintances to host personal web sites. some of these users i trust, some of them i don't. in the past, i used proftpd to jail the user to their home directory and then set their shell to /usr/bin/passwd (which i added to /etc/shells) so that they could ssh to change their password, but weren't allowed shell access. well now i'm getting rid of plain text ftp except for anon access in exchange for sftp/scp which leads me to a few questions:

how can i jail users into their home directory so that they can't read any files outside of it?

i've heard of the scponly shell to give them sftp/scp access, but not let them login. the gentoo ebuild seems to be masked at this point. any thoughts on this method, and when might the ebuild be unmasked? where should i look to find out how to install ebuilds that are masked?

php and perl are installed on this server. i don't want users to be able to write scripts that would be able to run with apache permissions to read other system files. how could this be accomplished?

how else should i keep untrusted users from having more than ftp access to their home directories?

thanks so much,

ryan

----------

## slartibartfasz

*xpunkrockryanx wrote:*

> php and perl are installed on this server. i don't want users to be able to write scripts that would be able to run with apache permissions to read other system files. how could this be accomplished?

u can disable all cgi execution for home directories in the http.conf - examples are inside - quite easy...

----------

## eztiger

Are you having a specific problem with ProFTPD? Or are you just wanting (wisely) to move away from plain text passwords wherever possible?

If you just want encryption it might be worth you looking at the 3rd party mod_tls module for Proftpd.

In my (limited) experience of trying to jail users into their home dirs it's very difficult to get right, especially if they want to be able to run programs.

Kev

----------

## xpunkrockryanx

as for cgi execution, i do want the users to be able to execute the cgi's, i just don't want their cgi scripts to have access to read files that their user account doesn't have access to.

the reason for switching away from proftpd is simply to eliminate cleartext password tools. maybe i'll look into this mod_tls. does anybody have experience with this module?

as for jailing the users, there are some users that i trust and would give shell access to. these users don't need to be jailed. there are some other users that i don't trust, and wouldn't give shell access to. these are the ones that i'd like to jail.

thanks for the suggestions!

-ryan

----------

## kashani

I'd just compile scponly yourself and install it. It's a fairly simple package and I know a few people who have been running it for around a year under gentoo.

kashani

----------

## xpunkrockryanx

does the ssh suite have any way in itself to disallow sftp/scp access to directories outside the users home directory? i want to accomplish something similar to how i had proftpd set up where users with shell access weren't jailed at all, but users without shell access couldn't leave their home directory.

----------

## magnet

you can hardly do that, since a shell account needs access to various files over the system. maybe the option 'restricted' of bash could help you.

----------

## xpunkrockryanx

maybe you misunderstood. the users that *do* have shell access *should* have access to the entire system. i only want to restrict the users *without* shell access to their home directories.

----------

## blakes

http://www.sublimation.org/scponly/#features

It says there:

*Quote:*

> chroot: scponly can chroot to the user's home directory, disallowing access to the rest of the filesystem.

Blake

----------

## uzik

look at 'chroot' in the man pages.

Securing Perl and CGI is very difficult. It's hard to write a completely secure cgi program unless you work at it. Unless you remove perl and cgi completely you can guarantee no vulnerabilities.

disable everything you can.

audit your firewall and disable any access except to specific addresses.

Run something like satan to check for vulnerabilities.

Put untrusted users on their own machine.

Install disk quotas and a program to watch for modification of system files.

Mail logs to another machine for review often using cron.

Good Luck!

----------

## xpunkrockryanx

thanks for the tips! just as a note (and for anybody else's info that might be trying to accomplish the same thing as i was), i was able to get everything working correctly with proftpd running mod_tls. it comes standard with proftpd now, you just have to add the configuration data to the proftpd.conf file yourself.

-ryan
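
The setup described in the post above (ProFTPD with mod_tls, users without shell access kept inside their home directory), as an added example that is not part of the thread: a constructed `proftpd.conf` fragment and a small check that flags a config which still accepts cleartext logins or does not jail users. The file paths, the group name `shellusers` and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the group "shellusers" are assumptions.

# Constructed proftpd.conf fragment: TLS required, non-shell users jailed.
sample_conf() {
cat <<'EOF'
# chroot everyone to their home directory except members of "shellusers"
DefaultRoot ~ !shellusers
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  TLSRequired on
  TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
  TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
  TLSVerifyClient off
</IfModule>
EOF
}

# Print the arguments of the last uncommented occurrence of directive $1 (config on stdin).
directive_value() {
  awk -v d="$1" '{ sub(/#.*/, "") }
    $1 == d { $1 = ""; sub(/^ +/, ""); v = $0 }
    END { print v }'
}

# Read a config on stdin; print one FAIL line per problem, return 1 if any.
audit_conf() {
  conf=$(cat); rc=0
  engine=$(printf '%s\n' "$conf" | directive_value TLSEngine)
  required=$(printf '%s\n' "$conf" | directive_value TLSRequired)
  root=$(printf '%s\n' "$conf" | directive_value DefaultRoot)
  [ "$engine" = "on" ] || { echo "FAIL: TLSEngine is '$engine', TLS is disabled"; rc=1; }
  case "$required" in
    on|ctrl|auth|auth+data) ;;   # login must happen over TLS
    *) echo "FAIL: TLSRequired is '$required', cleartext logins still accepted"; rc=1 ;;
  esac
  case "$root" in
    "~"*) ;;                     # chroot to the home directory
    *) echo "FAIL: DefaultRoot is '$root', users can leave their home directory"; rc=1 ;;
  esac
  return "$rc"
}

sample_conf | audit_conf && echo "sample config: OK"
```

To check a real server, feed it the live file, for example `audit_conf < /etc/proftpd/proftpd.conf`. Directives inside `<IfModule mod_tls.c>` only take effect when the module is actually built in or loaded.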

----------

