  1. #1
    Member bspiller's Avatar
    Join Date
    Jun 2008
    Location
    Paddock Lake, WI
    Posts
    13
    cPanel/Enkompass Access Level

    Root Administrator

    Default Ability to disable SFTP [Case 59374]

    I submitted a support ticket due to issues with users being able to log into SFTP with SSH disabled. They recommended I submit a thread here requesting this feature so it doesn't need to be done by hand on all accounts.

    Can we please get a feature in WHM Manager to specify a shell that does not allow SFTP access?

  2. #2
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: Ability to disable SFTP [Case 59374]

    Quote (originally posted by bspiller):
        I submitted a support ticket due to issues with users being able to log into SFTP with SSH disabled. They recommended I submit a thread here requesting this feature so it doesn't need to be done by hand on all accounts.

        Can we please get a feature in WHM Manager to specify a shell that does not allow SFTP access?

    I have updated the title of this thread to better describe the functionality you desire so others looking for this functionality can vocalize their support or input.

  3. #3
    Member
    Join Date
    Jul 2004
    Posts
    185

    Default re: Ability to disable SFTP [Case 59374]

    Yes, it is disturbing that any user with SFTP access can browse around root level (/) system folders. Is there really no way currently of stopping this, short of disabling FTP/SSH altogether?

  4. #4
    Registered User
    Join Date
    Dec 2004
    Posts
    4

    Default re: Ability to disable SFTP [Case 59374]

    I just discovered that SFTP users can go above the home directory and browse all root level system folders. I thought disabling shell access for the account would stop it, but it didn't.

    What we would like is simply to keep all FTP/SFTP access to the user's account, as well as SSH access, if enabled.

  5. #5
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: Ability to disable SFTP [Case 59374]

    Quote (originally posted by dmwalk):
        I just discovered that SFTP users can go above the home directory and browse all root level system folders. I thought disabling shell access for the account would stop it, but it didn't.

        What we would like is simply to keep all FTP/SFTP access to the user's account, as well as SSH access, if enabled.

    The system (SFTP) user is unable to read, write or execute any file they are not given permission to (regardless of ability to read a directory's contents). Additionally, this ability for system users to traverse above their home directory has been a function of *nix systems for decades.

  6. #6
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Jun 2010
    Location
    Canary Island - Spain
    Posts
    26
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default re: Ability to disable SFTP [Case 59374]

    You can use chroot to limit sftp access to home accounts or disable username/password authentication and generate RSA Keys only for authorized users.
    Alejandro Galtier Hernández, CEO, VCP410, VCP510
    VPS Windows,VPS Linux,Enkompass VPS,cPanel VPS,vSphere 5 VPS

  7. #7
    Member
    Join Date
    Jul 2011
    Posts
    6

    Default re: Ability to disable SFTP [Case 59374]

    cPanel, I also wish that my clients using sftp would not have the ability to go beyond their home directory. Yes, they can't make changes, but they sure can download the files like /etc/passwd, config files to see which ports are being used, and others. This is not an easy thing for any server admin to swallow.

    As to your statement that this "has been a function of *nix systems for decades": that should not be your only answer. I would hope that after decades we would find a better solution.

    Anyways, I think there is.
    Jailkit

    I have used ISPConfig before with Jailkit, which does exactly that. When creating the user it adds some info to their home directory.

    Code:
        user:x:5001:5001::/var/www/clients/client0/web1/./home/user:/usr/sbin/jk_chrootsh

    This allows me to log in with sftp, but I cannot see or change directories beyond "/var/www/clients/client0/web1/"; instead it just shows as "/", as if that is all there is to my account.

    So instead of seeing this

    Code:
        /var/www/clients/client0/web1/
        /var/www/clients/client0/web1/public_html
        /var/www/clients/client0/web1/public_html/index.html

    I see this

    Code:
        /
        /public_html
        /public_html/index.html

    I hope this helps and maybe we can have this feature in the future.

    Thanks
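
The passwd entry in the post above relies on Jailkit's convention that the `/./` in the home field separates the jail root from the home directory inside the jail, and that `jk_chrootsh` is the login shell. The following is an added example, not part of the original post or of Jailkit or cPanel: it parses such entries, reproduces the jailed path view shown in the post, and lists accounts that are not jailed. The `alice` and `bob` lines and all function names are constructed for illustration.

```python
"""Added example: read Jailkit-style passwd entries and compute the jailed view."""
import posixpath

JAIL_SHELL = "/usr/sbin/jk_chrootsh"  # shell used in the entry from the post
JAIL_MARK = "/./"                     # splits jail root from the home inside it

# Constructed sample: line 1 is the entry from the post, the rest are made up.
SAMPLE_PASSWD = """\
user:x:5001:5001::/var/www/clients/client0/web1/./home/user:/usr/sbin/jk_chrootsh
alice:x:5002:5002::/home/alice:/bin/bash
bob:x:5003:5003::/home/bob/./:/bin/bash
"""

def parse_entry(line):
    """Split one passwd line and work out whether the account is jailed."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields: %r" % line)
    name, home, shell = fields[0], fields[5], fields[6]
    jail_root, mark, inner = home.partition(JAIL_MARK)
    # Both parts are needed: the marker alone does nothing under a normal shell.
    jailed = bool(mark) and shell == JAIL_SHELL
    return {"name": name, "shell": shell, "jailed": jailed,
            "jail_root": jail_root if jailed else None,
            "home_in_jail": "/" + inner if jailed else None}

def jailed_view(entry, real_path):
    """Return the path as the account sees it, or None if it is outside the jail."""
    path = posixpath.normpath(real_path)  # lexical only, symlinks are not resolved
    if not entry["jailed"]:
        return path                       # unjailed accounts see the real tree
    root = entry["jail_root"]
    if path == root:
        return "/"
    if path.startswith(root + "/"):
        return path[len(root):]
    return None

def unjailed_accounts(passwd_text):
    """List account names that would see the whole filesystem."""
    entries = [parse_entry(l) for l in passwd_text.splitlines() if l.strip()]
    return [e["name"] for e in entries if not e["jailed"]]

if __name__ == "__main__":
    user = parse_entry(SAMPLE_PASSWD.splitlines()[0])
    for p in ("/var/www/clients/client0/web1/public_html/index.html", "/etc/passwd"):
        print(p, "->", jailed_view(user, p))
    print("not jailed:", unjailed_accounts(SAMPLE_PASSWD))
```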

  8. #8
    Member monarobase's Avatar
    Join Date
    Jan 2010
    Location
    France
    Posts
    387
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: Ability to disable SFTP [Case 59374]

    +1 this should make things easier for SFTP users to understand as it acts the same as FTP.

  9. #9
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: Ability to disable SFTP [Case 59374]

    So essentially you don't want SFTP disabled entirely (like the title of this thread implies), just jail it so users cannot go above their home directory?

  10. #10
    Member bspiller's Avatar
    Join Date
    Jun 2008
    Location
    Paddock Lake, WI
    Posts
    13
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: Ability to disable SFTP [Case 59374]

    Quote (originally posted by cPanelDavidG):
        So essentially you don't want SFTP disabled entirely (like the title of this thread implies), just jail it so users cannot go above their home directory?

    That would work.

  11. #11
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Apr 2003
    Location
    Houston, TX
    Posts
    378
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: Ability to disable SFTP [Case 59374]

    +1 for jailing sftp

  12. #12
    Member monarobase's Avatar
    Join Date
    Jan 2010
    Location
    France
    Posts
    387
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: Ability to disable SFTP [Case 59374]

    I too like the idea of jailing SFTP, once jailed I do not see the need / point of actually disabling it.

  13. #13
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: Ability to disable SFTP [Case 59374]

    Quote (originally posted by jack01):
        Yes, it is disturbing that any user with SFTP access can browse around root level (/) system folders. Is there really no way currently of stopping this, short of disabling FTP/SSH altogether?

    Following up with this, switching shell access from None to Jailed will prevent this. Admittedly, this is not an intuitive solution.

  14. #14
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default re: Ability to disable SFTP [Case 59374]

    Quote (originally posted by spadmin):
        Jailkit

    So, basically jailed shell but limited further to just allow SFTP commands. Or is there some additional benefit I inadvertently overlooked with this system?

  15. #15
    Member
    Join Date
    May 2011
    Posts
    9

    Default re: Ability to disable SFTP [Case 59374]

    I wonder about SFTP access to the same jailed space configured by Webdisk. Customers just demand a place to put their files, but most of them reject Webdisk. They insist on using SFTP so they can use their own programs.
    Maybe add another port to Webdisk, to allow SFTP access to the same space.
