FTP Accounts/File users

Discussion in 'Database Discussions' started by Machiavelli, Jul 5, 2005.

  1. Machiavelli

    Alright, I am fairly new to working with file users/permissions. I talked to a pal of mine who owns a server, and he explained some things to me, but he doesn't know how it all works in a Cpanel controlled environment. What I am trying to do is create FTP users that have their own directory, but are not able to read the files in my main public_html folder, but I'm not sure how to change their permissions. I don't want the people that I have given directories to, to be able to view my own files in the public_html and steal my Database connection info, or any of my own sensitive files. So how can I change the permissions for these FTP users, so that they cannot even read any directory but their own? Thanks in advance for the help.
     
  2. dalem

    FTP Account Maintenance

    Add FTP Account and place the folder name you want them to have access to
     
  3. Machiavelli

    ...

    You're a genius. I think a trained ape could figure that out. My point is, that even when I have restricted them to their own folder, they can still use PHP file functions to read my top level files. -_-
     
  4. chirpy

    Not much at all that you can do about that as all scripts running under the same cPanel account will run under the same unix username.
     
  5. Machiavelli

    Are you sure about that?

    Because when I create a different FTP account with a restricted folder, it creates a different user, who doesn't have full rights on the top level files, but can still read them. So I don't think that all of my files are running under the same unix username.
     
  6. lloyd_tennison

    System/cPanel/unix user - NOT FTP username. In other words, /home/Cpanelusername/public_html

    For an FTP user it would be /home/Cpanelusername/public_html/ftpusername

    A quick tip if uncertain - the cPanel login is always the username for the entire domain - that is what Chirpy is talking about with scripts.
     
  7. Machiavelli

    ...-_-

    Look, I don't care about the paths to my files. I don't care about my Cpanel username.

    All I am trying to ask, is how I can change the permissions on the unix users for each of my FTP accounts. And I know that I can limit them to a folder, but that still does not take away their read access on my public_html files, so they can use PHP file functions to steal the contents of my own files, such as my Database connection info, or any other sensitive files I have.
     
  8. Machiavelli

    Ok, how about this...

    How can I add all of my FTP users, aside from the main, clearly, into a unix "group"? Then I will easily know how to change the permissions accordingly. Does anybody know that?
     
  9. linux-image

    =============================================
    You're a genius. I think a trained ape could figure that out. My point is, that even when I have restricted them to their own folder, they can still use PHP file functions to read my top level files. -_-
    =============================================
    too bad :eek:

    =============================================
    Not much at all that you can do about that as all scripts running under the same cPanel account will run under the same unix username.
    =============================================
    this is the only answer appropriate.

    =============================================
    Because when I create a different FTP account with a restricted folder, it creates a different user, who doesn't have full rights on the top level files, but can still read them. So I don't think that all of my files are running under the same unix username.
    =============================================
    Wrong! When you create an FTP account with username "test@hello.com" inside your domain "hello.com" with username "hello" inside cPanel, all the files inside the /home/www/hello folder will have permission as "hello".

    It is true that you have created a username with limited upload access, but not limited read access. In fact, the fact that your newly created username has the domain name "hello.com" attached at its tail shows that it can access the files inside hello.com.

    =============================================
    Look, I don't care about the paths to my files. I don't care about my Cpanel username.
    =============================================
    That doesn't look like a request for suggestion or help, rather an order! :rolleyes:

    =============================================
    how I can change the permissions on the unix users for each of my FTP accounts. And I know that I can limit them to a folder, but that still does not take away their read access on my public_html files, so they can use PHP file functions to steal the contents of my own files, such as my Database connection info, or any other sensitive files I have.
    =============================================
    As already mentioned, nothing can be done about it, since the username for files inside the FTP folder of the newly created user and the main files of your domain are the same.
     
  10. chirpy

    As linux-image has said, you can't, and the explanations that you dismiss are the reasons why within the context of the cPanel configuration.
     
  11. Machiavelli

    Great

    So in other words, Cpanel is completely insecure. Great software here, the users don't even have the ability to stop the restricted FTP accounts from stealing their files. You'd think that if they were going to design something to limit FTP access to a folder, they'd actually *gasp* limit it, instead of just putting up an insecure block that a monkey could find its way around.
     
  12. chirpy

    cPanel is not all singing all dancing. If you have very specific requirements then you're going to have to look at doing such things at an OS level rather than through a control panel. You appear to have missed the issue somewhat, though. Even if you could restrict FTP access, this would not solve your problem as someone could upload a script that accesses the rest of the site. That's simply how apache works (which cares nothing of FTP users) where the daemon through the virtualhost must have equal access to all files within a directory tree.

    As to insecurity, welcome to the world of shared webhosting. It is by its nature both insecure and a rabbit warren of holes, but that's the risk you run having a disparate group of people on a single server. The only way around that is to look into VPS systems and the such like.
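
Added example (not part of the original thread and not cPanel's code): a small audit that applies the owner/group/other mode-bit check the replies above rely on, listing which files outside an FTP sub-directory a script running under a given Unix uid could read. The directory layout, file names and the `exposed_files` helper are constructed for illustration; ACLs and root's permission bypass are not modelled.

```python
import os
import stat
import tempfile

def _allowed(st, uid, gids, want):
    """Classic Unix check: pick the owner, group or other triplet, test its bits."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want

def exposed_files(account_home, ftp_dir, uid, gids=()):
    """Regular files outside ftp_dir that a process with this uid/gids can read."""
    account_home, ftp_dir = os.path.realpath(account_home), os.path.realpath(ftp_dir)
    found = []
    for root, dirs, files in os.walk(account_home):
        # Skip the FTP area itself; descend only where the identity has r+x (5).
        dirs[:] = [d for d in dirs
                   if os.path.join(root, d) != ftp_dir
                   and _allowed(os.lstat(os.path.join(root, d)), uid, gids, 5)]
        for name in files:
            st = os.lstat(os.path.join(root, name))
            if stat.S_ISREG(st.st_mode) and _allowed(st, uid, gids, 4):
                found.append(os.path.relpath(os.path.join(root, name), account_home))
    return sorted(found)

def build_demo_tree():
    """Constructed sample layout: one account home with an FTP sub-directory."""
    home = tempfile.mkdtemp()
    ftp_dir = os.path.join(home, "public_html", "ftpuser")
    os.makedirs(ftp_dir)
    for rel, mode in [("public_html/config.php", 0o600),   # "owner only"
                      ("public_html/index.php", 0o644),
                      ("public_html/ftpuser/upload.php", 0o644)]:
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    for d in (os.path.join(home, "public_html"), ftp_dir):
        os.chmod(d, 0o755)
    return home, ftp_dir

if __name__ == "__main__":
    home, ftp_dir = build_demo_tree()
    owner = os.stat(home).st_uid
    # A script in ftp_dir executed under the account's own uid:
    print("same uid as the account:", exposed_files(home, ftp_dir, owner))
    # The same script under a separate uid that shares no group:
    print("separate uid, no shared group:", exposed_files(home, ftp_dir, owner + 1))
```

On the demo tree, the same-uid case still lists config.php despite its 0600 mode, while a separate uid sees only the world-readable index.php.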
     
  13. Machiavelli

    ...

    ...-_- Glad to see you've been paying attention...that is exactly what I have been saying, and trying to find a fix for. -_-

    God damn.
     
    #13 Machiavelli, Jul 6, 2005
    Last edited: Jul 6, 2005
  14. rlueth

    Try this:
    Create an ftpuser in cPanel, shell in as root, and cd into a (your) privileged user account's /home.
    cat > .htaccess [enter]
    AddType text/html php
    ^C (Ctrl + C)
    ln -s /home/privileged_user/.htaccess /home/targetacct/public_html/ftpuser/.htaccess [enter]
    cd /home/targetacct/public_html/ftpuser/
    chown privileged_user .htaccess
    chmod 0744 .htaccess
    This will disable PHP for ftpuser.
    Might work, if you can lock the .htaccess file?

    Better to edit httpd.conf and add something like this between the <VirtualHost>

    <Location /ftpuser>
    AddType text/html .php
    </Location>

    </VirtualHost>
    Restart Apache.

    http://httpd.apache.org/docs/mod/mod_mime.html#addtype

    Regards...
     
    #14 rlueth, Jul 6, 2005
    Last edited: Jul 6, 2005
  15. chirpy

    I don't see how that would prevent the unprivileged user from writing a simple script to read the rest of the files on the site. A .htaccess file won't prevent that.
     
  16. rlueth

    chirpy, hi,

    Perhaps .htaccess is not the ideal way to deal with this; however, Apache has many directives
    to control directory security. Try this:

    <VirtualHost 192.168.0.1>
    ServerAlias www.domain.com domain.com
    ServerAdmin webmaster@domain.com
    DocumentRoot /usr/home/domain/public_html
    BytesLog domlogs/domain.com-bytes_log
    ServerName www.domain.com
    User domain
    Group domain
    CustomLog domlogs/domain.com combined
    ScriptAlias /cgi-bin/ /usr/home/domain/public_html/cgi-bin/
    <Location /ftpuser>
    Options None
    AddType text/html .php
    </Location>
    </VirtualHost>
    Here I use <Location> Options None, AddType text/html .php </Location>
    to disable CGI and PHP; I set Options to None. No scripting should run.

    I can't see how the user is now going to be running scripts out of this directory?
    And in a chrooted FTP shell, how can a non-privileged user now do anything?
    The reason I went for the .htaccess is an old habit formed from lack of "root".

    Regards..
     
    #16 rlueth, Jul 7, 2005
    Last edited: Jul 7, 2005
  17. linux-image

  18. rlueth

    Sure, But it will not parse php script.
     
  19. chirpy

    I didn't get the impression from the OP (if it was the OP) that they also wanted to prevent the script execution completely in the FTP area. If they did want to prevent that, then sure, that's perfectly doable, if they didn't, then your idea obviously would not work.
     
  20. sime

    Well, Machiavelli was no Einstein.
     