
FTP Accounts - Using symlinks and bind mounts to control folder access - Best practices? Use fstab?

Discussion in 'Security' started by pkiff, Apr 28, 2014.

  1. pkiff

    pkiff Member

    I would like to create an FTP account that allows a user to access two sub-folders, one within the public_html folder, and the other outside of it, like this:
    /home/[cPanel-account]/public_html/subfolder-1
    /home/[cPanel-account]/not_public/subfolder-2

    I found these instructions:
    http://www.ducea.com/2006/07/27/allowing-ftp-access-to-files-outside-the-home-directory-chroot/
    Allowing FTP access to files outside the home directory chroot - MDLog:/sysadmin

    So I've created matching subfolders within the FTP user's assigned FTP folder, so the folder structure the FTP user sees is something like this:
    /home/[cPanel-account]/ftp_user/[FTP-user-account]/subfolder-1
    /home/[cPanel-account]/ftp_user/[FTP-user-account]/subfolder-2

    And I've used the MOUNT command to create mount points that point from .../public_html/subfolder-1 to .../[FTP-user-account]/subfolder-1 and from .../public_html/subfolder-2 to .../[FTP-user-account]/subfolder-2.

    And this seems to work the way I want.

    But, these mount points currently need to be recreated whenever the server is rebooted. I understand that I need to edit ~/etc/fstab if I want these mount points to be permanent.

    Before fiddling with the fstab file, I'm looking for advice on whether there is a better way to do this. Also, I wonder if this opens up unnecessary security holes.

    Lastly, I think I need some tips on managing the fstab file. I see that cPanel currently has several other files related to fstab (fstab,v and fstab.quotas) and these look like they are generated automatically. Do I need to touch these if I want my Mounts to be permanent and survive reboots?

    My environment:
    VPS running within a XEN platform
    CentOS 6.x
    WHM 11.4x
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member


    Hello :)

    The 'virtual chroot' feature of Pure-FTPd is now disabled by default. Thus, chroot becomes "/" for symlinks. For example, a symlink to /etc will now point to /home/$username/public_html/ftpuser/etc. One alternative to symbolic links is to use bind mounts, which is what the URL you referenced is explaining. Note the files you referenced are not managed by cPanel, and are OS files. You may need to check with your VPS provider or its software documentation to determine how to ensure those mounts are preserved.

    Thank you.
     
  3. pkiff

    pkiff Member


    OK. So I gather that you don't have another suggestion for how to do this, and there is no way to configure an FTP account this way (i.e. with access to two subfolders, one within public_html and the other above it) using just the cPanel interface. Fair enough.

    For other users who happen upon this thread looking for a solution to this problem, I'll note that the "fstab,v" and "fstab.quotas" are backup files or leftover detritus that can be safely ignored when editing the fstab file itself. Also, it seems possible that in some cPanel configurations, when you use bind mounts this way, some non-root cPanel users may be able to discover that such bind mounted folders exist in certain system displays - though they would/should not be able to actually view the contents of any of them. I remain unclear on whether there are additional security issues associated with this solution, and am not quite sure if such mounted folders are in fact visible to non-root users.
     
  4. pkiff

    pkiff Member


    Just a quick follow-up to this, in case other people find this thread via search and try to use this method. In a default configuration, WHM will create new accounts not only in the default /home folder, but also in ANY folder that includes the word home. If it finds more than one folder with the word home in it, then it will use the one with the most space available.

    I have discovered that WHM treats these bind mounts as though they are potential home directories, and therefore you may end up with new accounts being created inside them. This may also lead to some weirdness when backup or other files are saved to "home" account folders. The basic problem is that because these bind mounts include "home" in their path, then they are mistakenly treated as separate home folders. See this thread for another example (not caused by bind mounts):
    New accounts are created in wrong directory
    http://forums.cpanel.net/f5/new-accounts-created-wrong-directory-207511.html

    To avoid this, you can follow the instructions in that thread: change the HOMEMATCH setting in the /etc/wwwacct.conf or use the WHM interface and leave the "Additional home directories..." section blank in the WHM > Basic cPanel & WHM Setup area.
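
Added example, not part of any post in this thread: a shell audit that lists the bind mounts in an fstab-format file and flags those whose mount point contains the HOMEMATCH string from /etc/wwwacct.conf, the condition the last post describes. The account name `acct`, the FTP user `ftpuser`, the sample file contents and the plain substring match (a simplification of how WHM selects home directories) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit fstab bind mounts against cPanel's HOMEMATCH setting.

# Constructed sample data. "acct" and "ftpuser" are placeholder names.
SAMPLE_FSTAB='# <source> <mount point> <type> <options> <dump> <pass>
/dev/xvda1 / ext4 defaults 1 1
/home/acct/public_html/subfolder-1 /home/acct/ftp_user/ftpuser/subfolder-1 none bind 0 0
/home/acct/not_public/subfolder-2 /home/acct/ftp_user/ftpuser/subfolder-2 none bind 0 0
/srv/shared /mnt/ftpshare none bind 0 0'

SAMPLE_WWWACCT='HOMEDIR /home
HOMEMATCH home'

# Print the HOMEMATCH value from wwwacct.conf-format text on stdin
# (prints an empty line if the setting is blank, nothing if it is absent).
homematch_value() {
    awk '$1 == "HOMEMATCH" { print $2; exit }'
}

# Print the mount point of every bind mount in fstab-format text on stdin.
bind_mount_points() {
    awk '!/^[[:space:]]*#/ && NF >= 4 {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "bind" || opts[i] == "rbind") { print $2; break }
    }'
}

# List bind mount points whose path contains the HOMEMATCH string.
# $1 = fstab text, $2 = wwwacct.conf text
# Assumption: substring matching approximates WHM's home-directory detection.
risky_bind_mounts() {
    local match
    match=$(printf '%s\n' "$2" | homematch_value)
    [ -z "$match" ] && return 0   # blank HOMEMATCH: nothing can match
    printf '%s\n' "$1" | bind_mount_points | grep -F -- "$match" || true
}

# Run against the constructed samples; on a server, pass the contents of
# /etc/fstab and /etc/wwwacct.conf instead.
risky_bind_mounts "$SAMPLE_FSTAB" "$SAMPLE_WWWACCT"
```

With the sample data the two mount points under /home/acct/ftp_user are flagged and /mnt/ftpshare is not; with HOMEMATCH left blank nothing is flagged.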
     