FTP lockdown

[ca2236]

Hi

We have a customer that has a handful of ftp accounts that are setup with a home directory of a particular user. From our testing, it seems that the ftp users are jailed to that directory. This is good and desired behavior. However, we have a request from our customer to keep the ftp accounts from being able to delete files in the home directory (while retaining the main ftp account's ability to delete anything)

In my test. I created a test file with the permissions of 500 (rw). However, the ftp account that I tested with was able to still delete the file. Is it possible to create this setup? I wasn't for sure since the ftp accounts don't seem to be officially on the system, but are virtual users in some way.

I'm using pure-ftpd. In additional tests, I found that when a virtual user uploads a file, it is owned by the primary user. I'm guessing that this is why a virtual user can delete files still with 500 (rw) permission set.

This would also preferably need to be setup per cpanel account and not system wide ideally, as if we get a new customer that might not this particular behavior.

Thanks for your help.

 

[cPRex]

Hey there! There aren't any native tools in cPanel that would provide this functionality. You could change the permissions of the FTP user's directory to 400 so they could only have read access to the entire directory, but for more advanced control I'd recommend submitting a feature request to get this added directly to the product.

 

[ankeshanand]

Hey there! There aren't any native tools in cPanel that would provide this functionality. You could change the permissions of the FTP user's directory to 400 so they could only have read access to the entire directory, but for more advanced control I'd recommend submitting a feature request to get this added directly to the product.

There is a Technical option for Doing so. Follow the Steps Below:

mkdir /etc/vsftpd/vsftpd_user_conf (This will be our Customer config directory for vsftpd)
nano /etc/vsftpd/vsftpd_user_conf/testuser (Name the User you want)
Enter the Things below:

#Disable access to the below command#
cmds_denied=DELE,RMD

grep user_config_dir /etc/vsftpd/vsftpd.conf
Enter this:
user_config_dir=/etc/vsftpd/vsftpd_user_conf

service vsftpd reload
service vsftpd restart

I don't know if it works in cPanel correctly but It works for my Centos7 correctly because I don't know how cPanel adds user accounts and Where. More preferable way is to add a virtual user as given below:

useradd -s /bin/false testuser

Technically, The cPanel accounts should also support custom config but I highly suggest you to take a backup before doing this as its not made for cPanel Services and works with vsftpd Normal Installations.

 

[DHSCOMTR]

Thanks

 

[cPRex]

While there might be workarounds that could get this working, there isn't an officially-supported way to perform that work inside cPanel.