I've been using OS X Server for about a year or so, primarily
hosting small web sites. Up to this point, there has been only one
account on the server...mine...as Server Administrator.
Now, I'd like to be able to establish ftp accounts to allow users to
access their web folder in /Web Server/Documents/Their-Domain-Name.
I've set up a test user. I've provided a Share Point in WorkGroup
to the target web folder. It works.
First, keeping anything user-ish in /Library/WebServer/... is a
foolish idea. Move it to something like /www/... instead. This keeps
users out of /Library, keeps /Library as a "library", and permits you
to separate your ephemeral files from your static files (useful when
doing backups, etc.)
The only thing that bothers me is that user account can navigate up
one level with an FTP client and see the list of other Share Points.
The answer to the question of your subject line is simple: "Yes".
The answer to the latter question immediately above is also "yes".
FTP, being a shell, has traditionally permitted, as all shells have,
a user to view the entire filesystem. What a logged in user gets as
their initial current working directory is another matter, but shells
see the entire filesystem.
This is not a problem, despite the paranoia of many naive sysadmins,
because the filesystem should not permit access to files the user
should not have access to through the traditional POSIX ownership and
permissions model and, on OSen that implement it, ACLs.
Security conscious^H^H^H^H^H^H^H^H^Hparanoid systems managers may
sometimes "jail" or "chroot" a shell, so that the user in question
sees as the filesystem just a subset of the real filesystem. This
generally requires a complete duplication of requisite parts of the
filesystem so the user has a complete working environment. (e.g.
/bin, /usr/bin, ...) But in all cases the user in a shell, be it csh,
bash, ssh or ftp, all see the "whole filesystem" as it exists to the
user.
Now what you did was indeed "correct" in that you properly set things
up and are receiving the expected behavior. What you "want" however
is another matter. You don't want the expected and traditional
behavior that ftp users expect. You want them to see a restricted
view of the filesystem. As others have pointed out this can be
accomplished in various ways.
At 6:03 PM +0200 8/11/06, email@hidden wrote:
This is not true for SFTP. If you use Secure FTP you can cd up a
level even if you have specified that they can only see Home
Directories. I ran into this issue a couple of weeks ago.
"SFTP" is *not* FTP by any measure. SFTP (the ssh tool) is
effectively ssh, which utilizes a full shell and full view of the
filesystem, as expected of a shell or ssh. In order to effect the
poster's desired behavior you need to create a ssh chroot jail, which
is a huge waste of time, effort and disk space.
And BTW, technically SFTP is in actuality not Secure FTP (SFTP is a
misnomer), as SFTP is defined to be the Simple File Transfer
Protocol, RFC 913 ;)
There's also FTP over ssh and FTPS
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.ustsvs.com/
email@hidden http://www.iwiring.net/
1-714-363-1174
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
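
Added example, not part of the original message: a Python check of the point made above that POSIX permissions, rather than a restricted view, are what keep one FTP account out of another's site folder. It assumes one directory per site under a base such as /www, owned by the site's user with the web server's group, so the "other" bits should be clear; that layout, the function name and the problem labels are assumptions.

```python
import os
import stat
import sys


def audit_site_roots(base):
    """Return (path, problem) pairs for site folders open to other accounts."""
    findings = []
    for name in sorted(os.listdir(base)):
        root = os.path.join(base, name)
        st = os.lstat(root)
        if not stat.S_ISDIR(st.st_mode):
            continue  # only per-site directories are audited
        mode = stat.S_IMODE(st.st_mode)
        if not mode & stat.S_IXOTH:
            # Without search (x) permission for "other", nothing below this
            # folder can be opened by path, whatever the inner modes are.
            if mode & stat.S_IROTH:
                findings.append((root, "names-listable"))
            continue
        findings.append((root, "traversable"))
        for dirpath, dirnames, filenames in os.walk(root):
            for entry in sorted(dirnames + filenames):
                path = os.path.join(dirpath, entry)
                est = os.lstat(path)
                if stat.S_ISLNK(est.st_mode):
                    continue  # symlink modes are not meaningful
                if stat.S_IMODE(est.st_mode) & stat.S_IWOTH:
                    findings.append((path, "world-writable"))
    return findings


if __name__ == "__main__":
    # /www is the location suggested in the message; pass another base as argv[1].
    base = sys.argv[1] if len(sys.argv) > 1 else "/www"
    for path, problem in audit_site_roots(base):
        print("%-16s %s" % (problem, path))
```

An empty result means a user who navigates up a level can see that the other site folders exist but cannot enter or list them.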