Difference between revisions of "FTP Access to Ibays"

From SME Server
Jump to navigationJump to search
 
(10 intermediate revisions by 6 users not shown)
Line 1: Line 1:
== '''IMPORTANT NOTE about group access to ftp sites''' ==
+
{{Note box|msg='''About group access to ftp sites'''
As of 6/5/7 SME automatically adds any 'group' you create to /etc/ftpusers - thereby ''denying'' ftp access to that group.
+
As of 6/5/7 SME Server automatically adds any 'group' you create to /etc/ftpusers - thereby ''denying'' ftp access to that group.
* bugzilla: http://bugs.contribs.org/show_bug.cgi?id=3043
+
 
 +
I do not know if this behavior is by design, or by accident.
 +
 
 +
In order to enable group-based ftp access to your system you will need to change the default behavior.
 +
 
 +
* bugzilla: [[bugzilla:3043]]
 
* Workaround (french, but easy to understand): http://forums.contribs.org/index.php?topic=37168.0
 
* Workaround (french, but easy to understand): http://forums.contribs.org/index.php?topic=37168.0
* Workaround (english): http://forums.contribs.org/index.php?topic=37307.0
+
* Workaround (english): http://forums.contribs.org/index.php?topic=37307.0}}
  
 
== FTP Access to Ibays ==
 
== FTP Access to Ibays ==
Line 15: Line 20:
  
 
=== Procedure ===
 
=== Procedure ===
==== 1. Configure the free dungog repository ====
 
The commands below will configure yum on your SME server to recognize the free dungog repository. As shown here, the repository will not be accessed unless you specifically instruct yum to do so using the "--enablerepo=dungog" directive.
 
{{Repository|dungog}}
 
  
==== 2. Install the smeserver-remoteuseraccess contrib ====
+
==== Install the smeserver-remoteuseraccess contrib ====
  yum --enablerepo=dungog install smeserver-remoteuseraccess
+
  yum --enablerepo=smecontribs install smeserver-remoteuseraccess
 
  signal-event post-upgrade; signal-event reboot
 
  signal-event post-upgrade; signal-event reboot
  
==== 3. Create a security group for the target user and ibay ====
+
==== Create a security group for the target user and ibay ====
 
Using server-manager:Collaboration:Groups:
 
Using server-manager:Collaboration:Groups:
 
* create a new 'Group' for your user and ibay (for example "ibaygroup")
 
* create a new 'Group' for your user and ibay (for example "ibaygroup")
  
==== 4. Create the target user, adding him/her to the group created in step 3 ====
+
==== Create the target user, adding him/her to the group created above ====
 
Using server-manager:Collaboration:Users
 
Using server-manager:Collaboration:Users
 
* create a new user (for example 'ibayuser')
 
* create a new user (for example 'ibayuser')
  
 
During creation
 
During creation
* select the group created in step 3 under 'Group Membership'
+
* select the group created above under 'Group Membership'
  
 
After creation
 
After creation
 
* 'modify' your new user and set a password
 
* 'modify' your new user and set a password
  
==== 5. Create the target ibay, granting read and write access to the group created in step 3 ====
+
==== Create the target ibay, granting read and write access to the group created above ====
 
Using server-manager:Collaboration:Information bays
 
Using server-manager:Collaboration:Information bays
 
* create a new ibay (for example 'ibay')
 
* create a new ibay (for example 'ibay')
* Set the "Group" to the group you created in step 3
+
* Set the "Group" to the group you created above
 
* Set "User access via file sharing or user ftp" to "Write=group, Read=group"
 
* Set "User access via file sharing or user ftp" to "Write=group, Read=group"
 
* Set "Public access via web or anonymous ftp" to "Entire Internet (password required)"
 
* Set "Public access via web or anonymous ftp" to "Entire Internet (password required)"
  
==== 6. Configure the SME ftp service for public access using password authentication ====
+
==== Configure the SME ftp service for public access using password authentication ====
 
Using server-manager:Security:Remote Access
 
Using server-manager:Security:Remote Access
 
* set "FTP access" to "Allow public access (entire Internet)"
 
* set "FTP access" to "Allow public access (entire Internet)"
 
* set "FTP password access" to "Accept passwords from anywhere"
 
* set "FTP password access" to "Accept passwords from anywhere"
 
   
 
   
==== 7. Configure chroot access using smeserver-remoteuseraccess ====
+
==== Configure chroot access using smeserver-remoteuseraccess ====
Using server-manager:Security:User Remote Access (new panel installed in step 2)
+
Using server-manager:Security:User Remote Access (new panel installed above)
* select the user created in step 4
+
* select the user created above
 
* select the desired chroot path in "Select Chroot Path".  The pull-down menu will include all ibays plus links to both <ibayname>/files and <ibayname>/html.
 
* select the desired chroot path in "Select Chroot Path".  The pull-down menu will include all ibays plus links to both <ibayname>/files and <ibayname>/html.
  
If you only want users to be able to access an online ftp file store, select <ibayname>/files.  If you want users to be able to update the html documents for <ibayname>, select <ibayname>/html.  If <ibayname> has "Execution of dynamic content (CGI,PHP,SSI)" enabled, you probably want to selec <ibayname> so that users can upload files to both <ibayname>/html and <ibayname>/cgi-bin.
+
If you only want users to be able to access an online ftp file store, select <ibayname>/files.  If you want users to be able to update the html documents for <ibayname>, select <ibayname>/html.  If <ibayname> has "Execution of dynamic content (CGI,PHP,SSI)" enabled, you probably want to select <ibayname> so that users can upload files to both <ibayname>/html and <ibayname>/cgi-bin.
  
 
=== Security Implications ===
 
=== Security Implications ===
 
* ftp passes usernames and passwords over the internet in plain text; therefore, enabling ftp access from the internet using passwords is a security risk.
 
* ftp passes usernames and passwords over the internet in plain text; therefore, enabling ftp access from the internet using passwords is a security risk.
 
* I am unaware of any security impact simply from installing smeserver-remoteuseraccess, but almost everything you can do with it does have a potential impact on your server's security.
 
* I am unaware of any security impact simply from installing smeserver-remoteuseraccess, but almost everything you can do with it does have a potential impact on your server's security.
 +
* I don't know if groups are added to /etc/ftpusers by design or by accident.  If by design, there is probably a security implication in allowing group access to your FTP sites other than the obvious one (the more people who can access your server insecurely, the worse your security).
 +
 +
=== Uninstall ===
 +
yum remove smeserver-remoteuseraccess
 +
signal-event post-upgrade; signal-event reboot
  
 +
Note the ibays, files, users, and groups created above remain on the server even after this conrib is removed. These will have to be handled according to your local policy.
 
----
 
----
 
[[Category:Howto]]
 
[[Category:Howto]]
 +
[[Category:Administration:Remote Access]]

Latest revision as of 19:35, 28 October 2015

Important.png Note:
About group access to ftp sites

As of 6/5/7 SME Server automatically adds any 'group' you create to /etc/ftpusers - thereby denying ftp access to that group.

I do not know if this behavior is by design, or by accident.

In order to enable group-based ftp access to your system you will need to change the default behavior.


FTP Access to Ibays

Applies to: SME 7.1.3 / smeserver-remoteuseraccess 1.2-12
References: Lots of helpful posts
Author: mmccarn

  • Updated: 6/5/07

Objective

Allow chroot'ed access to a single ibay for a specific non-admin user.

Procedure

Install the smeserver-remoteuseraccess contrib

yum  --enablerepo=smecontribs install smeserver-remoteuseraccess
signal-event post-upgrade; signal-event reboot

Create a security group for the target user and ibay

Using server-manager:Collaboration:Groups:

  • create a new 'Group' for your user and ibay (for example "ibaygroup")

Create the target user, adding him/her to the group created above

Using server-manager:Collaboration:Users

  • create a new user (for example 'ibayuser')

During creation

  • select the group created above under 'Group Membership'

After creation

  • 'modify' your new user and set a password

Create the target ibay, granting read and write access to the group created above

Using server-manager:Collaboration:Information bays

  • create a new ibay (for example 'ibay')
  • Set the "Group" to the group you created above
  • Set "User access via file sharing or user ftp" to "Write=group, Read=group"
  • Set "Public access via web or anonymous ftp" to "Entire Internet (password required)"

Configure the SME ftp service for public access using password authentication

Using server-manager:Security:Remote Access

  • set "FTP access" to "Allow public access (entire Internet)"
  • set "FTP password access" to "Accept passwords from anywhere"

Configure chroot access using smeserver-remoteuseraccess

Using server-manager:Security:User Remote Access (new panel installed above)

  • select the user created above
  • select the desired chroot path in "Select Chroot Path". The pull-down menu will include all ibays plus links to both <ibayname>/files and <ibayname>/html.

If you only want users to be able to access an online ftp file store, select <ibayname>/files. If you want users to be able to update the html documents for <ibayname>, select <ibayname>/html. If <ibayname> has "Execution of dynamic content (CGI,PHP,SSI)" enabled, you probably want to select <ibayname> so that users can upload files to both <ibayname>/html and <ibayname>/cgi-bin.

Security Implications

  • ftp passes usernames and passwords over the internet in plain text; therefore, enabling ftp access from the internet using passwords is a security risk.
  • I am unaware of any security impact simply from installing smeserver-remoteuseraccess, but almost everything you can do with it does have a potential impact on your server's security.
  • I don't know if groups are added to /etc/ftpusers by design or by accident. If by design, there is probably a security implication in allowing group access to your FTP sites other than the obvious one (the more people who can access your server insecurely, the worse your security).

Uninstall

yum remove smeserver-remoteuseraccess
signal-event post-upgrade; signal-event reboot

Note the ibays, files, users, and groups created above remain on the server even after this conrib is removed. These will have to be handled according to your local policy.