FTP Access to Ibays
- 1 FTP Access to Ibays
- 1.1 Objective
- 1.2 Procedure
- 1.2.1 Install the smeserver-remoteuseraccess contrib
- 1.2.2 Create a security group for the target user and ibay
- 1.2.3 Create the target user, adding him/her to the group created above
- 1.2.4 Create the target ibay, granting read and write access to the group created above
- 1.2.5 Configure the SME ftp service for public access using password authentication
- 1.2.6 Configure chroot access using smeserver-remoteuseraccess
- 1.3 Security Implications
FTP Access to Ibays
Applies to: SME 7.1.3 / smeserver-remoteuseraccess 1.2-12
References: Lots of helpful posts
- Updated: 6/5/07
Allow chroot'ed access to a single ibay for a specific non-admin user.
Install the smeserver-remoteuseraccess contrib
yum --enablerepo=smecontribs install smeserver-remoteuseraccess signal-event post-upgrade; signal-event reboot
Create a security group for the target user and ibay
- create a new 'Group' for your user and ibay (for example "ibaygroup")
Create the target user, adding him/her to the group created above
- create a new user (for example 'ibayuser')
- select the group created above under 'Group Membership'
- 'modify' your new user and set a password
Create the target ibay, granting read and write access to the group created above
Using server-manager:Collaboration:Information bays
- create a new ibay (for example 'ibay')
- Set the "Group" to the group you created above
- Set "User access via file sharing or user ftp" to "Write=group, Read=group"
- Set "Public access via web or anonymous ftp" to "Entire Internet (password required)"
Configure the SME ftp service for public access using password authentication
Using server-manager:Security:Remote Access
- set "FTP access" to "Allow public access (entire Internet)"
- set "FTP password access" to "Accept passwords from anywhere"
Configure chroot access using smeserver-remoteuseraccess
Using server-manager:Security:User Remote Access (new panel installed above)
- select the user created above
- select the desired chroot path in "Select Chroot Path". The pull-down menu will include all ibays plus links to both <ibayname>/files and <ibayname>/html.
If you only want users to be able to access an online ftp file store, select <ibayname>/files. If you want users to be able to update the html documents for <ibayname>, select <ibayname>/html. If <ibayname> has "Execution of dynamic content (CGI,PHP,SSI)" enabled, you probably want to select <ibayname> so that users can upload files to both <ibayname>/html and <ibayname>/cgi-bin.
- ftp passes usernames and passwords over the internet in plain text; therefore, enabling ftp access from the internet using passwords is a security risk.
- I am unaware of any security impact simply from installing smeserver-remoteuseraccess, but almost everything you can do with it does have a potential impact on your server's security.
- I don't know if groups are added to /etc/ftpusers by design or by accident. If by design, there is probably a security implication in allowing group access to your FTP sites other than the obvious one (the more people who can access your server insecurely, the worse your security).