There are situations where different classes of user should be limited in different ways. For example, developers working on a site should only be able to see the section they are responsible for, whereas the sysadmins and supervisors need a wider view of the server. This can be accomplished either by setting the $HOME of each user to the most appropriate location on disk, or, more commonly, by using system groups.
I know that you can send (and jail) users to a particular directory based on their group ID by using the DefaultRoot directive, i.e. DefaultRoot ~ webusers. Can you have more than one DefaultRoot defined within the same domain, so that users from group webusers will default (jail) to their own home directory, and another group, fpusers, will default to an empty directory (i.e. /home/blank)?
I am trying to get a group of users with the same gid and separate Unix accounts to have the same chroot'd directory. I have tried several methods and even got it to work with an <anon> block with a Group and several UserAlias directives, but they all then use the primary User password and I want separate passwords. Ideally what I need is:

<Group unixgrp>
DefaultRoot /usr/local/home/ftp/unixgrp
</Group>

whereas this chroot would only apply to members of this group. Any suggestions on accomplishing this? Thanks.

Kyle Tucker wrote:
> Hi,
> I am trying to get a group of users with
> the same gid and separate Unix accounts to have the
> same chroot'd directory. I have tried several methods
> and even got it to work with an <anon> block with a
> Group and several UserAlias directives, but they all
> then use the primary User password and I want separate
> passwords. Ideally what I need is:
>
> <Group unixgrp>
> DefaultRoot /usr/local/home/ftp/unixgrp
> </Group>

Much simpler:

DefaultRoot /usr/local/home/ftp/unixgrp unixgrp

see also: http://www.proftpd.net/docs/configuration.html#DefaultRoot

> whereas this chroot would only apply to members of this
> group.
>
> Any suggestions on accomplishing this? Thanks.
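A worked configuration covering both questions above (one jail per group, and several DefaultRoot directives side by side), added here as an illustration; it is not taken from either poster or from the ProFTPD project. The group names webusers, fpusers and unixgrp, the paths, and the <Directory> block are assumptions. ProFTPD evaluates DefaultRoot directives in order and applies the first one whose group-expression matches the authenticated user, so the most specific line goes first; a comma in the expression means the user must belong to all listed groups, and a leading ! negates a group.

```apache
# /etc/proftpd/proftpd.conf (fragment) -- added example, not from the posts above.
# DefaultRoot is first-match-wins: the first directive whose group-expression
# matches the authenticated user's group membership is applied.

# Members of unixgrp share one chroot (the second question). Each still
# authenticates with their own Unix password; no <Anonymous>/UserAlias needed.
DefaultRoot /usr/local/home/ftp/unixgrp unixgrp

# Members of webusers are jailed to their own home directory (the first question).
DefaultRoot ~ webusers

# fpusers who are not also webusers land in an empty directory.
# "fpusers,!webusers" is an AND: in fpusers and not in webusers.
DefaultRoot /home/blank fpusers,!webusers

# Everyone else: jail to home rather than leaving the whole filesystem visible.
DefaultRoot ~

# /home/blank must exist (assumed root-owned, mode 0755). Denying writes there
# keeps jailed fpusers from populating "their" empty directory.
<Directory /home/blank>
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>
```

Order matters for the check a practitioner should make: a user who is in both unixgrp and webusers hits the unixgrp line first and never reaches "DefaultRoot ~ webusers", so list the exceptions before the general rules and test each class of account after a config reload.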
It looks like for DefaultRoot ~ to work properly the account needs to have an entry in the main password file. Then it logs the person into their home directory. Otherwise a line has to be in the config like:

DefaultRoot /home/parent parent
DefaultRoot /home/parent/child child

to DefaultRoot the person to the proper directory if they are in a separate password file. It would be nice if proftpd could take the directory from the separate password file and DefaultRoot them to that directory.

So to answer, perhaps... if a separate password file is defined in the configuration and "DefaultRoot ~" is set, it should base the chroot on the user's directory in that separate password file. Right now it doesn't look like it uses it for that, unless I have just done something wrong, which is why I asked. My thought is, why fuss with the actual config and not use what's set in the password file? That would allow for a dynamic config that chroots with separate password files, right?
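A configuration for the separate-password-file case discussed above, added here as an illustration and not the poster's own setup. ProFTPD's mod_auth_file module reads a passwd-format AuthUserFile, and the home-directory field of each entry is what "~" resolves to under DefaultRoot ~, so each virtual user can get a different jail without a DefaultRoot line per account. The file paths, the account names and the uid/gid values are assumptions; the per-user lines from the post are kept below for comparison.

```apache
# proftpd.conf fragment -- added example, not the poster's configuration.
# Virtual users live in a separate passwd-format file. In each entry the sixth
# field is the home directory (what "~" resolves to) and the seventh the shell.
AuthUserFile  /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group

# Consult only the separate file. Without AuthOrder, other auth modules such as
# mod_auth_unix are also tried, and a same-named /etc/passwd entry can win,
# which makes "~" point at the Unix home instead of the ftpd.passwd home.
AuthOrder     mod_auth_file.c

# Virtual users normally have /bin/false as shell; that would be rejected
# by the default check against /etc/shells.
RequireValidShell off

# With the home directory coming from ftpd.passwd, one directive covers everyone...
DefaultRoot ~

# ...instead of one line per account as in the post above:
# DefaultRoot /home/parent        parent
# DefaultRoot /home/parent/child  child

# Constructed sample entries for /etc/proftpd/ftpd.passwd (uid/gid 5001 and
# 5002 assumed; <hash> stands for the crypt(3) password hash). They can be
# generated with the ftpasswd script shipped with ProFTPD, for example:
#   ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=parent \
#            --uid=5001 --gid=5001 --home=/home/parent --shell=/bin/false
#
#   parent:<hash>:5001:5001::/home/parent:/bin/false
#   child:<hash>:5002:5002::/home/parent/child:/bin/false
```

One caveat a practitioner would want here: the child's jail in the sample sits inside the parent's jail, so parent can read and, if writes are allowed, modify everything child sees. Jails that must be isolated from each other should be sibling directories, not nested ones.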
When set to true, the chroot base directory becomes a subdirectory of the anonymous FTP directory, based on the username of the current user. For example, assuming user "foo" is aliased to "ftp", logging in as "foo" causes proftpd to run as real user ftp, but to chroot into ~ftp/foo instead of just ~ftp.

This works as advertised; if I set my anon block like so:

<Anonymous ~ftp>
User ftp
UserAlias source ftp
UserDirRoot on
...
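A complete <Anonymous> block built around the UserDirRoot behaviour quoted above, added here as an illustration and not the poster's own block (which is cut short above). The second alias, the ftp user's home directory and the <Limit> block are assumptions.

```apache
# proftpd.conf fragment -- added example, not the original poster's configuration.
# ~ftp is the home directory of the system user "ftp" (assumed /srv/ftp here).
# With UserDirRoot on, a login as alias "source" runs as user ftp but is
# chrooted into /srv/ftp/source rather than /srv/ftp; "docs" gets /srv/ftp/docs.
<Anonymous ~ftp>
  User  ftp
  Group ftp

  # Each alias needs its own subdirectory under ~ftp, owned by ftp; a missing
  # directory makes the chroot fail and the login is refused.
  UserAlias  source  ftp
  UserAlias  docs    ftp
  UserDirRoot on

  # Default: no real password is checked, so every alias is effectively an
  # anonymous login and all aliases share whatever credential "ftp" has.
  # Use UserDirRoot for per-user jails, not for per-user secrets.
  AnonRequirePassword off

  # Keep the tree read-only; writable anonymous jails get filled with junk.
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
```

Note the difference from the DefaultRoot approach discussed earlier in the thread: here the jail is derived from the login name, but authentication is that of a single shared account, which is exactly the "primary User password" limitation raised above.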