How to Jail certain users in ProFTPD on Unix (Mac OSX)

Question

I have ProFTPD set up so that I can remotely upload new php files and suchlike to my htdocs on my server. That's all fine, but I would like to jail the 'nobody' (No write, Read/Download only) user into a subdirectory (htdocs/ftp) so that any users can't have fun reading my mySQL connection scripts, which are in the htdocs folder. I don't want to set the DefaultRoot to /ftp, as then I can't use FTP to modify the site, unless there is then a way to allow me back up a level. (For the sake of it, let's call me admin)

It's not a production environment, more an intranet, but hey, i don't want it to be insecure like that.

score 1 · Answer 1 · answered May 09 '12 at 17:46

Thanks for the help - that's worked well for me. As a note, I also used:

<Directory /www/htdocs>
    <Limit READ RMD DELE MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
        AllowUser X
        DenyAll
        </Limit>
</Directory>

Which basically stopped (I think) everything from happening in my protected directory.

score 0 · Accepted Answer · answered May 07 '12 at 23:48

The second argument to the DefaultRoot config option is a list of groups. Put the set of users you want to be able to "modify the site" in one group, then set that group's DefaultRoot to / (or whatever), then have another, default DefaultRoot pointed to /ftp. Or you could do the inverse. Whatever makes the most sense for you.

How to Jail certain users in ProFTPD on Unix (Mac OSX)

2 Answers2