sftp support with InstantSSH plugin

  • Hello all,


    distribution: Ubuntu 16.04.2
    i-MSCP 1.3.16 with latest InstantSSH plugin v5.0.1


    we have InstantSSH plugin running on one server, and users can be created and i can login with defined password to their home directory.


    My problem is
    - that users do not get chrooted via sftp and i dont know the reason why that is not working.
    - and that user1 on client1 can read files from user2 on client1.


    i do get the imscp banner displayed after an ssh login.


    1) [email protected]:~# more /etc/ssh/sshd_config |grep sftp
    Subsystem sftp /usr/lib/openssh/sftp-server


    2) in imscp admin interface i did check the option "restricted access" as a reseller for the client.
    But still i have:
    Remote working directory: /home/imscp_sftp01
    instead /


    3) we use the default gui/plugins/InstantSSH/config.php file with
    'app_sections' => array(
    'bashshell',
    'netutils',
    'dnsutils',
    'editors'
    ),


    Is there a setting somewhere to enable more strict permission checks / chroot feature or should i play around with chmod only?


    thanks
    MSU

  • My problem is
    - that users do not get chrooted via sftp and i dont know the reason why that is not working.

    Are you sure of what you're talking about or it is just an assumption...


    Please connect as the (normally restricted) user and do a ls -la / and post the result here.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • yes, look here:



    same with:
    sftp [email protected]

  • There is no bug here. Your user is chrooted as expected. That is the expected behavior (shared chroot). However, a client A cannot access files of a client B due to permissions in effect:


    For instance, client imscp_ref_neu cannot access files of imscp_ref_web (permissions 0750). So, please, don't make any assumption. If you had read the plugin configuration file correctly, you would have seen the following sentences:


    The most important part is: A shared jail doesn't means that the customers will be able to read, modify or delete files of other customers. This simply means that the jail will be shared between the customers.


    BTW: Next time, use bbcode else your thread/post will be deleted.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • ok, i see, i did not correctly see how to identify if user was chrooted or not.
    i understand that due to permissions clientA cannot access clientB files, due to chmod permissions set.
    But what if you have two users on same domain?


    One question is left unanswered from my post - can you highlight here what to do please?
    imscp_sftp01 was created on same client domain, as imscp_sftp02.
    Is it possible to prohibit that user imscp_sftp01 can write in folder of imscp_sftp02? Both belong to same client domain, but are different sftp accounts. As seen from file list they have same uid and gid.


    Code
    1. drwxr-xr-x 6 vu2004 vu2004 4096 Jul 3 10:24 .
    2. drwxr-xr-x 14 root root 4096 Jul 3 10:24 ..
    3. drwxr-x--- 2 vu2005 vu2005 4096 Jul 3 10:24 imscp_ref_neu
    4. drwxr-x--- 2 vu2004 vu2004 4096 Jul 3 10:24 imscp_ref_web
    5. drwxr-x--- 2 vu2011 vu2011 4096 Jul 3 16:49 imscp_sftp01
    6. drwxr-x--- 2 vu2011 vu2011 4096 Jul 3 10:24 imscp_sftp02


    My Problem: As user imscp_sftp01 i could do a "mkdir /home/imscp_sftp02/test" and directory was created.
    Can it be prohibited?


    thank you
    MSU

  • But what if you have two users on same domain?

    Those two users user have identical uid/gid and that is expected. Any InstantSSH user created for one customer share the same uid/gid.


    Is it possible to prohibit that user imscp_sftp01 can write in folder of imscp_sftp02? Both belong to same client domain, but are different sftp accounts. As seen from file list they have same uid and gid.

    Yes, as stated above the unix users created from the same i-MSCP customer account share the same uid/gid. In fact, they share the uid/gid of the vuxxx Web user.


    What you're asking is not possible with current implementation. That sound like a request for new feature. The problem is that both users must stay able to write under the Web directory and that would not be possible if they didn't share the vuxxx user uid/gid, excepted if the group did have the write permissions which is not the case for security reasons due to the Web server user (www-data) that is also in the vuxxx group. Thus, we are fairly limited.


    As reminder, the purpose of the InstantSSH plugin was:

    • Protect the system from customer actions
    • Protect customers from each other

    The intend was not to protect users created from the same customer account, hence the current implementation. Implementing this feature would be fastidious.


    BTW: For the second time: Use bbocde. That is the last time I warn you :cursing:

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206