This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.
Is it possible to restrict a user from accessing other directories on the server, like FTP directory restriction? Currently users can access whatever they want and even copy other users' scripts, if they want.
There's no good/simple way to do that.
And even if you could, the problem there is the permissions, not SSH... if the permissions on your users' scripts allow others to see them when they shouldn't -- even if you completely disable SSH access, someone could just use a web-based file browser to read the scripts that aren't theirs.
So, the key is to find a way to secure the file permissions such that only users with appropriate permissions can read them :-)
-Eric
Ok, then Virtualmin by default isn't very secure (permission point of view), if SSH is enabled?
Maybe you should explain the specific problem you're having in more detail :-)
Virtualmin simply adds users, and the permissions used in doing so are the default of your distro.
Normally, two different users don't have permissions to view each other's files unless something along the way is changed.
If that's not what you're seeing, perhaps you can describe your setup in more detail.
-Eric
I use Ubuntu 8.04.3 LTS, which I find is a reliable and easy-to-use distro. I'm not very good with UNIX permissions yet. The problem is, I've created 2 virtual servers and used SSH to "explore" the directories. I could read the data in every single home directory. So basically anyone can read other users' scripts via SSH, which is a big exploit for the client, because scripts can be copied like this. I haven't tested the whole thing very accurately.
Howdy,
After some poking around, I found a report in the Ubuntu bug tracker stating that the behavior you're seeing is an intentional Ubuntu default:
https://bugs.launchpad.net/ubuntu/+bug/136743
If you want to set a default that's different than what your distro offers, you can set that up in Webmin -> System -> Users and Groups -> Module Config, and you can set the Home Directory Permissions on there.
If you haven't already, I'd recommend setting up suexec in Apache first. That happens in Virtualmin Pro by default, and if you're using the GPL version, details on setting up suexec are here:
https://www.virtualmin.com/node/8462
Thank you a lot, I didn't know that particular bug. You have been very helpful Eric, that's really nice support!
I have set the permissions to 750, and now directories are not accessible for everyone. :)
Hmm, right, I thought that's what you asked for :-)
What exactly is the problem you're having, and how do you want it to work?
And if you didn't set up the suexec settings I had mentioned above, that would prevent Apache from being able to read your public_html dirs.
-Eric
I'm working on the suEXEC thing, just wanted to let everyone know what the solution was.
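One way to check the fix from this thread across every existing home directory, as an added example that is not part of the original posts or Virtualmin's own tooling. It assumes GNU `stat` (as on Ubuntu) and that home directories sit directly under `/home`; the function names `audit_homes` and `tighten_homes` are made up for this example.

```shell
#!/bin/sh
# Added example: audit (and optionally tighten) home directory modes.
# Assumptions: GNU stat; homes are the immediate subdirectories of BASE.

# List immediate subdirectories of $1 that grant any access to "other".
# Output: one "MODE PATH" line per offending directory.
audit_homes() {
    base=${1:-/home}
    for d in "$base"/*; do
        # Skip plain files and symlinks so only real directories are judged.
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        mode=$(stat -c '%a' "$d") || continue
        # The last octal digit holds the permissions for "other".
        case $mode in
            *0) ;;                                  # e.g. 750 or 700: closed to other users
            *)  printf '%s %s\n' "$mode" "$d" ;;    # e.g. 755: readable by everyone
        esac
    done
}

# Remove all "other" bits from each offending directory (755 becomes 750).
# Only the top-level home directory is changed, not the files inside it.
tighten_homes() {
    audit_homes "$1" | while read -r _mode dir; do
        chmod o-rwx "$dir" && printf 'fixed %s\n' "$dir"
    done
}

# Usage: sh homes.sh audit [BASE]   or   sh homes.sh fix [BASE]
case ${1:-} in
    audit) audit_homes "${2:-/home}" ;;
    fix)   tighten_homes "${2:-/home}" ;;
esac
```

Run `audit` first and review the list before running `fix`; as noted in the thread, suexec should be set up beforehand so Apache can still read each `public_html`.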