Brian's picture

THE ISSUE WITH TURNKEY FILESERVER IS, WHEN I LOG IN WITH "Prueba2" (test user) with SSH on port 22 with "BITVISE SFTP" (search on Google), I CAN SEE THE FILES OF OTHER USERS, AND CAN DOWNLOAD THEM!!!! (SEE THE IMAGE ATTACHED HERE).

For example, if I log in with "prueba2" I can see the files of other users (if you delete the path in "home/prueba2" and change it to "/home/" you can see the files), but for root "Permission is denied".

How can I set, for each user, Permission denied for all other folders of that user (only allow navigating own folders and subfolders for "prueba2")?

Thanks a lot!

Brian

Jeremy Davis's picture

In the TKL fileserver (or any Linux OS using Samba for filesharing) you have two different user account systems: The Linux user accounts and the Samba user accounts. These user accounts are linked/synced but at a system level they are actually separate user accounts and act differently (this is because Linux user accounts and Windows user accounts are not totally compatible - some info is duplicated but much is unique to the OS).

Assuming Samba permissions are configured correctly, when you log in via Samba/Windows fileshares (e.g. map the UNC path to a network drive on a Win PC) then they will act as you would expect, i.e. the user is locked into their files and has access to no others (in their home folder anyway...)

By default Linux users will be able to read the whole filesystem... However it should be relatively easy to stop them from browsing others' /home directories, but not so easy to stop them from browsing the rest of the filesystem. If you want them 'locked' in their /home/username directory then you will need to 'chroot jail' them (get your google on!). If the appliance doesn't already use/include a vanilla FTP server (as opposed to SFTP which is provided via the OpenSSH package) then that actually may be a better route. If you don't want to use plain FTP (which I would avoid if possible due to its insecurities) then packages like vsFTPd provide FTPS (FTP over SSL - so secure connection but not via SSH).
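
An added example, not part of the original thread or of TurnKey's own tooling: shell helpers for the two measures mentioned in the reply above, removing "other" access from home directories and preparing an OpenSSH SFTP chroot. It assumes GNU find/stat (Debian-based appliance) and a hypothetical group name `sftponly`; the function names are illustrative.

```shell
#!/bin/sh
# Added example. Assumes GNU find/stat and a hypothetical group
# "sftponly" holding the accounts that should be jailed.

# List home directories under $1 that grant any permission to "other",
# i.e. the ones another logged-in user can browse over SFTP.
open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /007 | sort
}

# Remove all "other" access from every home directory under $1.
lock_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -exec chmod o-rwx {} +
}

# sshd refuses a ChrootDirectory that is not owned by root or that is
# writable by group/other (this also applies to every parent directory).
# Return 0 only if $1 itself passes both checks.
chroot_ok() {
    [ "$(stat -c %u "$1")" = 0 ] || return 1
    [ -z "$(find "$1" -maxdepth 0 -perm /022)" ]
}

# Print the sshd_config stanza that jails members of group $1 to their
# home directory and allows SFTP only (no shell, no forwarding).
# Because the jail root must be root-owned, the user needs a writable
# subdirectory inside it for uploads.
chroot_stanza() {
    cat <<EOF
Match Group $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Typical use, as root:
#   open_homes /home                 # see which homes are browsable
#   lock_homes /home                 # stop cross-user browsing
#   chroot_ok /home/prueba2 || echo "fix owner/mode before enabling chroot"
#   chroot_stanza sftponly >> /etc/ssh/sshd_config   # then reload sshd
```

Running `lock_homes` alone stops users from reading each other's files but still lets them list the rest of the filesystem; the `Match` stanza is what confines an SFTP session to the user's own directory.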
