Resolved FTP: avoid vhosts list

[visualcons]

Hello,
inside the vhosts folder (root:root) there is a list of all the domains, and each has its permissions (eg ftp_usersaserv).

FTP users are entered with "bin/bash", and therefore can connect via SFTP, with Filezilla for example, directly entering their directory /var/www/vhosts/domain.ext

The problem is that they can also go back and see all the other vhosts folders (even if they can't enter).

How can I get them stuck in their directory?

 

[Monty]

Try this: SFTP does not restrict user to the subscription's directory

 

[visualcons]

I've tried this solutions, but nothing.
I think the problem is in the first step.
Command echo -n 'SFTP restrictions '; [[ -e /httpdocs ]] && echo 'active' || echo 'inactive'
returns:
SFTP restrictions inactive

It should be SFTP restrictions active

I'm on Ubuntu 18.04, default installation with Plesk.

Command grep sftp /etc/ssh/sshd_config | grep -v '^#'
now returns:
Subsystem sftp /usr/lib/openssh/sftp-server

 

[Monty]

Did you reload sshd?
And did you make sure the following is set:

• /bin/bash (chrooted) is selected as a shell in the Domains > example.com > Access to the server over SSH
  

 

[visualcons]

Yes, I've reloaded sshd (service sshd reload).

If I select /bin/bash (chrooted) insteasd of /bin/bash, the user's default folder becomes the server root (/) and so he can go
anywhere

 

[Monty]

Well, that's exactly the idea behind chroot. You want to keep the user inside of his homedir (/var/www/vhosts/example.com).
Why should your user have access to anything outside of his homedir?

 

[visualcons]

Exactly, I don't want this behavior.
But if I set /bin/bash (chrooted) automatically the user's ftp_customer : psaserv folder becomes "/" and so he can view bin, boot, dev, etc, ...

If I leave bin/bash, the folder is correct but he can go up and see the contents of vhosts (only see, not go into other domains folders).

Users have obviously been created in Plesk along with the creation of the subscription.

 

[Monty]

I still don't fully understand what you want to achieve.
If you use /bin/bash (chrooted) then you will see the folders of the chroot environment such as bin, dev, etc, usr, var etc.
But those are not the system folders /bin, /etc and such. The chroot folders only contain the files that are necessary to operate the chroot shell but the customer will be restricted to his homedir and won't be able to see and access anything outside of it.
So this is the correct behaviour. You should never give your users a non-chrooted shell.

 

[visualcons]

Ok, it works, I kept restarting ssh instead of sshd. Thank you!

Can access be further restricted to httpdocs to prevent the customer from deleting them?

 

[Monty]

You could make the httpdocs directory immutable using chattr +i httpdocs

 

[visualcons]

Thank you so much Monty

 

[Monty]

One last thing: Using the immutable bit on httpdocs might cause some issues with Plesk, I don't know. I don't use that method so I can't tell you what the impact is.

So don't blame me in case something else breaks

 

[visualcons]

Ok, thanks again