FTP Accounts - Using symlinks and bind mounts to control folder access - Best practices? Use fstab?

pkiff

• April 28, 2014 12:42

I would like to create an FTP account that allows a user to access two sub-folders, one within the public_html folder, and the other outside of it, like this: /home/[cPanel-account]/public_html/subfolder-1 /home/[cPanel-account]/not_public/subfolder-2 I found these instructions: /http://www.ducea.com/2006/07/27/allowing-ftp-access-to-files-outside-the-home-directory-chroot/ Allowing FTP access to files outside the home directory chroot - MDLog:/sysadmin So I've created matching subfolders within the FTP user's assigned FTP folder, so the folder structure the FTP user sees is something like this: /home/[cPanel-account]/ftp_user/[FTP-user-account]/subfolder-1 /home/[cPanel-account]/ftp_user/[FTP-user-account]/subfolder-2 And I've used the MOUNT command to create mount points that point from .../public_html/subfolder-1 to .../[FTP-user-account]/subfolder-1 and from .../public_html/subfolder-2 to .../[FTP-user-account]/subfolder-2. And this seems to work the way I want. But, these mount points currently need to be recreated whenever the server is rebooted. I understand that I need to edit ~/etc/fstab if I want these mount points to be permanent. Before fiddling with the fstab file, I'm looking for advice on whether there is a better way to do this. Also, I wonder if this opens up unnecessary security holes. Lastly, I think I need some tips on managing the fstab file. I see that cPanel currently has several other files related to fstab (fstab,v and fstab.quotas) and these look like they are generated automatically. Do I need to touch these if I want my Mounts to be permanent and survive reboots? My environment: VPS running within a XEN platform CentOS 6.x WHM 11.4x

• 

  cPanelMichael

  • April 29, 2014 13:33

  Re: FTP Accounts - Using symlinks and bind mounts to control folder access - Best practices? Use fst Hello :) The 'virtual chroot' feature of Pure-FTPd is now disabled by default. Thus, chroot becomes "/" for symlinks. For example, a symlink to /etc, will now point to /home/$username/public_html/ftpuser/etc. One alternative to symbolic links is to use bind mounts, which is what the URL you referenced is explaining. Note the files you referenced are not managed by cPanel, and are OS files. You may need to check with your VPS provider or it's software documentation to determine how to ensure those mounts are preserved. Thank you.

  0
• 

  pkiff

  • April 29, 2014 16:15

  Re: FTP Accounts - Using symlinks and bind mounts to control folder access - Best practices? Use fst OK. So I gather that you don't have another suggestion for how to do this, and there is no way to do configure an FTP account this way (i.e. with access to two subfolders, one within public_html and the other above it) using just the cPanel interface. Fair enough. For other users who happen upon this thread looking for a solution to this problem, I'll note that the "fstab,v" and "fstab.quotas" are backup files or leftover detritus that can be safely ignored when editing the fstab file itself. Also, it seems possible that in some cPanel configurations, when you use bind mounts this way, some non-root cPanel users may be able to discover that such bind mounted folders exist in certain system displays - though they would/should not be able to actually view the contents of any of them. I remain unclear on whether there are additional security issues associated with this solution, and am not quite sure if such mounted folders are in fact visible to non-root users.

  0
• 

  pkiff

  • September 01, 2014 03:16

  Re: FTP Accounts - Using symlinks and bind mounts to control folder access - Best practices? Use fst Just a quick follow-up to this, in case other people find this thread via search and try to use this method. In a default configuration, WHM will create new accounts not only in the default /home folder, but also in ANY folder that includes the word home. If it finds more than one folder with the word home in it, then it will use the one with the most space available. I have discovered that WHM treats these bind mounts as though they are potential home directories, and therefore you may end up with new accounts being created inside them. This may also lead to some weirdness when backup or other files are saved to "home" account folders. The basic problem is that because these bind mounts include "home" in their path, then they are mistakenly treated as separate home folders. See this thread for another example (not caused by bind mounts): New accounts are created in wrong directory Basic cPanel & WHM Setup area.

  0

Please sign in to leave a comment.