Virtual Server FTP Users get root access when using SFTP


I have just found that any Virtual Server FTP User can if they use SFTP access all folders including the root folder.

Can you tell me how I can stop this?



Using SFTP, any user would be able to go to any directory or view any file that has world read permissions. There's no way to restrict them to a particular directory, the way FTP works.

In the above case -- they're only viewing files that they already have rights to... and they could do the same thing were they to open up a web-based file browser. Using that, they could browse the same files/dirs on the server.

Normally, the permissions are secure by default, but the thing to do is just to make sure that things they shouldn't have access to aren't world readable.

If you're not comfortable with that, you're probably best off disabling SFTP access -- though do remember that the users can get at all those files using any web-based file browser :-)

I am not sure I explained correctly, they can access all folders on the server including /etc, /lib etc.

It is as thought they have logged in a the root user

Nope, I understand... both /etc and /lib are world readable directories :-)

All users on the system both have and require permissions to those dirs.

The FTP daemon has a mechanism for locking a user into their dir during file transfers. However, outside of FTP, the user really does have permissions to access those other directories.

So, what you're seeing is simply how Linux and UNIX servers are setup :-)