Hi Joe,
Just had an issue with a customer who logged in to his server with FTP (SFTP/SSH) and notified us that he had access to the whole server (root) when logging in with his domain account and password.
To check this I tried some other domain owners' usernames and passwords with the same result. I tried with WS_FTP Pro and PuTTY and had access to several folders in other user accounts/domains, and also to folders and files on the server.
Should a customer really have access to other folders than his domain folder? He should NOT be able to go backwards and gain access to root or home/ and all other customer accounts. I logged in to a customer account using his username and pwd with WS_FTP Pro, clicked "folder up" and could see all other customers; I also clicked my way into my own user in our domain, and from there I could download my sent mail !!! from one of our customer account logins. I think that a customer shouldn't even see other folders than those in his account.
I actually don't know if it's been like this all the time, but my main concern and question is HOW do I lock users to their own account. I don't know if I have missed something in some config, and as far as I know I haven't reduced any permissions or security settings. ProFTPD is normally not running on the server, but I started it up and tried the same thing with WS_FTP using regular FTP; now the customer is locked to his account.
I tell our customers to use FTP over SSH (SFTP) and not regular FTP because our server doesn't run FTP for security reasons... hmmm....
Regards,
Leif
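The confinement the post asks for, as an added example that is not from the original message: a POSIX shell check (using awk) that reports whether an OpenSSH sshd_config jails SFTP logins with ChrootDirectory and internal-sftp, run over a constructed unconfined config and a constructed corrected one. It assumes the server runs OpenSSH; the group name sftponly and both sample configs are constructed for illustration.

```shell
# Constructed sample (assumed to match the post): SFTP users are not jailed.
WEAK_CONF='Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes'

# Constructed sample: accounts in group "sftponly" (assumed name) are jailed
# to their home and get no shell or forwarding. ChrootDirectory must be
# root-owned and not user-writable, so uploads go to a subdirectory of it.
FIXED_CONF='Subsystem sftp internal-sftp
PasswordAuthentication yes
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no'

# sftp_chroot_check FILE: exit 0 if some Match block sets ChrootDirectory
# and forces internal-sftp, else exit 1. Keywords are case-insensitive.
sftp_chroot_check() {
    awk '
        { key = tolower($1) }
        key == "match" { in_match = 1; chroot = 0; forced = 0; next }
        in_match && key == "chrootdirectory" { chroot = 1 }
        in_match && key == "forcecommand" && tolower($2) == "internal-sftp" { forced = 1 }
        in_match && chroot && forced { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# write_conf weak|fixed: write that sample to a temp file and print its path.
write_conf() {
    f=$(mktemp) || return 1
    if [ "$1" = fixed ]; then printf '%s\n' "$FIXED_CONF" > "$f"
    else printf '%s\n' "$WEAK_CONF" > "$f"; fi
    echo "$f"
}

for name in weak fixed; do
    if sftp_chroot_check "$(write_conf "$name")"; then
        echo "$name: SFTP users are confined to their home"
    else
        echo "$name: SFTP users can browse the whole filesystem"
    fi
done
```

On a live server, run sftp_chroot_check against /etc/ssh/sshd_config and remember that a chroot only holds if the jailed users are actually in the matched group and sshd has been reloaded.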