KpyM Telnet/SSH Server - Forum
_Limiting access to a specific volume and folder
Greg _Limiting access to a specific volume and folder
 
We have set up a specific folder for SFTP file transfers. Following security best practice (never expose your operating system volume to the Internet), a D: drive was added to the Windows Server. A folder called \SFTP was created in the root. In the setup options for the SSH server, the sftp_root was set to D:\SFTP.

When connecting with WinSCP or pscp (makers of PuTTY), the SSH server doesn't "see" anything in the "root" which should actually be the D:\SFTP folder. There are several folders and the user has access to view the folders.

With WinSCP, I can use the "Open Directory/Bookmark" dialog and point it to C:\ or D:\ and it returns a FULL DIRECTORY LISTING of those folders.

With pscp, when I connect to the "root", it displays C$ and D$, but I cannot get it to any files/folders under D:\SFTP.

Very concerned that the SSH server is "offering" folders I never intended or expected to be "viewable" from the "outside" (which happens to be the Internet).

Any suggestions on what I am doing wrong??


Kroum Grigorov
 
Have a look at these posts on how to restrict your users to a folder

l0c41://www.kpym.com/phpbb/viewtopic.php?t=208
l0c41://www.kpym.com/phpbb/viewtopic.php?t=415
l0c41://www.kpym.com/phpbb/viewtopic.php?t=226

Kroum


Greg
 
I can't change the permissions of my C: drive (operating system). Why is the SSH server displaying the contents of the C: drive when the sftp_root variable is pointing to D:\SFTP?? Why can I "break out" of the root? Why does it "advertise" the C$ and D$ "shares"... They really aren't even "shares" because the server service isn't even running on my server.


Greg
 
To re-create using pscp (available from PuTTY: l0c41://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

pscp -v -pw XXX -ls id@address:/C$

were XXX is the ID's password
id is an account on the SSH server
address is the ipaddress of the SSH server

If you try this, do you "see" a directory listing of your C: drive?


Greg
 
Filezilla is behaving the same way, displaying the contents of my C: drive...


Kroum Grigorov
 
Just to clear this out.
KTS does not imply any security restrictions on the running sessions itself.
It just starts the session under the user credentials and leaves the OS itself to take care for user security restrictions, the same OS does for any other process runing under the given account.

Kroum


Greg
 
(Still trying to figure this one out...) My SFTP account is a member of only 2 local groups: Guests and (one I created called) SFTP_Users. When I log in on the server and run GPRESULTS, it displays that the account is a member of BUILTIN\Guests and BUILTIN\Users. Why it grants user access when the account is not a member of that group makes no sense. Based on this finding...

Most accounts will be granted "User" access, and will be able to see nearly every folder on the SSH server, including "Program Files" and "Windows". Windows has to allow "users" to see much more than I am comfortable exposing on a public facing SSH server. WOW! YIKES!


 

© 2007 - 2008 Kroum Grigorov
Powered by phpBB © 2001, 2005 phpBB Group