Hi All, Hopefully this is the correct place to post this! I Have followed the tutorial for setting up ISPConfig on an Ubuntu 18.04 server sing nginx - so far so good all working well except the emails. After a browse through on here i found someone suggesting to run the update for ISPConfig which i did and it resolved the email issue perfectly. However, I have noticed that any new client I add (and now found the existing ones) all seem to have additional folders when they access via ftp (this is via ftp and not ssh) Folders like: bin, dev, etc, home, lib, lib64, run are now available in addition to the normal log, private, web folders I went to the /var/www/clients/client1/web1 folder and all these folders are showing in there so I guess they have been linked there somehow? I'm not too sure how to get this resolved and to get the folders limited to what they used to be? I would thing its some sort of configuration somewhere but no idea where. Is it to do with Jailkit? System: Ubuntu 18.04 ISPConfig version: 3.2.1 Very many thanks in advance
This is normal when jailkit is enabled. In those folders only the files relevant for them can be found - try it out with a test user
Hi thanks for the reply, doesn't seem too safe to me, I've setup a new test user and it has access to all sorts even some things in the etc folder like the hosts and passwd file. See images below I can't see that being right somehow?
I can download and open all of them with my test account and the existing accounts. I don't seem to be able to edit or replace them though. Is there a way to remove them or hide them from the ftp user? I have never logged into a hosting provider and had access to any files like these before.
It's actually the opposite, having these files and folders on website level shows that you are in a jail, which means your web environment is separated from other websites and the server root. What you see there are not the files of the server root, these are files of your own website, so e.g. the passwd file is not the server passwd file, its just a file specific to your site.
Hi, I can see the folders are separate as I cannot go up further levels into the filesystem. I will have to open a few and compare them to see what they actually contain compared to the main system. Is this the way ISPConfig actually sets up the jailkit? If it is then is there an easy way to adjust what is available in this folder? I would like as little as possible exposed really. For example most other hosting providers show the bare minimum like the below: Can ISPConfig be setup to do this?
Yes. Any Linux jail must contain these folders as programs in a jail won't work without them. Of course, what you find there is a commonly used standard setup of applications, you can configure the jail setup under system > server config in ISPConfig. Sure, you can setup ispconfig in such a insecure way as well. No professional admin would do that as you give your users access to the whole filesystem then. But if security does not matter for you, then just disable jails so users can wander around the whole filesystem.
Hi thanks for the replies this has to be the most active forum I've seen in ages! I shall have a look in the server config and see if I can limit what the ftp user gets shown. They only need logfiles and the public html folder. They don't need any of the etc, lib folders in ftp at all they serve no purpose there. Security is very important to me, i think you misunderstood. I don't want it setup insecure that's the point, I want it more secure than what its currently doing. As I see it, access to all these extra files is not needed on ftp you cannot execute them and don't have write permission for them so why ISPConfig shows them to the ftp user is unknown to me. I want it more secure. I just want the basic couple of folders available to every ftp user.
So I've had a play with the jailkit settings in the sever config. If it helps anyone else I have changed the "Jailkit chroot app sections" From having: "basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh" To just these: "ssh sftp groups jk_lsh" Which leaves me with a much more secure looking ftp directory as shown below: I clearly need some more time with the configuration of ISPConfig but may help someone else out. Thank you for your time this evening much appreciated.
Would it work for you if you do not create shell account for website, only FTP user? Then I believe jailkit is not active and those extra directories are not created.
Hi , There is no option to create a shell user (in the ftp accounts section) as far as I know a shell user is a different option and I haven't created any at all. I literally just selected "Sites" then "FTP Accounts" then "Add new FTP User". The form doesn't have an option for creating a shell user. There is a Separate section to create a "Shell User" instead of "FTP Account" but I didn't create any shell users.
Your screenshot shows no jailkit files installed at all, it has nothing to do with changing the chroot app sections. As indicated above, jailkit is created as needed, be it a chroot shell user, chroot cron or running php-fpm in chroot mode; there is a checkbox in website options tab to delete the jailkit directories if it is not in use, if you want existing sites cleaned up (generally a good idea).
