SFTP access to everything

Out of curiosity I tried an SFTP connection via FileZilla from the Windows client. Using the user configured, it worked and allowed me to browse all the directories. I mean ALL the directories, and download / upload to anywhere on the server.

This concerned me more than a little.

What user?

Can you provide some examples? I’d like to reproduce this behavior!

Okay, clean install again. I made a transcript of all my actions. I still cannot connect to a simple share. BUT using FileZilla SFTP, the created user can access everything.

Linux is not my strength so do tell me if I’ve done something really stupid!

Here is what I did:

Installed CentOS 7
yum update
reboot
yum localinstall -y http://mirror.nethserver.org/nethserver/nethserver-release-7.rpm
nethserver-install (IP address was empty https://:980)
reboot
yum group install "GNOME Desktop"
startx
login to web interface
configured NIC2 as internal green static IP 192.168.2.4
re-configured NIC1 as internet red DHCP
DHCP module enable DHCP on NIC2
software center - add domain control: samba
domain control - enter IP 192.168.2.3 and clicked bridged - start DC
prompted to enable admin account - gave admin user password
created new group "mygroup"
created another user "ryan" and added to mygroup
software center - fileserver - add
shared folders - create new share "test" mygroup as owning group - read write permission
on a Windows PC changed workgroup to "SERVER" - reboot
navigate to network - lacloue folder visible "test" - try to gain access - enter user "ryan@server.local" denied.

I then tried a FileZilla SFTP connection.

I then proceeded to browse to and download a file:

Which, as you can see, was a success! And very concerning.

On NethServer (CentOS), and also on a lot of *nix systems, a user can access a lot of directories, but sensitive files cannot be read. I guess Windows systems also do the same…

For instance

/etc/shadow

Or other user’s home directory.

/home/somebody

Only some dirs have write access.

In the past we discussed a chroot setup for SFTP. Please search this forum for it!

That makes sense, I will look into it.
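
The permission behaviour described in the reply above (many directories browsable, sensitive files unreadable, only some directories writable) can be checked from mode bits. This is an added example, not part of the original thread or NethServer's own code; the function names and the sample tree are constructed for illustration, and it assumes a non-root user with no ACLs or SELinux rules in play.

```python
import os
import stat
import tempfile

def rwx_for(st, uid, gids):
    """Return the (read, write, execute) bits that apply to uid/gids for one inode."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0  # owner / group / other
    bits = (stat.S_IMODE(st.st_mode) >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)

def sftp_reach(root, uid, gids):
    """Walk root the way a browsing SFTP session could and classify what it finds."""
    found = {"browsable": [], "blocked": [], "readable": [], "unreadable": [], "writable": []}
    stack = [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)
        r, w, x = rwx_for(st, uid, gids)
        rel = os.path.relpath(path, root)
        if stat.S_ISDIR(st.st_mode):
            if not (r and x):          # cannot list or enter: the subtree stays hidden
                found["blocked"].append(rel)
                continue
            found["browsable"].append(rel)
            stack.extend(os.path.join(path, name) for name in os.listdir(path))
        elif stat.S_ISREG(st.st_mode):
            found["readable" if r else "unreadable"].append(rel)
        if w and not stat.S_ISLNK(st.st_mode):   # upload/overwrite is possible here
            found["writable"].append(rel)
    return {kind: sorted(paths) for kind, paths in found.items()}

def build_sample_tree(base):
    """Constructed stand-in for a server filesystem; modes are chosen for illustration."""
    os.chmod(base, 0o755)
    layout = [("etc", True, 0o755), ("etc/passwd", False, 0o644),
              ("etc/shadow", False, 0o600), ("home", True, 0o755),
              ("home/somebody", True, 0o700),
              ("home/somebody/notes.txt", False, 0o644), ("tmp", True, 0o1777)]
    for rel, is_dir, mode in layout:
        p = os.path.join(base, rel)
        os.mkdir(p) if is_dir else open(p, "w").close()
        os.chmod(p, mode)
    return base

if __name__ == "__main__":
    tree = build_sample_tree(tempfile.mkdtemp())
    for kind, paths in sftp_reach(tree, os.getuid() + 1, set()).items():
        print(f"{kind:10} {paths}")
```

Run against a real path with the SFTP user's uid and group ids, the "writable" and "readable" lists show what that account can actually touch, which is the baseline to compare against before and after a chroot setup.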