limiting a user to ftp only and only in $HOME
limiting a user to ftp only and only in $HOME - Apr. 10, '06, 6:37:22 PM
Keehan_Mallon
Posts: 32
Joined: Jan. 23, '04
I have a user that I would like to allow to upload files to my SFU 3.5 (Windows 2000) machine. I do not want to give this user access to a shell or to any directories other than $HOME. I have not seen any way to do this with the stock ftpd that comes with SFU. Is this possible, or do I need to use another ftpd?
Cheers,
Keehan
RE: limiting a user to ftp only and only in $HOME - Apr. 10, '06, 7:09:27 PM
Rodney
Posts: 3728
Joined: Jul. 9, '02
From: /Tools lab
You can change the user's default shell to be something like /bin/noshell,
which would be a simple binary (e.g. "exit(0)"). That would end shell access.
Remember to add this to /etc/shells.
Now go read the ftpd man page. In particular, read the bit about authentication
rules, #4:
4. If the user name appears in the file /etc/ftpchroot, the ses-
sion's root will be changed to the user's login directory by
chroot(2) as for an ``anonymous'' or ``ftp'' account (see next
item). However, the user must still supply a password. This
feature is intended as a compromise between a fully anonymous
account and a fully privileged account. The account should
also be set up as for an anonymous account.
Remember that with a chroot'd environment, if the user wants to ls then
you'll have to make a "/bin" for the environment with ls in it.
RE: limiting a user to ftp only and only in $HOME - Apr. 11, '06, 3:04:10 PM
Keehan_Mallon
Posts: 32
Joined: Jan. 23, '04
Rodney,
I looked in the ftpd man page before but didn't see that section. Here is an excerpt from the ftpd man page I have, covering the part I think you are referring to. Note that I have no authentication rules 3) or 4):
The ftpd(1) utility authenticates users according to these rules:
1. The logon name must be in the password data base, and not have a
null password. In this case a password must be provided by the
client before any file operations can be performed.
2. The logon name must not appear in the file /etc/ftpusers.
ANONYMOUS FTP
On many systems (but not Interix), there is a provision for "anonymous
ftp"--if the logon names "anonymous" or "ftp" match an account on the
system, the user can log on with any password. On these systems, ftpd(1)
performs a chroot(2) system call and takes other measures to preserve
security.
On Interix versions before 2.5, there is no anonymous ftp-- the user
names "anonymous" and "ftp" have no special meaning. Because Interix
provides no chroot(3) system call, anonymous ftp sessions are insecure and
dangerous.
Am I missing parts of the man page? I have updated some utilities via pkg, but ftpd should still be part of base.
Also, for /bin/noshell, can this just be a simple script?
#!/bin/ksh
exit
Or is there something more I need to do? You mentioned making a small binary? Via gcc?
Thanks again,
Keehan
RE: limiting a user to ftp only and only in $HOME - Apr. 11, '06, 3:23:08 PM
Keehan_Mallon
Posts: 32
Joined: Jan. 23, '04
I have tried with a shell "nosh". I added /bin/nosh to /etc/shells. I wrote nosh as:
#!/bin/ksh
exit
I then log in as the user I want to limit, issue the following, and get:
hostname:/bin$ chsh -v /bin/nosh
chsh: executing '/usr/contrib/win32/bin/net USER username /USERCOMMENT:"/bin/nosh" '
System error 5 has occurred.
Access is denied.
chsh: /usr/contrib/win32/bin/net USER username /USERCOMMENT:"/bin/nosh"
It looks like this is not specific to my nosh:
hostname:/bin$ chsh -v /bin/ksh
chsh: executing '/usr/contrib/win32/bin/net USER username /USERCOMMENT:"/bin/ksh" '
System error 5 has occurred.
Access is denied.
chsh: /usr/contrib/win32/bin/net USER username /USERCOMMENT:"/bin/ksh"
Any ideas?
RE: limiting a user to ftp only and only in $HOME - Apr. 11, '06, 3:38:41 PM
Rodney
Posts: 3728
Joined: Jul. 9, '02
From: /Tools lab
The ftpd binary will be the same as what shipped -- there's no /Tools update for it.
Odd that your man page is missing parts. But the key part is what I quoted.
Add the username into /etc/ftpchroot. I'd add the shortname and the FQUN
("user" and "MACHINE+user") for good measure.
For complete security, /bin/noshell should be a binary, not a script.
Yes, the easiest way is to use gcc to compile it. So the code will
just be in a file "noshell.c":
#include <stdlib.h>   /* for exit() */

/* Login shell that does nothing: exits immediately with status 0. */
int main(void)
{
    exit(0);
}
Then "gcc -o noshell noshell.c" and then "cp noshell /bin".
Edit /etc/shells and add /bin/noshell to the list so it will be "legal".
As to the chsh error message: it means the user doesn't have enough permissions
to change their own shell. You can do it as Administrator from the command line using
the Win32 NET USER command:
NET USER <username> /USERCOMMENT:"/bin/noshell"
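The post above amounts to a three-step lockdown: a login shell that runs nothing, that shell listed in /etc/shells, and the user name (short and MACHINE+user form) listed in /etc/ftpchroot. The following POSIX shell script is an added example, not code from the thread or from SFU; it verifies all three conditions for a given user so an administrator can confirm the setup before handing out the account. It goes slightly beyond the post by testing the shell's behaviour rather than just its name, so it also accepts /bin/false-style shells. The file paths are parameters (so it can be pointed at copies of the real files), the user name "uploader" and the "MACHINE+uploader" form are constructed placeholders, and it assumes a grep that supports -q and -x. It inspects files only and never runs ftpd, so whether this build of ftpd honours /etc/ftpchroot remains the open question of the thread.

```shell
#!/bin/sh
# Added example (not part of the thread): check that a user is locked down
# the way the post above describes. The three checks are:
#   1. the login shell is an exact entry in /etc/shells ("legal");
#   2. the login shell does not execute commands (ends shell access);
#   3. the user name is an exact entry in /etc/ftpchroot (ftpd chroots to $HOME).
# Assumption: grep supports -q and -x (true of GNU and BSD grep).

# Return 0 if the shell path $1 appears as an exact line in shells file $2.
shell_is_listed() {
    grep -qx -- "$1" "$2"
}

# Return 0 if $1 ("user" or "MACHINE+user") is an exact line in ftpchroot file $2.
user_is_chrooted() {
    grep -qx -- "$1" "$2"
}

# Return 0 if shell $1 exists and refuses to run a command handed to it the
# way a login program would ("shell -c command"). A real shell prints
# "alive"; /bin/false, /bin/true or the compiled noshell print nothing.
# A missing or non-executable shell is reported as a failure, not a pass.
shell_is_noninteractive() {
    [ -x "$1" ] || return 1
    out=$("$1" -c 'echo alive' </dev/null 2>/dev/null) || true
    [ "$out" != "alive" ]
}

# Run all three checks for user $1 with shell $2 against shells file $3 and
# ftpchroot file $4. Prints one line per failed check; returns 0 only when
# every check passes.
check_user_lockdown() {
    user=$1 shell=$2 shells_file=$3 ftpchroot_file=$4
    status=0
    if ! shell_is_listed "$shell" "$shells_file"; then
        echo "FAIL: $shell is not listed in $shells_file"
        status=1
    fi
    if ! shell_is_noninteractive "$shell"; then
        echo "FAIL: $shell still runs commands, so it does not end shell access"
        status=1
    fi
    if ! user_is_chrooted "$user" "$ftpchroot_file"; then
        echo "FAIL: $user is not in $ftpchroot_file, so ftpd will not chroot it to \$HOME"
        status=1
    fi
    return $status
}

# Demo against constructed copies of the two files (placeholder user name).
# Returns the lockdown check's status for the constructed "uploader" account.
demo_constructed() {
    dir=$(mktemp -d) || return 1
    printf '/bin/sh\n/bin/false\n' > "$dir/shells"
    printf 'uploader\nMACHINE+uploader\n' > "$dir/ftpchroot"
    if check_user_lockdown uploader /bin/false "$dir/shells" "$dir/ftpchroot"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}
```

To check a real account, call check_user_lockdown with the user's actual shell and the live files, e.g. `check_user_lockdown uploader /bin/noshell /etc/shells /etc/ftpchroot`, once for the short name and once for the MACHINE+user form that the post recommends adding.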
RE: limiting a user to ftp only and only in $HOME - Apr. 11, '06, 3:48:40 PM
woehlkmp
Posts: 102
This is a little off-topic, but isn't it traditional to use /bin/true or /bin/false for a bogus shell? That gives the same result without having to build anything...