From owner-freebsd-security  Wed Feb 28 11:29:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.argolis.org (bgm-24-94-35-22.stny.rr.com [24.94.35.22])
	by hub.freebsd.org (Postfix) with ESMTP id CAC4537B71B
	for <freebsd-security@FreeBSD.ORG>; Wed, 28 Feb 2001 11:29:22 -0800 (PST)
	(envelope-from piechota@argolis.org)
Received: from localhost (piechota@localhost)
	by cithaeron.argolis.org (8.11.2/8.11.2) with ESMTP id f1SJT7r00579;
	Wed, 28 Feb 2001 14:29:08 -0500 (EST)
	(envelope-from piechota@argolis.org)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Wed, 28 Feb 2001 14:29:07 -0500 (EST)
From: Matt Piechota <piechota@argolis.org>
To: Rob Simmons <rsimmons@wlcg.com>
Cc: <George.Giles@mcmail.vanderbilt.edu>,
	<freebsd-security@FreeBSD.ORG>
Subject: Re: ftp access
In-Reply-To: <Pine.BSF.4.33.0102271738250.82118-100000@mail.wlcg.com>
Message-ID: <Pine.BSF.4.31.0102281426470.457-100000@cithaeron.argolis.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Feb 2001, Rob Simmons wrote:

> /sbin/nologin as the user's shell.  You also have to add this shell to
> /etc/shells

I though the idea of nologin was to deny access.  Wouldn't you want to
copy nologin to /sbin/ftponly (or something) and put that in /etc/shells?
That way you have 3 step: telnet+ftp (tcsh, bash, etc), ftp only
(/sbin/ftponly), and no access (/sbin/nologin).

-- 
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message