From owner-freebsd-security Mon Mar 5 18:24:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from turtle.looksharp.net (cc360882-a.strhg1.mi.home.com [24.2.221.22])
    by hub.freebsd.org (Postfix) with ESMTP id 8980437B718
    for ; Mon, 5 Mar 2001 18:24:38 -0800 (PST)
    (envelope-from bsdx@looksharp.net)
Received: from localhost (bsdx@localhost)
    by turtle.looksharp.net (8.11.1/8.11.1) with ESMTP id f262R4J15181;
    Mon, 5 Mar 2001 21:27:05 -0500 (EST)
    (envelope-from bsdx@looksharp.net)
Date: Mon, 5 Mar 2001 21:27:04 -0500 (EST)
From: Adam
To: "Riley J. McIntire"
Cc: "Aaron D.Gifford" ,
Subject: RE: ftp access
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 1 Mar 2001, Riley J. McIntire wrote:

>> -----Original Message-----
>> From: owner-freebsd-security@FreeBSD.ORG
>> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Aaron D.Gifford
>> Sent: Thursday, March 01, 2001 9:02 AM
>> To: freebsd-security@FreeBSD.ORG
>> Subject: RE: ftp access
>
>>
>> I would caution folks from putting /sbin/nologin into /etc/shells
>> in order to
>> create FTP-only accounts. I would instead suggest you create a link to
>> /sbin/nologin and call it something like /sbin/ftponly and put
>> THAT shell in
>> your /etc/shells file and use it as the shell for your FTP-only users.
>
>Would this be a problem?
>
>root@aji# lls /sbin/ftp_only
>-rwxr-xr-x 1 root wheel - 48 Mar 1 13:23 /sbin/ftp_only*
>
>root@aji# cat /sbin/ftp_only
>echo This account is for ftp only
>ftp localhost
>root@aji# grep ftp_only /etc
>
>root@aji# grep ftp /etc/shells
>/sbin/ftp_only
>
>Then a telnet would show the motd and:
>
>This account is for ftp only
>Connected to localhost.
>220 aji.wilshire.net FTP server (Version 6.00LS) ready.
>Name (localhost:username):

What happens if they have a valid ftp account, login, and run !sh ?
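The concern raised in this message, turned into an audit check. This is an added example, not code from the thread or from any poster: it walks an /etc/shells-style list and flags entries that are text scripts which launch an interactive program offering a shell escape. The function name `audit_shells`, the `ESCAPE_PROGS` list and the optional root prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit login-shell entries that are wrapper scripts.
# Usage: audit_shells /etc/shells

# Assumed list of interactive programs that offer a shell escape;
# extend it to match what is installed on the host being audited.
ESCAPE_PROGS="ftp vi more less man"

# audit_shells FILE [ROOT]
#   FILE  shell paths, one per line (the /etc/shells format)
#   ROOT  optional prefix for each path, so a copied tree can be audited
# Prints one line per entry:
#   "RISKY <path> <prog>", "OK <path>" or "MISSING <path>".
audit_shells() {
    shells_file=$1
    root=${2:-}
    while IFS= read -r entry; do
        # Skip blank lines and comments in the shells file.
        case $entry in ''|\#*) continue ;; esac
        path=$root$entry
        if [ ! -f "$path" ]; then
            echo "MISSING $entry"
            continue
        fi
        hit=
        # Inspect text files (scripts) only; -I makes grep treat
        # binaries as non-matching, so compiled shells are skipped.
        if grep -Iq . "$path" 2>/dev/null; then
            for prog in $ESCAPE_PROGS; do
                # Match the program as the command word of a line
                # (optionally after "exec" or with a directory prefix),
                # ignoring comment lines and words inside echo text.
                if grep -v '^[[:space:]]*#' "$path" | grep -Eq \
                    "^[[:space:]]*(exec[[:space:]]+)?([^[:space:]]*/)?${prog}([[:space:]]|\$)"
                then
                    hit=$prog
                    break
                fi
            done
        fi
        if [ -n "$hit" ]; then
            echo "RISKY $entry $hit"
        else
            echo "OK $entry"
        fi
    done < "$shells_file"
}
```

A wrapper that only prints its notice and exits, as a link to /sbin/nologin would, passes the check; the wrapper quoted above does not, because its second line starts an interactive ftp client.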