Date: Fri, 10 Jul 2009 10:30:08 -0400
From: Steve Bertrand <steve@ibctech.ca>
To: RS Wood <rswood@therandymon.com>
Cc: freebsdquestions <freebsd-questions@freebsd.org>
Subject: Re: FTP Server for individual client spaces
Message-ID: <4A575070.2050904@ibctech.ca>
In-Reply-To: <1247235024.5167.1324439995@webmail.messagingengine.com>
References: <1247235024.5167.1324439995@webmail.messagingengine.com>

RS Wood wrote:
> I run a small engineering company* that exchanges large files (CAD,
> etc.) with clients, and I want to keep the docs off my email server by
> setting up a stand alone FTP server where each client can upload and
> download its relevant files.  As such, my own users/employees should be
> able to reach every client’s FTP space but each client should only be
> able to reach his own.  As my users finish a doc, they place it in that
> client’s FTP directory and the client can log in and get it.  As such,
> I don’t want any form of unauthenticated FTP.
>
> I’ve tried different combinations of group names and directory
> permissions without success, but chrooting users doesn’t seem to solve
> my problem either, and my two favorite BSD books – Tiemann et. al.
> (Unleashed) and Lucas (Absolute) take the same approach the man pages
> do, in my opinion, which guides you either into an all anonymous system,
> or a system suitable for organizations such as software distributors in
> which clients/users authenticate but then all access the same directory
> (/pub for example).  I could use some help conceptualizing this.
>
> Is the solution ftpchroot?

It works for us, for the users who still need FTP access:

# cp /sbin/nologin /sbin/ftp-only
# echo "/sbin/ftp-only" >> /etc/shells
# adduser

homedir == /ftp/username
shell == /sbin/ftp-only

I then:

# cd /ftp/username
# rm -r .*
# echo "username" >> /etc/ftpchroot

Now, you can create staff accounts in the same way, but set their home
directory as /ftp. They'll be able to traverse the entire FTP tree from
there.

Just ensure that the /ftp directory structure is owned by a group that
your staff accounts are in, and that all of the sub directories are
modded with appropriate permissions.

> If so, it’s not clear how I can chroot
> each potential client into his own directory, as my understanding is
> that all chrooted users wind up at the same place (like /var/ftp/pub).
> Or is the solution that each client gets access to his own home
> directory;

Yes, each to their own home dir.

> if so, how do I ensure my staff has access to each client’s
> home directory?

I'm assuming that your staff will be using FTP as well. Simply assign
their home directory to the root FTP directory.

> Lastly, I’ve also been reading up on PureFTP, which
> seems to have some advanced configuration potential (including LDAP
> authentication, something else that interests me) but it’s not clear
> that using an alternative product is indicated here.

> This seems like something other organizations must have dealt with, so I
> must be missing something fundamental.  Can someone point me in the
> right direction?
>
> Finally, I’m aware FTP has inherent security liabilities as passwords
> cross the net in clear text, but I’m not convinced casual users on
> Windows boxes will be able to manage fun stuff like SSH connections or
> alternative software, like SCP.

Provide them a link to a client software that uses SFTP. I use WinSCP
(portable), which defaults to SFTP, and provides the server, username
and password fields as soon as it is launched.

Hope I didn't miss anything ;)

Steve
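
Added example (not part of Steve's message): a shell check of what the procedure above depends on, namely that /sbin/ftp-only is listed in the shells file, that every FTP-only account has an ftpchroot entry, and that its home is /ftp or below it. The function names, the sample accounts and the assumption that staff accounts are listed in ftpchroot as well are constructed for illustration.

```sh
#!/bin/sh
# Added example: check FTP-only accounts against the setup in the message.
FTP_SHELL=/sbin/ftp-only   # shell created with: cp /sbin/nologin /sbin/ftp-only
FTP_ROOT=/ftp              # root of the FTP tree

# audit_ftp_accounts PASSWD FTPCHROOT SHELLS
# Prints one finding per line; returns 1 if anything was found, else 0.
# Assumption: ftpchroot holds plain user names, one per line, as in the message.
audit_ftp_accounts() {
    passwd_file=$1; chroot_file=$2; shells_file=$3; rc=0
    # ftpd only accepts users whose shell is listed in the shells file.
    if ! grep -qxF -- "$FTP_SHELL" "$shells_file"; then
        echo "shells: $FTP_SHELL is not listed"; rc=1
    fi
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$shell" = "$FTP_SHELL" ] || continue
        # Without an ftpchroot entry the session is not confined to $home.
        if ! awk -v u="$user" '$1 == u { ok = 1 } END { exit !ok }' "$chroot_file"; then
            echo "$user: missing from ftpchroot"; rc=1
        fi
        # Clients live in /ftp/<name>, staff in /ftp itself.
        case $home in
            "$FTP_ROOT"|"$FTP_ROOT"/?*) ;;
            *) echo "$user: home $home is outside $FTP_ROOT"; rc=1 ;;
        esac
    done < "$passwd_file"
    return $rc
}

# Constructed sample files (not real accounts): two clients and one staff user.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' /bin/sh /sbin/ftp-only > "$d/shells"
    printf '%s\n' acme staff1 > "$d/ftpchroot"
    cat > "$d/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
acme:*:2001:2001:Client:/ftp/acme:/sbin/ftp-only
globex:*:2002:2002:Client:/home/globex:/sbin/ftp-only
staff1:*:1001:1001:Staff:/ftp:/sbin/ftp-only
EOF
    echo "$d"
}

d=$(make_sample)
audit_ftp_accounts "$d/passwd" "$d/ftpchroot" "$d/shells" || echo "findings above"
rm -r "$d"
```

On a live host, pass /etc/passwd, /etc/ftpchroot and /etc/shells as the three arguments.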