Date: Sat, 26 May 2001 02:27:26 GMT From: Brent Rector <brent@justbrent.net> To: RDWest "Sr." <bsd-noob@home.com>, questions@freebsd.org Subject: Re: Permissions Problem (need help) & resticting FTP users Message-ID: <20010526.2272670@cr565151-a.vc.shawcable.net> In-Reply-To: <001601c0e589$b2f9ced0$23730618@ci83514a> References: <01052520571800.00345@ci83514-b.sptnbrg1.sc.home.com> <20010526.1500266@cr565151-a.vc.shawcable.net> <001601c0e589$b2f9ced0$23730618@ci83514a>
Standard layout is a text based file....
<user1>
<user2>
@<group>
i.e.
Brent
bob
@users
You don't have to include a specific group of users; I found it easier to set up a group specifically for our standard users etc...
Just save the basic file in your /etc directory..
Actually, you were right, there wasn't any reference to ftpchroot when I just used man... etc..
You can find the information about this about halfway down in man ftpd:
Ftpd authenticates users according to five rules.

1. The login name must be in the password data base and not have a null password. In this case a password must be provided by the client before any file operations may be performed. If the user has an S/Key key, the response from a successful USER command will include an S/Key challenge. The client may choose to respond with a PASS command giving either a standard password or an S/Key one-time password. The server will automatically determine which type of password it has been given and attempt to authenticate accordingly. See key(1) for more information on S/Key authentication. S/Key is a Trademark of Bellcore.

2. The login name must not appear in the file /etc/ftpusers.

3. The login name must not be a member of a group specified in the file /etc/ftpusers. Entries in this file interpreted as group names are prefixed by an "at" `@' sign.

4. The user must have a standard shell returned by getusershell(3).

5. If the user name appears in the file /etc/ftpchroot, or the user is a member of a group with a group entry in this file, i.e. one prefixed with `@', the session's root will be changed to the user's login directory by chroot(2) as for an ``anonymous'' or ``ftp'' account (see next item). This facility may also be triggered by enabling the boolean "ftp-chroot" capability in login.conf(5). However, the user must still supply a password. This feature is intended as a compromise between a fully anonymous account and a fully privileged account. The account should also be set up as for an anonymous account.

6. If the user name is ``anonymous'' or ``ftp'', an anonymous ftp account must be present in the password file (user ``ftp''). In this case the user is allowed to log in by specifying any password (by convention an email address for the user should be used as the password). When the -S option is set, all transfers are logged as well.

In the last case, ftpd takes special measures to restrict the client's access privileges. The server performs a chroot(2) to the home directory of the ``ftp'' user. In order that system security is not breached, it is recommended that the ``ftp'' subtree be constructed with care, following these rules:
I hope this gives you some more info.
Brent Rector
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 5/25/01, 7:15:13 PM, "RDWest Sr." <bsd-noob@home.com> wrote regarding Re: Permissions Problem (need help):
> ----- Original Message -----
> From: "Brent Rector" <brent@justbrent.net>
> To: "RDWest" <bsd-noob@home.com>
> Sent: Friday, May 25, 2001 9:50 PM
> Subject: Re: Permissions Problem (need help)
> Hi There,
> I think what you really want to do to prevent FTPers from wandering your
> hard drive is to look at
> man ftpchroot
> Create a text file in /etc called ftpchroot and add either the users and
> or groups to it, and their particular root "/" directory will be
> restricted to their own particular home directory.
> -----------------------------------------------
> there is no listing on ftpchroot in my man pages
> i'm using the default ftp that came with standard install
> could you plz give me an example format?
> usr1 /usr/local/www/usr1
> usr2 /usr/local/www/usr2 ? ?
> tx
> -----------------------------------------------
> What the above file does, is restricts "defined" users or groups to their
> own little areas, it prevents them from wandering...
> I originally tried what you did, and it completely confused me for days.
> I hope the above helps.
> Brent Rector
> justbrent.net
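The following is an added example, not code from this thread or from FreeBSD's ftpd. It models the user/@group file format Brent describes and the six numbered rules quoted from ftpd(8) above, so you can see which of the two files wins for a given login and whether the session ends up chrooted. The /etc/passwd, /etc/group, /etc/shells, /etc/ftpusers and /etc/ftpchroot contents are constructed sample data; treating lines beginning with `#` as comments and the S/Key branch being skipped are assumptions of this model, not something the quoted man page states.

```python
"""Model of ftpd's login decision over /etc/ftpusers and /etc/ftpchroot.

Added example (not ftpd source). Sample data below is constructed and
stands in for the real /etc files. S/Key challenges are not modelled.
"""

# Constructed stand-in for /etc/passwd: name -> (password field, gid, home, shell)
PASSWD = {
    "brent":  ("$1$xyz$hashed", 1001, "/home/brent",         "/bin/sh"),
    "bob":    ("$1$abc$hashed", 1002, "/home/bob",           "/bin/csh"),
    "usr1":   ("$1$def$hashed", 1003, "/usr/local/www/usr1", "/bin/sh"),
    "alice":  ("$1$mno$hashed", 1008, "/home/alice",         "/bin/sh"),
    "guest":  ("",              1004, "/home/guest",         "/bin/sh"),   # null password
    "backup": ("$1$ghi$hashed", 1005, "/var/backup",         "/usr/sbin/nologin"),
    "cvs":    ("$1$pqr$hashed", 1009, "/home/cvs",           "/usr/sbin/nologin"),
    "root":   ("$1$jkl$hashed", 0,    "/root",               "/bin/sh"),
    "ftp":    ("*",             1006, "/var/ftp",            "/usr/sbin/nologin"),
}
# Constructed stand-in for /etc/group: name -> (gid, supplementary members)
GROUP = {
    "wheel": (0,    ["root", "brent"]),
    "users": (1000, ["bob", "usr1"]),
    "webs":  (1007, ["usr1"]),
}
# Constructed stand-in for /etc/shells, which getusershell(3) reads
SHELLS = ["/bin/sh", "/bin/csh"]

# Constructed /etc/ftpusers: logins and groups denied outright (rules 2 and 3)
FTPUSERS_FILE = """\
# deny these (comment handling is an assumption of this model)
root
@wheel
backup
"""
# Constructed /etc/ftpchroot: logins and groups confined to $HOME (rule 5)
FTPCHROOT_FILE = """\
usr1
@users
"""


def parse_acl(text):
    """Split a user/@group file into (user names, group names)."""
    users, groups = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            groups.add(line[1:])
        else:
            users.add(line)
    return users, groups


def in_group(user, group):
    """True if the user's primary gid matches or the user is listed as a member."""
    if group not in GROUP or user not in PASSWD:
        return False
    gid, members = GROUP[group]
    return PASSWD[user][1] == gid or user in members


def listed(user, acl):
    """True if the user matches a user entry or any @group entry of the file."""
    users, groups = acl
    return user in users or any(in_group(user, g) for g in groups)


def ftp_login(user):
    """Return ("deny", reason) or ("allow", chroot_dir); chroot_dir is None
    when the session is not confined."""
    if user in ("anonymous", "ftp"):                       # rule 6
        if "ftp" not in PASSWD:
            return ("deny", "no ftp account in password file")
        return ("allow", PASSWD["ftp"][2])                 # always chrooted
    if user not in PASSWD:                                 # rule 1, part 1
        return ("deny", "unknown user")
    pw_field, _gid, home, shell = PASSWD[user]
    if pw_field == "":                                     # rule 1, part 2
        return ("deny", "null password")
    if listed(user, parse_acl(FTPUSERS_FILE)):             # rules 2 and 3
        return ("deny", "listed in /etc/ftpusers")
    if shell not in SHELLS:                                # rule 4
        return ("deny", "shell not returned by getusershell(3)")
    if listed(user, parse_acl(FTPCHROOT_FILE)):            # rule 5
        return ("allow", home)
    return ("allow", None)                                 # full filesystem view


if __name__ == "__main__":
    for name in ["brent", "bob", "usr1", "alice", "guest", "backup", "cvs",
                 "root", "anonymous", "nobody"]:
        print(f"{name:10} -> {ftp_login(name)}")
```

Note that ordering matters: a login that is both in /etc/ftpusers and in /etc/ftpchroot is simply refused, and a group entry such as `@wheel` in ftpusers catches members by primary gid as well as by the member list. The rule 6 branch here only checks that the `ftp` account exists; real ftpd applies further restrictions to the anonymous tree that the quoted excerpt cuts off at "following these rules:".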
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
