Date: Fri, 12 Oct 2001 21:45:15 -0400 (EDT)
From: Igor Roshchin <str@giganda.komkon.org>
To: mudman@r181172.resnet.ucsb.edu, rsimmons@wlcg.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Only an ftp account
Message-ID: <200110130145.f9D1jFi92242@giganda.komkon.org>
In-Reply-To: <20011012134241.W29795-100000@mail.wlcg.com>
> From owner-freebsd-security@FreeBSD.ORG Fri Oct 12 13:46:09 2001
> Date: Fri, 12 Oct 2001 13:45:28 -0400 (EDT)
> From: Rob Simmons <rsimmons@wlcg.com>
> To: Dave <mudman@r181172.resnet.ucsb.edu>
> Cc: <freebsd-security@FreeBSD.ORG>
> Subject: Re: Only an ftp account
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> pw useradd -n <name> -w no -s /sbin/nologin
>
> You may also want to add that user to /etc/ftpchroot which will chroot
> them to their home directory. You should also make sure that
> /sbin/nologin is in /etc/shells.
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Fri, 12 Oct 2001, Dave wrote:
>
> > How would I be able to give an account to someone where they can only
> > login and use FTP? Shell interpreters, sendmail, and virtually all the
> > other parts of the system should not be at their disposal.
> >
> > How does one accomplish the creation of such an 'ftp-locked' account?
> >
> > I've heard some discussion about jails, but man jail(1) and jail(2) only
> > talk about freezing a process, so I think this might not be the solution I
> > need.
> >
> > Thanks.
>

Let me just point out that just changing the shell to /sbin/nologin or any
other similar shell will only prevent the user from telnet/rlogin/ssh logins.
This, however, will not prevent that user from receiving e-mail if sendmail is
running, especially if the shell is in /etc/shells (I think the default
configuration of sendmail checks for a valid shell in /etc/shells). Also, it
doesn't prevent the user from using a pop client if popd is enabled. Having the
ability to receive e-mail and to download files via ftp provides the user with
the capability of running most if not all commands on the computer (just think
what one can use in .forward). This is what is very often forgotten.
The way around that is probably to use a chrooted environment + an empty
.forward and the user's home directory both owned by root + some special
arrangements to prevent the user from using popd/imapd services... + ....
However, don't take this as advice on a complete set of measures.

Hope this helps...

Igor
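As an added example (not part of the thread, and not a FreeBSD tool), the
following POSIX sh function audits an account against the measures the two
replies above describe: a /sbin/nologin shell that is nevertheless listed in
/etc/shells (ftpd wants it there), the user listed in /etc/ftpchroot, and an
empty .forward and home directory that the user does not own and cannot
rewrite. It reads etc/passwd, etc/shells and etc/ftpchroot under a prefix
directory so it can be run against constructed sample files; on a live host
the prefix is "/". The function name, the ROOTDIR/EXPECTED_OWNER parameters
and the sample contents are assumptions made for this illustration. The
expected owner defaults to root, as in Igor's setup, but is a parameter so
the check can be exercised without privileges.

```shell
#!/bin/sh
# Added example: audit an "FTP-only" account against the hardening points
# raised in the thread. Not part of the original messages; file layout under
# ROOTDIR mirrors a FreeBSD system (etc/passwd, etc/shells, etc/ftpchroot,
# and the home directory named in passwd).

# Owner of a path as printed by ls(1); portable across BSD and Linux.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# audit_ftp_only_user ROOTDIR USER [EXPECTED_OWNER]
#   ROOTDIR        prefix under which etc/ and the home directory live ("/" on a host)
#   USER           login name to check
#   EXPECTED_OWNER account that should own ~USER and ~USER/.forward (default: root)
# Returns 0 when every check passes; prints one line per failed check and
# returns 1 otherwise.
audit_ftp_only_user() {
    root=${1%/}; user=$2; want_owner=${3:-root}; fail=0
    passwd="$root/etc/passwd"

    # 1. The login shell must be a non-interactive shell such as /sbin/nologin.
    shell=$(awk -F: -v u="$user" '$1 == u {print $7}' "$passwd")
    case "$shell" in
        */nologin) ;;
        *) echo "FAIL: shell of $user is '${shell:-<none>}', expected /sbin/nologin"; fail=1 ;;
    esac

    # 2. ftpd only admits users whose shell is listed in /etc/shells.
    if [ -z "$shell" ] || ! grep -qx "$shell" "$root/etc/shells" 2>/dev/null; then
        echo "FAIL: '$shell' is not listed in /etc/shells"; fail=1
    fi

    # 3. Listing the user in /etc/ftpchroot makes ftpd chroot to the home directory.
    if ! grep -qx "$user" "$root/etc/ftpchroot" 2>/dev/null; then
        echo "FAIL: $user is not listed in /etc/ftpchroot"; fail=1
    fi

    # 4. An empty .forward that the user cannot modify means incoming mail
    #    cannot be turned into command execution via that file.
    home=$(awk -F: -v u="$user" '$1 == u {print $6}' "$passwd")
    fwd="$root$home/.forward"
    if [ ! -f "$fwd" ]; then
        echo "FAIL: $fwd does not exist"; fail=1
    else
        [ -s "$fwd" ] && { echo "FAIL: $fwd is not empty"; fail=1; }
        [ "$(owner_of "$fwd")" = "$want_owner" ] || { echo "FAIL: $fwd is not owned by $want_owner"; fail=1; }
        # Permission string without the leading type character, e.g. rw-r--r--;
        # a 'w' at position 5 or 8 means group- or world-writable.
        case "$(ls -ld "$fwd" | cut -c2-10)" in
            ????w*|???????w*) echo "FAIL: $fwd is group- or world-writable"; fail=1 ;;
        esac
    fi

    # 5. The home directory itself must not be owned by the user, or the
    #    user could simply replace .forward with a new file.
    [ -d "$root$home" ] || { echo "FAIL: home directory $home missing"; return 1; }
    [ "$(owner_of "$root$home")" = "$want_owner" ] || { echo "FAIL: $home is not owned by $want_owner"; fail=1; }

    return $fail
}

# Usage on a live host (as a user allowed to read the files):
#   audit_ftp_only_user / ftponly root
```

Each failed check prints one line, so the function doubles as a quick
post-provisioning report; the chroot and .forward checks are independent, so
a missing ftpchroot entry is reported even when the mail side is correct.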