Date:      Thu, 16 Sep 1999 12:07:58 +0200
From:      Sheldon Hearn <sheldonh@uunet.co.za>
To:        Ferhat Doruk <ferhat@ihlas.com.tr>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: FTP Servers 
Message-ID:  <58008.937476478@axl.noc.iafrica.com>
In-Reply-To: Your message of "Thu, 16 Sep 1999 11:20:51 +0300." <D198B5D2A924D3119444006067337D63350955@imail> 



On Thu, 16 Sep 1999 11:20:51 +0300, Ferhat Doruk wrote:

> We are running FreeBSD 3.2 to host our customer's web sites. Some of
> our customers use FTP to update their sites by using FreeBSD's ftpd.
> ftpd uses system users and all users can see all hierarchy and all
> readable files. We don't want this, instead let users can see only
> their web sites' directories and contents.

I expect your users do not have shell logins on the machine. In other
words, their login shell is something like /sbin/nologin . All you need
to do is make use of ftpd's existing behaviour, specifically its chroot
feature:

The manpage for ftpd(8) says this:

   4.   The user must have a standard shell returned by
        getusershell(3).

   5.   If the user name appears in the file /etc/ftpchroot, or the
        user is a member of a group with a group entry in this file,
        i.e. one prefixed with `@', the session's root will be changed
        to the user's login directory by chroot(2).

So the first thing you're going to need to do is make sure that
/sbin/nologin (or whatever you use to provide user accounts with no
shell access) is in /etc/shells.

Now, it's not a good idea to put /sbin/nologin in your /etc/shells
directory.  So what you should do is create a copy of /sbin/nologin in
/usr/local/sbin, calling it something like ftp-nologin .

You then need to use vipw(8) to change the login shells for all your
ftp users to /usr/local/sbin/ftp-nologin or whatever you choose.

While you're in vipw(8), you should also change the home directories
of your users to point to whatever directory hierarchy they should be
limited to. It's probably something like /usr/local/www/somecompany .

Now all you have to do is add the users (or their group, if they're all
in the same group) to /etc/ftpchroot .  See the ftpd(8) manpage for more
details.

Of course, what I've suggested isn't particularly manageable. In future,
you'll have to add every user to ftpchroot after adding him or her with
adduser or whatever.

However, what you _can_ do is create a login class (not the same thing
as a group) which has the ftp-chroot capability enabled. Then, when you
add new users for whom this whole shebang is relevant, you assign them
to that login class you've created, making sure to give them the right
home directory and login shell, and hey presto. :-)

> Is there any good and secure FTP server program which uses its own
> user database to authenticate users and permits exact directories and
> files?

Hopefully the advice above is enough to convince you that FreeBSD's
stock standard ftpd is enough for what you want to do. You'll notice, if
you follow security lists, that more security vulnerabilities tend to
be discovered in the 3rd-party ftp daemons than in FreeBSD's own
offering.

Ciao,
Sheldon.
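The steps in Sheldon's reply (a private nologin copy listed in /etc/shells, the home directory under the web tree, and an entry for the user or its @group in /etc/ftpchroot) are easy to get half right, with the result that a user either cannot log in at all or logs in unchrooted. The script below is an added example, not part of the original mail or of FreeBSD: it stages the set-up into a scratch root (ROOT, a temporary directory by default) and then evaluates each account against the two ftpd(8) rules quoted above. The account names, the master.passwd and group contents, and the stand-in nologin script are constructed for the example; the shell name /usr/local/sbin/ftp-nologin is the one suggested in the reply. The login-class variant is not covered.

```shell
#!/bin/sh
# Added example (not from the original mail): stage the ftpd chroot set-up in a
# scratch root and check each user the way ftpd(8) rules 4 and 5 would.
ROOT="${ROOT:-$(mktemp -d)}"               # set ROOT=/ only after reviewing
FTP_SHELL="/usr/local/sbin/ftp-nologin"    # shell name chosen in the reply

# Constructed staging data; field order matches FreeBSD master.passwd:
# user:passwd:uid:gid:class:change:expire:gecos:home:shell
stage() {
    mkdir -p "$ROOT/etc" "$ROOT/sbin" "$ROOT/usr/local/sbin" \
             "$ROOT/usr/local/www/somecompany" "$ROOT/usr/local/www/othercorp"
    # stand-in for /sbin/nologin so the example also runs off FreeBSD
    printf '#!/bin/sh\necho "This account is currently not available."\nexit 1\n' \
        > "$ROOT/sbin/nologin"
    chmod 555 "$ROOT/sbin/nologin"
    printf '# valid login shells\n/bin/sh\n/bin/csh\n' > "$ROOT/etc/shells"
    : > "$ROOT/etc/ftpchroot"
    cat > "$ROOT/etc/master.passwd" <<EOF
somecompany:*:1001:1001::0:0:Some Company:/usr/local/www/somecompany:$FTP_SHELL
othercorp:*:1002:1003::0:0:Other Corp:/usr/local/www/othercorp:$FTP_SHELL
admin:*:1000:1000::0:0:Admin:/home/admin:/bin/sh
legacy:*:1004:1001::0:0:Old FTP account:/usr/local/www/legacy:/sbin/nologin
EOF
    printf 'wheel:*:0:admin\nsomecompany:*:1001:\nwebftp:*:1003:othercorp\n' \
        > "$ROOT/etc/group"
}

# Step 1: a private copy of nologin for FTP-only accounts, listed in
# /etc/shells so getusershell(3) accepts it, without listing /sbin/nologin.
install_ftp_shell() {
    cp "$ROOT/sbin/nologin" "$ROOT$FTP_SHELL"
    chmod 555 "$ROOT$FTP_SHELL"
    grep -qxF "$FTP_SHELL" "$ROOT/etc/shells" || echo "$FTP_SHELL" >> "$ROOT/etc/shells"
}

# Step 2: add a user name or @group to /etc/ftpchroot exactly once.
add_ftpchroot() {
    grep -qxF "$1" "$ROOT/etc/ftpchroot" || echo "$1" >> "$ROOT/etc/ftpchroot"
}

# Every group user $1 belongs to: primary gid plus /etc/group member lists.
groups_of() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$ROOT/etc/master.passwd")
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' \
        "$ROOT/etc/group"
}

# Apply ftpd(8) rules 4 and 5 to user $1 and print one word:
#   refused  - shell not in /etc/shells, ftpd rejects the login (rule 4)
#   open     - login allowed but not chrooted: sees the whole tree (rule 5 unmet)
#   chrooted - user or one of its groups is listed in /etc/ftpchroot (rule 5)
ftp_access() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $10 }' "$ROOT/etc/master.passwd")
    [ -n "$shell" ] || { echo refused; return 1; }
    grep -v '^#' "$ROOT/etc/shells" | grep -qxF "$shell" || { echo refused; return 1; }
    if grep -qxF "$1" "$ROOT/etc/ftpchroot"; then echo chrooted; return 0; fi
    for g in $(groups_of "$1"); do
        if grep -qxF "@$g" "$ROOT/etc/ftpchroot"; then echo chrooted; return 0; fi
    done
    echo open; return 2
}

stage
install_ftp_shell
add_ftpchroot somecompany      # a single user
add_ftpchroot @webftp          # a whole group, as the reply suggests
for u in somecompany othercorp admin legacy; do
    printf '%-12s %s\n' "$u" "$(ftp_access "$u")"
done
```

Run as is, the listing shows somecompany and othercorp chrooted (the latter through @webftp), admin logged in but unchrooted (the situation the question complains about), and legacy refused because /sbin/nologin is not in /etc/shells, which is why the reply insists on the separate ftp-nologin entry.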

