From owner-freebsd-questions Thu Sep 16 3:25:28 1999
Message-ID: <37E0EFD9.8EA36C51@ispro.net.tr>
Date: Thu, 16 Sep 1999 13:25:46 +0000
From: Evren Yurtesen
To: Sheldon Hearn
Cc: Ferhat Doruk, freebsd-questions@FreeBSD.ORG
Subject: Re: FTP Servers
References: <58008.937476478@axl.noc.iafrica.com>

Is it possible to limit bandwidth usage for anonymous users? And also, is
it possible to have different kinds of access lists? For example, I do not
want any file to be downloaded from the /etc directory even if that person
can see that directory. Is this possible with the standard ftpd which
comes with FreeBSD?

Evren

Sheldon Hearn wrote:

> On Thu, 16 Sep 1999 11:20:51 +0300, Ferhat Doruk wrote:
>
> > We are running FreeBSD 3.2 to host our customers' web sites. Some of
> > our customers use FTP to update their sites by using FreeBSD's ftpd.
> > ftpd uses system users and all users can see all hierarchy and all
> > readable files. We don't want this; instead, let users see only
> > their web sites' directories and contents.
>
> I expect your users do not have shell logins on the machine. In other
> words, their login shell is something like /sbin/nologin . All you need
> to do is make use of ftpd's existing behaviour, specifically its chroot
> feature:
>
> The manpage for ftpd(8) says this:
>
>      4.   The user must have a standard shell returned by
>           getusershell(3).
>
>      5.   If the user name appears in the file /etc/ftpchroot, or the
>           user is a member of a group with a group entry in this file,
>           i.e. one prefixed with `@', the session's root will be changed
>           to the user's login directory by chroot(2).
>
> So the first thing you're going to need to do is make sure that
> /sbin/nologin (or whatever you use to provide user accounts with no
> shell access) is in /etc/shells.
>
> Now, it's not a good idea to put /sbin/nologin in your /etc/shells
> directory. So what you should do is create a copy of /sbin/nologin in
> /usr/local/sbin, calling it something like ftp-nologin .
>
> You then need to use vipw(8) to change the login shells for all your
> ftp users to /usr/local/sbin/ftp-nologin or whatever you choose.
>
> While you're in vipw(8), you should also change the home directories
> of your users to point to whatever directory hierarchy they should be
> limited to. It's probably something like /usr/local/www/somecompany .
>
> Now all you have to do is add the users (or their group, if they're all
> in the same group) to /etc/ftpchroot . See the ftpd(8) manpage for more
> details.
>
> Of course, what I've suggested isn't particularly manageable. In future,
> you'll have to add every user to ftpchroot after adding him or her with
> adduser or whatever.
>
> However, what you _can_ do is create a login class (not the same thing
> as a group) which has the ftp-chroot capability enabled. Then, when you
> add new users for whom this whole shebang is relevant, you assign them
> to that login class you've created, making sure to give them the right
> home directory and login shell, and hey presto. :-)
>
> > Is there any good and secure FTP server program which uses its own
> > user database to authenticate users and permits exact directories and
> > files?
>
> Hopefully the advice above is enough to convince you that FreeBSD's
> stock standard ftpd is enough for what you want to do. You'll notice, if
> you follow security lists, that more security vulnerabilities tend to
> be discovered in the 3rd-party ftp daemons than in FreeBSD's own
> offering.
>
> Ciao,
> Sheldon.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
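
The setup described in the quoted reply depends on three files staying in step (the login shell listed in /etc/shells, the account or its group listed in /etc/ftpchroot, and a home directory that is the intended jail), so the script below audits them together; it is an added example, not part of the original thread or of FreeBSD. The function name, the FTP_SHELL variable, the finding labels and the sample accounts are hypothetical, and it assumes a user counts as a member of an `@group` entry through either the group's member list or the user's primary gid.

```sh
#!/bin/sh
# Added example (not from the thread). Assumption: FTP-only accounts are the
# ones whose login shell is $FTP_SHELL, the copy of nologin suggested above.
FTP_SHELL="${FTP_SHELL:-/usr/local/sbin/ftp-nologin}"
# audit_ftp_chroot PASSWD GROUP SHELLS FTPCHROOT: prints one finding per line
audit_ftp_chroot() {
    awk -F: -v ftpsh="$FTP_SHELL" -v grp="$2" -v shells="$3" -v chr="$4" '
    BEGIN {
        while ((getline l < shells) > 0) {      # /etc/shells, "#" comments
            sub(/#.*/, "", l); gsub(/[ \t]/, "", l)
            if (l != "") listed[l] = 1
        }
        while ((getline l < chr) > 0) {         # user names or @group
            sub(/#.*/, "", l); sub(/^[ \t]+/, "", l); sub(/[ \t].*/, "", l)
            if (l ~ /^@/) chgrp[substr(l, 2)] = 1
            else if (l != "") chuser[l] = 1
        }
        while ((getline l < grp) > 0) {         # expand the @group entries
            split(l, g, ":")
            if (!(g[1] in chgrp)) continue
            chgid[g[3]] = 1                     # assumption: primary gid counts
            m = split(g[4], mem, ",")
            for (i = 1; i <= m; i++) chuser[mem[i]] = 1
        }
        if (!(ftpsh in listed)) print "SHELL-NOT-LISTED " ftpsh
    }
    $7 != ftpsh { next }                        # not an FTP-only account
    !($1 in chuser) && !($4 in chgid) { print "NOT-CHROOTED " $1; next }
    $6 == "/" { print "HOME-IS-ROOT " $1 }      # chroot would confine nothing
    ' "$1"
}
# Constructed sample: alice is listed by name, bob via @webftp, carol is
# missing from ftpchroot, dave is listed but has "/" as home directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' /bin/sh "$FTP_SHELL" > "$d/shells"
    printf '%s\n' '# ftp-only customers' alice @webftp dave > "$d/ftpchroot"
    printf '%s\n' 'wheel:*:0:root' 'webftp:*:2000:bob' > "$d/group"
    cat > "$d/passwd" <<EOF
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1001:1001:A:/usr/local/www/alice:$FTP_SHELL
bob:*:1002:1002:B:/usr/local/www/bob:$FTP_SHELL
carol:*:1003:1003:C:/usr/local/www/carol:$FTP_SHELL
dave:*:1004:1004:D:/:$FTP_SHELL
EOF
    audit_ftp_chroot "$d/passwd" "$d/group" "$d/shells" "$d/ftpchroot"
    rm -rf "$d"
}
demo
```

On a live system the call would be `audit_ftp_chroot /etc/passwd /etc/group /etc/shells /etc/ftpchroot`; accounts placed in a login class with the ftp-chroot capability are not covered by this check.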