Date: Thu, 16 Sep 1999 13:25:46 +0000
From: Evren Yurtesen <yurtesen@ispro.net.tr>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: Ferhat Doruk <ferhat@ihlas.com.tr>, freebsd-questions@FreeBSD.ORG
Subject: Re: FTP Servers
Message-ID: <37E0EFD9.8EA36C51@ispro.net.tr>
References: <58008.937476478@axl.noc.iafrica.com>

Is it possible to limit bandwidth usage for anonymous users? And is it
also possible to have different kinds of access lists? For example, I do
not want any file to be downloaded from the /etc directory even if that
person can see that directory... Is this possible with the standard ftpd
which comes with FreeBSD?

Evren

Sheldon Hearn wrote:

> On Thu, 16 Sep 1999 11:20:51 +0300, Ferhat Doruk wrote:
>
> > We are running FreeBSD 3.2 to host our customer's web sites. Some of
> > our customers use FTP to update their sites by using FreeBSD's ftpd.
> > ftpd uses system users and all users can see all hierarchy and all
> > readable files. We don't want this, instead let users see only
> > their web sites' directories and contents.
>
> I expect your users do not have shell logins on the machine. In other
> words, their login shell is something like /sbin/nologin . All you need
> to do is make use of ftpd's existing behaviour, specifically its chroot
> feature:
>
> The manpage for ftpd(8) says this:
>
>      4.   The user must have a standard shell returned by
>           getusershell(3).
>
>      5.   If the user name appears in the file /etc/ftpchroot, or the
>           user is a member of a group with a group entry in this file,
>           i.e. one prefixed with `@', the session's root will be changed
>           to the user's login directory by chroot(2).
>
> So the first thing you're going to need to do is make sure that
> /sbin/nologin (or whatever you use to provide user accounts with no
> shell access) is in /etc/shells.
>
> Now, it's not a good idea to put /sbin/nologin in your /etc/shells
> directory. So what you should do is create a copy of /sbin/nologin in
> /usr/local/sbin, calling it something like ftp-nologin .
>
> You then need to use vipw(8) to change the login shells for all your
> ftp users to /usr/local/sbin/ftp-nologin or whatever you choose.
>
> While you're in vipw(8), you should also change the home directories
> of your users to point to whatever directory hierarchy they should be
> limited to. It's probably something like /usr/local/www/somecompany .
>
> Now all you have to do is add the users (or their group, if they're all
> in the same group) to /etc/ftpchroot . See the ftpd(8) manpage for more
> details.
>
> Of course, what I've suggested isn't particularly manageable. In future,
> you'll have to add every user to ftpchroot after adding him or her with
> adduser or whatever.
>
> However, what you _can_ do is create a login class (not the same thing
> as a group) which has the ftp-chroot capability enabled. Then, when you
> add new users for whom this whole shebang is relevant, you assign them
> to that login class you've created, making sure to give them the right
> home directory and login shell, and hey presto. :-)
>
> > Is there any good and secure FTP server program which uses its own
> > user database to authenticate users and permits exact directories and
> > files?
>
> Hopefully the advice above is enough to convince you that FreeBSD's
> stock standard ftpd is enough for what you want to do. You'll notice, if
> you follow security lists, that more security vulnerabilities tend to
> be discovered in the 3rd-party ftp daemons than in FreeBSD's own
> offering.
>
> Ciao,
> Sheldon.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
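
The setup described in the quoted reply above (FTP-only shell listed in /etc/shells, accounts named in /etc/ftpchroot directly or through an `@group` entry) can be checked with a small audit script. This is an added example, not part of the thread: the account names and sample files are constructed, and it assumes 7-field passwd(5) lines and that an `@group` entry covers both primary-group and listed members.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes 7-field passwd(5) lines and that
# "@group" in ftpchroot matches a primary gid or a listed group member.
# audit_ftp PASSWD GROUP SHELLS FTPCHROOT FTPSHELL -> "user status home"
audit_ftp() {
    awk -F: -v grp="$2" -v shells="$3" -v chroot="$4" -v ftpsh="$5" '
    BEGIN {
        while ((getline l < shells) > 0) ok[l] = 1      # getusershell(3) list
        while ((getline l < chroot) > 0) {              # names and @group entries
            if (l == "" || l ~ /^#/) continue
            if (substr(l, 1, 1) == "@") cg[substr(l, 2)] = 1; else cu[l] = 1
        }
        while ((getline l < grp) > 0) {                 # name:pw:gid:members
            split(l, f, ":")
            if (!(f[1] in cg)) continue
            cgid[f[3]] = 1
            m = split(f[4], mem, ",")
            for (i = 1; i <= m; i++) cu[mem[i]] = 1
        }
    }
    $7 == ftpsh {
        if (!(ftpsh in ok)) st = "SHELL-NOT-IN-SHELLS"  # fails manpage rule 4
        else if (($1 in cu) || ($4 in cgid)) st = "chrooted"
        else st = "NOT-CHROOTED"                        # sees the whole hierarchy
        print $1, st, $6
    }' "$1"
}

# Constructed sample files so the check runs offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/bin/sh' '/usr/local/sbin/ftp-nologin' > "$d/shells"
    printf '%s\n' 'alice' '@webftp' > "$d/ftpchroot"
    printf '%s\n' 'webftp:*:2000:carol' 'staff:*:20:' > "$d/group"
    cat > "$d/passwd" <<'EOF'
alice:*:1001:20:Alice:/usr/local/www/alpha:/usr/local/sbin/ftp-nologin
bob:*:1002:2000:Bob:/usr/local/www/beta:/usr/local/sbin/ftp-nologin
carol:*:1003:20:Carol:/usr/local/www/gamma:/usr/local/sbin/ftp-nologin
dave:*:1004:20:Dave:/usr/local/www/delta:/usr/local/sbin/ftp-nologin
erin:*:1005:20:Erin:/home/erin:/bin/sh
EOF
    audit_ftp "$d/passwd" "$d/group" "$d/shells" "$d/ftpchroot" /usr/local/sbin/ftp-nologin
    rm -rf "$d"
}
demo
```

On a live host the arguments would be /etc/passwd, /etc/group, /etc/shells and /etc/ftpchroot; any account reported as NOT-CHROOTED still has the unrestricted view the original question complains about.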