Date: Wed, 22 Aug 2001 16:17:54 -0400
From: "Chuck O'Donnell" <cao@bus.net>
To: Shannon Wheeler <swheeler@mce.ab.ca>
Cc: freebsd-questions@freebsd.org
Subject: Re: user management
Message-ID: <20010822161754.D22666@bus.net>
In-Reply-To: <002d01c129ce$b9545c80$0d00a8c0@mshome.net>; from swheeler@mce.ab.ca on Mon, Aug 20, 2001 at 05:20:38PM -0600
References: <002d01c129ce$b9545c80$0d00a8c0@mshome.net>
On Mon, Aug 20, 2001 at 05:20:38PM -0600, Shannon Wheeler wrote:
> OK, I hate to bug you people but...
>
> I want to create a user and allow him ftp access to a specific directory
> (/usr/local/www/data/userspage)
>
> I can make a symbolic link to that directory under the user's home
> directory - is this the best way to do this?
>
> What should I set the user's login shell to?
> and
> How do I limit the user's access to only that directory?
>

I'm not sure how everyone else does it, but I use the following scheme for
ftp-only users:

1) Add an entry to /etc/login.conf with the `ftp-chroot' as described in
   ftpd(8). I think I started with one of the other entries as a template
   and added ``:ftp-chroot:\''. I also added a "mailuser" entry for people
   who can just get POP email. See login.conf(5) and getcap(3) for the
   syntax of login.conf.

2) Rebuild /etc/login.conf.db with cap_mkdb(1): ``cap_mkdb /etc/login.conf''

3) Create the user, or edit an existing user, and set their login class to
   ``ftponly''. You'll need to use ``vipw'' or maybe
   ``pw user mod ${username} -L ftponly'' (untested, play around to see if
   it works, and see pw(8)).

4) I hard-linked /sbin/nologin to /sbin/ftponly and listed /etc/ftponly in
   /etc/shells for ftpd to see they have a "valid" shell.

5) Set the user's home directory to the directory they should be limited
   to, e.g., using your example, /usr/local/www/data/userspage.

The end result is that the user can ftp to the machine, but they are
chrooted to their home directory, and they cannot log into the machine with
an interactive shell with ssh or telnet.

For mail users, I use a similar setup, but set their shell to /sbin/nologin
and their class to ``mailuser'' (just sets some limits for quotas, etc).
This limits ftp as well as interactive login since /sbin/nologin is not in
/etc/shells.

Chuck

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
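The scheme in Chuck's reply hinges on two files agreeing with each other: the login class in /etc/login.conf must carry the ftp-chroot capability, and the account's shell must be listed in /etc/shells for ftpd(8) to accept the login (while /sbin/nologin stays out of it). The POSIX sh script below is an added example, not part of the original mail or of FreeBSD; it writes constructed copies of both files to a temporary directory (the class names ftponly and mailuser are taken from the mail, the other capability values are assumed) and audits them the way the steps above require. The real cap_mkdb(1) and pw(8) commands appear only as comments, since the script works on the copies and never touches the live system.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds constructed copies of
# /etc/login.conf and /etc/shells under a temp dir and checks them against
# the ftp-only scheme from the thread. All values below are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed login.conf: getcap(3) format, one logical record per class,
# continuation lines end in a backslash. ftponly carries ftp-chroot so
# ftpd(8) chroots the user to $HOME; mailuser only tightens some limits.
cat > "$WORK/login.conf" <<'EOF'
default:\
	:passwd_format=md5:\
	:welcome=/etc/motd:\
	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
	:umask=022:

ftponly:\
	:ftp-chroot:\
	:tc=default:

mailuser:\
	:maxproc=16:\
	:openfiles=64:\
	:tc=default:
EOF
# On the live system this would be followed by:  cap_mkdb /etc/login.conf

# Constructed /etc/shells: the hard link /sbin/ftponly (step 4) is listed so
# ftpd accepts the account; /sbin/nologin is deliberately absent, which is
# what blocks ftp for the mailuser accounts.
cat > "$WORK/shells" <<'EOF'
/bin/sh
/bin/csh
/sbin/ftponly
EOF

# class_has_cap FILE CLASS CAP
# Returns 0 if CLASS's record in FILE (continuation lines joined) contains
# the boolean capability CAP, 1 otherwise. Mirrors how getcap splits fields
# on ':' after joining backslash-continued lines.
class_has_cap() {
    awk -v cls="$2" -v cap="$3" '
        /\\$/ { sub(/\\$/, ""); rec = rec $0; next }   # join continued line
        {
            rec = rec $0
            n = split(rec, f, ":")
            if (f[1] == cls)
                for (i = 2; i <= n; i++) if (f[i] == cap) found = 1
            rec = ""
        }
        END { exit found ? 0 : 1 }' "$1"
}

# shell_allowed FILE SHELL
# Returns 0 if SHELL appears as a whole line in an /etc/shells-style FILE.
shell_allowed() {
    grep -qx -- "$2" "$1"
}

# Audit the constructed files exactly as the scheme expects them to look.
# On the live system the account itself would be set up with something like:
#   pw user mod "$username" -L ftponly -s /sbin/ftponly -d /usr/local/www/data/userspage
if class_has_cap "$WORK/login.conf" ftponly ftp-chroot; then
    echo "ftponly: ftp-chroot present (ftpd will chroot to \$HOME)"
fi
if shell_allowed "$WORK/shells" /sbin/ftponly; then
    echo "/sbin/ftponly listed in shells: ftp logins accepted"
fi
if ! shell_allowed "$WORK/shells" /sbin/nologin; then
    echo "/sbin/nologin not in shells: mailuser accounts get no ftp"
fi
```

Point the two functions at the real /etc/login.conf and /etc/shells to check a host after following the steps; a class that lacks ftp-chroot, or a shell missing from /etc/shells, is the usual reason the chroot does not take effect or ftpd rejects the login.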