Date: Wed, 22 Aug 2001 16:17:54 -0400
From: "Chuck O'Donnell"
To: Shannon Wheeler
Cc: freebsd-questions@freebsd.org
Subject: Re: user management
Message-ID: <20010822161754.D22666@bus.net>
In-Reply-To: <002d01c129ce$b9545c80$0d00a8c0@mshome.net>; from swheeler@mce.ab.ca on Mon, Aug 20, 2001 at 05:20:38PM -0600

On Mon, Aug 20, 2001 at 05:20:38PM -0600, Shannon Wheeler wrote:
> OK, I hate to bug you people but...
>
> I want to create a user and allow him ftp access to a specific directory
> (/usr/local/www/data/userspage)
>
> I can make a symbolic link to that directory under the user's home
> directory - is this the best way to do this?
>
> What should I set the user's login shell to?
> and
> How do I limit the user's access to only that directory?

I'm not sure how everyone else does it, but I use the following scheme
for ftp-only users:

1) Add an entry to /etc/login.conf with the `ftp-chroot' capability as
   described in ftpd(8). I think I started with one of the other entries
   as a template and added ``:ftp-chroot:\''. I also added a "mailuser"
   entry for people who can just get POP email. See login.conf(5) and
   getcap(3) for the syntax of login.conf.

2) Rebuild /etc/login.conf.db with cap_mkdb(1): ``cap_mkdb /etc/login.conf''

3) Create the user, or edit an existing user, and set their login class
   to ``ftponly''. You'll need to use ``vipw'' or maybe
   ``pw user mod ${username} -L ftponly'' (untested, play around to see
   if it works, and see pw(8)).

4) I hard-linked /sbin/nologin to /sbin/ftponly and listed /etc/ftponly
   in /etc/shells for ftpd to see they have a "valid" shell.

5) Set the user's home directory to the directory they should be limited
   to, e.g., using your example, /usr/local/www/data/userspage.

The end result is that the user can ftp to the machine, but they are
chrooted to their home directory, and they cannot log into the machine
with an interactive shell with ssh or telnet.

For mail users, I use a similar setup, but set their shell to
/sbin/nologin and their class to ``mailuser'' (just sets some limits for
quotas, etc). This limits ftp as well as interactive login since
/sbin/nologin is not in /etc/shells.

Chuck
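An added example, not from the thread above: a POSIX sh audit that classifies an account the way Chuck's scheme does (shell absent from /etc/shells blocks ftpd entirely; a listed shell plus a login class carrying ftp-chroot gives a chrooted ftp session; a listed shell without it gives an unrestricted one). It works on constructed copies of master.passwd, login.conf and /etc/shells in a temp directory, and assumes the class name "ftponly" and shell path /sbin/ftponly from the post.

```shell
#!/bin/sh
# Added example (not the original post's code). Constructed sample files
# stand in for /etc/master.passwd, /etc/login.conf and /etc/shells.
WORK=$(mktemp -d)
cat > "$WORK/login.conf" <<'EOF'
# constructed sample login.conf; class "ftponly" assumed from the post
default:\
    :passwd_format=md5:
ftponly:\
    :ftp-chroot:\
    :tc=default:
mailuser:\
    :maxproc=8:\
    :tc=default:
EOF
cat > "$WORK/shells" <<'EOF'
# constructed sample /etc/shells (/sbin/nologin deliberately absent)
/bin/sh
/sbin/ftponly
EOF
# master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
cat > "$WORK/master.passwd" <<'EOF'
alice:*:1001:1001:ftponly:0:0:FTP only:/usr/local/www/data/userspage:/sbin/ftponly
bob:*:1002:1002:default:0:0:Shell user:/home/bob:/bin/sh
carol:*:1003:1003:mailuser:0:0:Mail only:/home/carol:/sbin/nologin
EOF

# Print the login.conf record for class $2 with getcap continuation lines
# (trailing backslash) joined. Capabilities inherited via tc= are not followed.
class_record() {
    awk '{ if (sub(/\\$/, "")) { buf = buf $0; next } print buf $0; buf = "" }' "$1" |
        grep -v '^#' | grep "^$2[|:]"
}
# True when class $2 in login.conf $1 carries :ftp-chroot:.
class_has_ftpchroot() { class_record "$1" "$2" | grep -q ':ftp-chroot:'; }
# True when shell $2 is an exact, uncommented entry in shells file $1.
shell_is_listed() { grep -v '^#' "$1" | grep -qx "$2"; }
# Verdict for user $4 (args: login.conf shells master.passwd user):
#   no-ftp: shell not in /etc/shells, so ftpd refuses the login
#   ftp-chroot: shell accepted and the class chroots the session
#   ftp-unrestricted: shell accepted, no chroot, whole tree visible over ftp
audit_user() {
    line=$(grep "^$4:" "$3") || { echo no-such-user; return; }
    class=$(printf '%s\n' "$line" | cut -d: -f5)
    shell=$(printf '%s\n' "$line" | cut -d: -f10)
    if ! shell_is_listed "$2" "$shell"; then echo no-ftp
    elif class_has_ftpchroot "$1" "$class"; then echo ftp-chroot
    else echo ftp-unrestricted; fi
}
audit_user "$WORK/login.conf" "$WORK/shells" "$WORK/master.passwd" alice
```

Run it against the real files on a FreeBSD box by pointing the three path arguments at /etc instead of $WORK; the tc= caveat means a class that only inherits ftp-chroot from a parent will be reported as unrestricted.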