From owner-freebsd-isp@FreeBSD.ORG Thu Aug 5 14:43:29 2004
Date: Thu, 5 Aug 2004 09:44:35 -0500 (CDT)
From: James Wyatt <jwyatt@RWSystems.net>
To: Spidey Knepscheld
Cc: freebsd-isp@freebsd.org
Subject: Re: Open a user for FTP Access
In-Reply-To: <20040805090613.R2281@extra.rwsystems.net>
Message-ID: <20040805094258.O2281@extra.rwsystems.net>
References: <001b01c47ae8$b8f127f0$0b01000a@SPIDEY> <20040805090613.R2281@extra.rwsystems.net>

On Thu, 5 Aug 2004, Spidey Knepscheld wrote:
> Hi Guys
>
> This is another stupid question from me but I would like to know how do
> I give a guy access to his web directory for updates of his www. I know
> how to open users but not how to give that user access to ftp to his
> directory.
[ ... ]

Not a stupid question, but I'll bet we get a stupid answer somewhere...
(semi-private joke - will answer or discuss by direct email if needed.)

From your description, you don't need many users. If you do, then you should look at either using the PAM support in FreeBSD to offload FTP users to an SQL or LDAP table or at FTP servers that support SQL or LDAP directly. The FreeBSD FTP server does this well. So do some others.

It sounds like you don't completely trust your web user either. (^_^) An FTP server that supports "chrooting" lets your user see *just* their directory and "lower". They can't see anything "above" it to look for security holes or put files in places you don't want. The FreeBSD FTP server supports chrooting easily - you can either put the user in the /etc/ftpchroot file or put them in a group in that file.

I would also configure the web server not to run scripts in the user directories. Otherwise they can upload a script that gets around the security added with chroot. Apache does this well too.

fwiw: Your description also implies you have a low usage, so having ftpd start using inetd.conf is fine. If you have lots of FTP connects, you should run ftpd as a separate daemon. You might look at "man ftpd" to see what options are available. You might add the h, ll, t flags to the inetd.conf entry. It will print less banner, log more user actions, add a 15 minute idle delay.

The FreeBSD folks have put a lot of work into the FTP server and it shows. I use others on other servers, but usually leave the FreeBSD FTP server intact. With PAM, chroot, and other features, it rocks! There is nothing I see in your requirements that drives you to build, install, configure, and support another FTP server and track an entire extra set of security advisories. You are already in very good hands.
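The two configuration points in the reply above (putting a user or an @group in /etc/ftpchroot, and adding the h, ll and t flags to the ftpd line in inetd.conf) can be checked offline with a small POSIX sh script. This is an added example, not code from the message, from FreeBSD or from any project; it assumes the ftpchroot(5) entry format of one "user" or "@group" per line (the optional chroot directory field is ignored), the ftpd(8) meanings of -h (no host/version banner), -l (once: log sessions; twice: also log transfers) and -t <seconds> (idle timeout), and inetd.conf(5) fields in their usual order. The file contents, the inetd lines, the 900 second value (15 minutes) and the function names ftp_is_chrooted and inetd_ftp_hardened are all constructed for the example.

```shell
#!/bin/sh
# Added example: audit helpers for the ftpd(8) setup described in the reply.
# Everything below is constructed sample data, not the real /etc files.

# Stand-in for /etc/ftpchroot: a direct user entry and an @group entry.
FTPCHROOT_SAMPLE='# constructed stand-in for /etc/ftpchroot
webuser
@webftp
'

# Stand-in for /etc/group (group:password:gid:member,member).
GROUP_SAMPLE='wheel:*:0:root
webftp:*:1001:alice,bob
'

# ftp_is_chrooted USER -> exit 0 if USER matches a direct entry, or is a
# member (per the constructed group file) of an @group entry.
ftp_is_chrooted() {
	printf '%s\n' "$FTPCHROOT_SAMPLE" |
	awk -v u="$1" -v groups="$GROUP_SAMPLE" '
	BEGIN {
		# index group memberships as member[group, user]
		n = split(groups, lines, "\n")
		for (i = 1; i <= n; i++) {
			if (lines[i] == "") continue
			split(lines[i], f, ":")
			m = split(f[4], mem, ",")
			for (j = 1; j <= m; j++) member[f[1], mem[j]] = 1
		}
	}
	NF == 0 || $1 ~ /^#/ { next }            # blank and comment lines
	$1 == u { found = 1 }                    # direct user entry
	substr($1, 1, 1) == "@" && ((substr($1, 2), u) in member) { found = 1 }
	END { exit !found }'
}

# inetd_ftp_hardened LINE -> exit 0 if an inetd.conf ftp line runs ftpd with
# -h, two -l (either "-l -l" or "-ll") and "-t <seconds>", i.e. the flags
# the reply suggests adding to the stock entry.
inetd_ftp_hardened() {
	printf '%s\n' "$1" |
	awk '
	$1 != "ftp" || $7 !~ /ftpd$/ { exit 1 }  # not an ftpd service line
	{
		h = 0; l = 0; t = 0
		for (i = 8; i <= NF; i++) {
			if ($i == "-h") h = 1
			else if ($i ~ /^-l+$/) l += length($i) - 1
			else if ($i == "-t" && $(i + 1) ~ /^[0-9]+$/) t = 1
		}
		exit !(h && l >= 2 && t)
	}'
}

# Constructed inetd.conf lines: the stock-style "ftpd -l" entry, and one with
# the extra flags (900 s = the 15 minute idle timeout the reply mentions).
INETD_DEFAULT='ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l'
INETD_HARDENED='ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -l -h -t 900'

# Run "sh this_script.sh demo" to see the checks applied to the samples.
if [ "${1:-}" = "demo" ]; then
	for u in webuser alice root; do
		if ftp_is_chrooted "$u"; then echo "$u: chrooted"; else echo "$u: NOT chrooted"; fi
	done
	if inetd_ftp_hardened "$INETD_DEFAULT"; then echo "default line: ok"; else echo "default line: missing flags"; fi
	if inetd_ftp_hardened "$INETD_HARDENED"; then echo "hardened line: ok"; else echo "hardened line: missing flags"; fi
fi
```

The chroot check mirrors the two ways the reply describes: name the user directly, or name a group the user belongs to. The inetd check is deliberately strict about the second -l, since a single -l logs sessions but not the individual uploads you would want in the log when a web user can write into the document tree.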