From: Brent Rector
Date: Sat, 26 May 2001 02:27:26 GMT
Message-ID: <20010526.2272670@cr565151-a.vc.shawcable.net>
Subject: Re: Permissions Problem (need help) & restricting FTP users
To: RDWest "Sr.", questions@freebsd.org
In-Reply-To: <001601c0e589$b2f9ced0$23730618@ci83514a>
References: <01052520571800.00345@ci83514-b.sptnbrg1.sc.home.com> <20010526.1500266@cr565151-a.vc.shawcable.net> <001601c0e589$b2f9ced0$23730618@ci83514a>

Standard layout is a text based file....
@
i.e.
Brent
bob
@users

You don't have to include a specific group of users; I found it easier to set up a group specifically for our standard users etc...

Just save the basic file in your /etc directory..

Actually, you were right, there wasn't any reference to ftpchroot when I just used man... etc..

You can find the information about this about halfway down in man ftpd:

     Ftpd authenticates users according to five rules.

     1.   The login name must be in the password data base and not have a null password.
          In this case a password must be provided by the client before any file operations may be performed. If the user has an S/Key key, the response from a successful USER command will include an S/Key challenge. The client may choose to respond with a PASS command giving either a standard password or an S/Key one-time password. The server will automatically determine which type of password it has been given and attempt to authenticate accordingly. See key(1) for more information on S/Key authentication. S/Key is a Trademark of Bellcore.

     2.   The login name must not appear in the file /etc/ftpusers.

     3.   The login name must not be a member of a group specified in the file /etc/ftpusers. Entries in this file interpreted as group names are prefixed by an "at" `@' sign.

     4.   The user must have a standard shell returned by getusershell(3).

     5.   If the user name appears in the file /etc/ftpchroot, or the user is a member of a group with a group entry in this file, i.e. one prefixed with `@', the session's root will be changed to the user's login directory by chroot(2) as for an ``anonymous'' or ``ftp'' account (see next item). This facility may also be triggered by enabling the boolean "ftp-chroot" capability in login.conf(5). However, the user must still supply a password. This feature is intended as a compromise between a fully anonymous account and a fully privileged account. The account should also be set up as for an anonymous account.

     6.   If the user name is ``anonymous'' or ``ftp'', an anonymous ftp account must be present in the password file (user ``ftp''). In this case the user is allowed to log in by specifying any password (by convention an email address for the user should be used as the password). When the -S option is set, all transfers are logged as well.

     In the last case, ftpd takes special measures to restrict the client's access privileges.
     The server performs a chroot(2) to the home directory of the ``ftp'' user. In order that system security is not breached, it is recommended that the ``ftp'' subtree be constructed with care, following these rules:

I hope this gives you some more info.

Brent Rector

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 5/25/01, 7:15:13 PM, "RDWest Sr." wrote regarding Re: Permissions Problem (need help):

> ----- Original Message -----
> From: "Brent Rector"
> To: "RDWest"
> Sent: Friday, May 25, 2001 9:50 PM
> Subject: Re: Permissions Problem (need help)
>
> Hi There,
>
> I think what you really want to do to prevent FTPer's from wandering your harddrive is to look at
>
> man ftpchroot
>
> Create a text file in /etc called ftpchroot and add either the users and or groups to it, and their particular root "/" directory will be restricted to their own particular home directory.
>
> -----------------------------------------------
> there is no listing on ftpchroot in my man pages
> I'm using the default ftp that came with standard install
> could you plz give me an example format?
> usr1 /usr/local/www/usr1
> usr2 /usr/local/www/usr2 ? ?
> tx
> -----------------------------------------------
>
> What the above file does, is restricts "defined" users or groups to their own little areas; it prevents them from wandering...
>
> I originally tried what you did, and it completely confused me for days.
>
> I hope the above helps.
>
> Brent Rector
> justbrent.net
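An added example, not part of the thread and not FreeBSD's own code: a small POSIX sh script that models how ftpd(8) consults /etc/ftpusers (rules 2 and 3) and /etc/ftpchroot (rule 5) for a login name and its groups, using constructed copies of both files held in shell variables rather than reading /etc. The password-database and getusershell(3) checks (rules 1 and 4) are not modelled, and the file layout assumed is the one the message gives: one user name or @group per line, with blank lines and "#" comments ignored.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether a login is
# denied, chrooted to its home directory, or allowed with a full view of the
# filesystem, the way ftpd(8) does with /etc/ftpusers and /etc/ftpchroot.

# Constructed /etc/ftpusers: a plain name denies that user, "@name" a group.
FTPUSERS='# accounts that may never log in over FTP
root
toor
@wheel'

# Constructed /etc/ftpchroot in the layout the message describes.
FTPCHROOT='Brent
bob
@users'

# listed CONTENT NAME GROUP... -> status 0 if NAME, or "@GROUP" for any of the
# GROUPs, appears as an entry; comment and blank lines are skipped.
listed() {
    content=$1; name=$2; shift 2
    printf '%s\n' "$content" | awk -v name="$name" -v groups="$*" '
        BEGIN { n = split(groups, g, " "); found = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }
        $0 == name { found = 1; exit }
        substr($0, 1, 1) == "@" {
            for (i = 1; i <= n; i++)
                if (substr($0, 2) == g[i]) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# ftp_access NAME GROUP... -> prints deny, chroot or allow
ftp_access() {
    name=$1; shift
    if listed "$FTPUSERS" "$name" "$@"; then
        echo deny      # rule 2 (user) or rule 3 (@group) matched in ftpusers
    elif listed "$FTPCHROOT" "$name" "$@"; then
        echo chroot    # rule 5: the session root becomes the login directory
    else
        echo allow     # ordinary login, whole filesystem visible
    fi
}

ftp_access root wheel     # deny
ftp_access alice wheel    # deny
ftp_access bob staff      # chroot
ftp_access carol users    # chroot
ftp_access dave staff     # allow
```

The lookup is by exact name, so "Brent" and "brent" are different entries, and ftpusers wins over ftpchroot: a user listed in both is refused outright, never chrooted. Putting standard users in a group and listing "@group" in ftpchroot, as the message suggests, keeps the file short and means new accounts are confined the moment they join the group.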