Date: Tue, 1 May 2001 10:01:43 -0400
From: "jason" <jasonc@concentric.net>
To: <questions@freebsd.org>
Subject: Securing /etc against normal FTP users
Message-ID: <012b01c0d247$4181a3e0$89941bd8@speakeasy.net>
I am currently setting up a private FTP site on a FreeBSD 4.2-Current using wu-ftpd. I noted that in BSD ftp access is tied directly to shell access. What I am trying to do is allow users to log in using private logins but not have access to system areas or telnet access. Here is what I did accomplish:

made a copy of /sbin/nologin as /sbin/ftponly
added /sbin/ftponly to shells
added /sbin/ftponly to adduser.conf
used the GUEST group for all ftponly users
mounted /pub and set the group to guest and chmod to 755, which should allow users to download and read from that directory tree
set /pub/incoming to 777 to allow uploads

This allowed me to create users and give them a shell that ftpd would allow but telnetd would deny.

What I noticed is that users with shell set to /sbin/ftponly and group set to guest were able to enter my /etc and download just about everything there, including my passwd files. Upon closer inspection of the system I believe this same user should be able to read just about everything on my system.

I set chmod 750 /etc and this stopped a guest user from logging in, but I noted errors accessing /etc/login.conf and think this may also have further impact on other processes that use /etc and do not run as root.

Before I go off and reinvent the wheel on this, does anyone have an easy way to manage a similar situation? I also have some telnetd users that I would rather not have access to copy and download files from my /etc, /var, /root or other private system areas.

Any input from your own experience would be appreciated.

Jason Cribbins
"kibserv" Administrator
MGM Communications LLC
Canton, MI
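The exposure Jason describes comes down to ordinary Unix mode bits: a guest FTP login is neither root nor in the owning group of anything under /etc, so it can read exactly those files with the "other read" bit set under a 755 directory. The shell script below is an added example, not part of the original mail and not code from wu-ftpd or FreeBSD; it audits a directory tree for such files and demonstrates the check on a constructed miniature /etc (a 644 passwd and a 600 master.passwd in a temporary directory). The function names, the sample file contents and the HASH-PLACEHOLDER value are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit a directory tree for
# files that a user who is neither the owner nor in the owning group can read
# (the "other read" bit, octal 004). This is what a guest FTP login sees in a
# 755 /etc. The sample tree built by demo_tree is constructed for the demo.

# Print every regular file under $1 whose mode grants read to "other".
world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Number of such files, with the leading spaces BSD wc emits stripped.
count_world_readable() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Build a constructed miniature /etc in a temp directory and print its path.
# passwd is 644 (world-readable, as on a stock FreeBSD system); master.passwd,
# which holds the password hashes, is 600 (readable by root only).
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$d/etc/passwd"
    printf 'root:HASH-PLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$d/etc/master.passwd"
    chmod 644 "$d/etc/passwd"
    chmod 600 "$d/etc/master.passwd"
    echo "$d"
}

# Usage on a real system (run as root so find can descend everywhere):
#   sh audit.sh /etc
# With --demo, audit the constructed tree instead and remove it afterwards.
case "${1:-}" in
    --demo)
        t=$(demo_tree)
        echo "world-readable files under $t (expect only etc/passwd):"
        world_readable "$t"
        rm -rf "$t"
        ;;
    "")
        ;;
    *)
        echo "world-readable files under $1:"
        world_readable "$1"
        ;;
esac
```

The audit only measures exposure; it does not change anything. As the mail itself shows, closing the gap with chmod 750 /etc breaks non-root processes that need /etc/login.conf, so the durable fix is to confine what the FTP session can see (a chroot to the FTP area) rather than to tighten /etc, and the script is then useful for confirming that nothing sensitive is world-readable inside the confined tree.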
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?012b01c0d247$4181a3e0$89941bd8>