From owner-freebsd-questions Tue May 1 6:59:33 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from megapathdsl.net (snowbird.megapath.net [216.200.176.7]) by hub.freebsd.org (Postfix) with ESMTP id EF62E37B443 for ; Tue, 1 May 2001 06:59:26 -0700 (PDT) (envelope-from jasonc@concentric.net)
Received: from [63.209.136.118] (HELO mgm) by megapathdsl.net (CommuniGate Pro SMTP 3.4.3) with SMTP id 20998546 for questions@freebsd.org; Tue, 01 May 2001 06:58:32 -0700
Message-ID: <012b01c0d247$4181a3e0$89941bd8@speakeasy.net>
Reply-To: "jason"
From: "jason"
To:
Subject: Securing /etc against normal FTP users
Date: Tue, 1 May 2001 10:01:43 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am currently setting up a private FTP site on a FreeBSD 4.2-Current using wu-ftpd. I noted that in BSD ftp access is tied directly to shell access. What I am trying to do is allow users to login using private logins but not have access to system areas or telnet access.

Here is what I did accomplish:

  made copy of /sbin/nologin as /sbin/ftponly
  added /sbin/ftponly to shells
  added /sbin/ftponly to adduser.conf

I used GUEST group for all ftponly users. I mounted /pub and set the group to guest and chmod to 755, which should allow users to download and read from that directory tree. I also set /pub/incoming to 777 to allow uploads.

This allowed me to create users and give them a shell that ftpd would allow but telnetd would deny.

What I noticed is that users with shell set to /sbin/ftponly and group set to guest were able to enter my /etc and download just about everything there, including my passwd files.

Upon closer inspection of the system I believe this same user should be able to read just about everything on my system. I set chmod 750 /etc and this stopped a guest user from logging in, but I noted errors accessing /etc/logon.conf and think this may also have further impact on other processes that use /etc and do not run as root.

Before I go off and reinvent the wheel on this, does anyone have an easy way to manage a similar situation? I also have some telnetd users that I would rather not have access to copy and download files from my /etc, /var, /root or other private system areas. Any input on your own experience would be appreciated.

Jason Cribbins
"kibserv" Administrator
MGM Communications LLC
Canton, MI
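As an added example (not part of Jason's post, and not wu-ftpd or FreeBSD code), the following POSIX sh audit shows what an FTP-only account that ftpd has not chrooted could still download from a tree such as /etc, and checks that the ftponly shell really is listed in /etc/shells, which ftpd requires before it accepts a login. The function names, the guest-group helper and the constructed sample tree it runs on are assumptions made for the example.

```shell
# audit_ftponly.sh: added example, not code from the original post or wu-ftpd.
# Shows what an FTP-only account that ftpd has not chrooted can still read
# from a tree such as /etc, and checks that the ftponly shell is listed in
# /etc/shells (ftpd refuses logins whose shell is not there).
# Assumes only POSIX sh, find, grep, sort, wc and mktemp.

# world_readable DIR
# Regular files under DIR with the "other" read bit (octal 004) set: any
# local account, including an ftponly user, can download these.
world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# group_readable DIR GROUP
# Files under DIR readable only via membership of GROUP (g+r set, o+r
# clear). Relevant if the guest group is ever given ownership of system
# files, since every ftponly user is a member of it.
group_readable() {
    find "$1" -type f -group "$2" -perm -040 ! -perm -004 2>/dev/null | sort
}

# shell_listed SHELL SHELLS_FILE
# Succeeds (exit 0) when SHELL appears as an exact line in SHELLS_FILE.
shell_listed() {
    grep -qx "$1" "$2"
}

# count_lines: number of paths emitted by the functions above.
count_lines() {
    wc -l | tr -d ' '
}

# Demonstration on a constructed tree standing in for /etc (not the real one):
# passwd and shells are 644, master.passwd is 600 as on a stock FreeBSD.
demo() {
    d=$(mktemp -d)
    printf 'root:*:0:0:root:/root:/bin/sh\n' > "$d/passwd"
    printf 'root:HASH:0:0::0:0:root:/root:/bin/sh\n' > "$d/master.passwd"
    printf '/bin/sh\n/sbin/ftponly\n' > "$d/shells"
    chmod 644 "$d/passwd" "$d/shells"
    chmod 600 "$d/master.passwd"
    echo "world-readable under $d:"
    world_readable "$d"
    shell_listed /sbin/ftponly "$d/shells" && echo "/sbin/ftponly is in shells"
    rm -rf "$d"
}

demo
```

On a stock FreeBSD, /etc/passwd is world-readable by design and carries no password hashes; those live in /etc/master.passwd, which is mode 600, so the audit is most useful for spotting other files in /etc that were not meant to be readable by every local account.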