Date: Sat, 26 May 2001 02:27:26 GMT
From: Brent Rector <brent@justbrent.net>
To: RDWest "Sr." <bsd-noob@home.com>, questions@freebsd.org
Subject: Re: Permissions Problem (need help) & restricting FTP users
Message-ID: <20010526.2272670@cr565151-a.vc.shawcable.net>
In-Reply-To: <001601c0e589$b2f9ced0$23730618@ci83514a>
References: <01052520571800.00345@ci83514-b.sptnbrg1.sc.home.com> <20010526.1500266@cr565151-a.vc.shawcable.net> <001601c0e589$b2f9ced0$23730618@ci83514a>
Standard layout is a text based file....

<user1>
<user2>
@<group>

i.e.

Brent
bob
@users

You don't have to include a specific group of users, I found it easier to set up a group specifically for our standard users etc... Just save the basic file in your /etc directory..

Actually, you were right, there wasn't any reference to ftpchroot when I just used man... etc.. You can find the information about this about halfway down in man ftpd:

Ftpd authenticates users according to five rules.

1. The login name must be in the password data base and not have a null password. In this case a password must be provided by the client before any file operations may be performed. If the user has an S/Key key, the response from a successful USER command will include an S/Key challenge. The client may choose to respond with a PASS command giving either a standard password or an S/Key one-time password. The server will automatically determine which type of password it has been given and attempt to authenticate accordingly. See key(1) for more information on S/Key authentication. S/Key is a Trademark of Bellcore.

2. The login name must not appear in the file /etc/ftpusers.

3. The login name must not be a member of a group specified in the file /etc/ftpusers. Entries in this file interpreted as group names are prefixed by an "at" `@' sign.

4. The user must have a standard shell returned by getusershell(3).

5. If the user name appears in the file /etc/ftpchroot, or the user is a member of a group with a group entry in this file, i.e. one prefixed with `@', the session's root will be changed to the user's login directory by chroot(2) as for an ``anonymous'' or ``ftp'' account (see next item). This facility may also be triggered by enabling the boolean "ftp-chroot" capability in login.conf(5). However, the user must still supply a password. This feature is intended as a compromise between a fully anonymous account and a fully privileged account. The account should also be set up as for an anonymous account.

6. If the user name is ``anonymous'' or ``ftp'', an anonymous ftp account must be present in the password file (user ``ftp''). In this case the user is allowed to log in by specifying any password (by convention an email address for the user should be used as the password). When the -S option is set, all transfers are logged as well.

In the last case, ftpd takes special measures to restrict the client's access privileges. The server performs a chroot(2) to the home directory of the ``ftp'' user. In order that system security is not breached, it is recommended that the ``ftp'' subtree be constructed with care, following these rules:

I hope this gives you some more info.

Brent Rector

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 5/25/01, 7:15:13 PM, "RDWest Sr." <bsd-noob@home.com> wrote regarding Re: Permissions Problem (need help):

> ----- Original Message -----
> From: "Brent Rector" <brent@justbrent.net>
> To: "RDWest" <bsd-noob@home.com>
> Sent: Friday, May 25, 2001 9:50 PM
> Subject: Re: Permissions Problem (need help)
>
> Hi There,
>
> I think what you really want to do to prevent FTPers from wandering your hard drive is to look at
>
> man ftpchroot
>
> Create a text file in /etc called ftpchroot and add either the users and or groups to it, and their particular root "/" directory will be restricted to their own particular home directory.
> -----------------------------------------------
> there is no listing on ftpchroot in my man pages
> i'm using the default ftp that came with standard install
> could you plz give me an example format?
>
> usr1 /usr/local/www/usr1
> usr2 /usr/local/www/usr2 ? ?
>
> tx
> -----------------------------------------------
> What the above file does, is restricts "defined" users or groups to their own little areas, it prevents them from wandering...
> I originally tried what you did, and it completely confused me for days.
> I hope the above helps.
>
> Brent Rector
> justbrent.net
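The ftpd rules quoted in this message (ftpusers denies, ftpchroot confines, the @group prefix in both) are easy to get wrong when auditing who can log in and who is still free to wander the filesystem. The following is an added example, not code from the thread or from FreeBSD's ftpd: it models those rules over constructed in-memory stand-ins for /etc/passwd, /etc/group, /etc/ftpusers and /etc/ftpchroot, so the assumed sample accounts, groups and the STANDARD_SHELLS set are illustrative only.

```python
"""Model of the ftpd(8) access rules quoted above: /etc/ftpusers denies,
/etc/ftpchroot confines.  Constructed stand-ins for the real files;
an audit helper for illustration, not ftpd's own code."""

# Constructed sample data (stand-ins for /etc/passwd, /etc/group and the
# two control files discussed on the page).
PASSWD = {
    # login: (password set?, shell, home directory)
    "brent": (True, "/bin/sh", "/home/brent"),
    "bob": (True, "/bin/csh", "/home/bob"),
    "root": (True, "/bin/csh", "/root"),
    "guest": (False, "/bin/sh", "/home/guest"),          # null password -> rule 1
    "svc": (True, "/usr/sbin/nologin", "/nonexistent"),  # no login shell -> rule 4
    "ftp": (True, "/bin/sh", "/var/ftp"),                # anonymous account -> rule 6
}
GROUPS = {"users": {"brent", "bob"}, "wheel": {"root"}, "staff": {"svc"}}
STANDARD_SHELLS = {"/bin/sh", "/bin/csh"}   # what getusershell(3) would return
FTPUSERS = ["root", "@wheel", "# comment"]  # /etc/ftpusers: denied names / @groups
FTPCHROOT = ["@users"]                      # /etc/ftpchroot: confined names / @groups


def matches(entries, login):
    """True if login is listed directly or via an '@group' entry."""
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith("@"):
            if login in GROUPS.get(entry[1:], set()):
                return True
        elif entry == login:
            return True
    return False


def ftp_access(login):
    """Apply the rules to login. Returns (allowed, chroot_dir); chroot_dir is
    None when the session is denied or when it is NOT confined (full view)."""
    if login == "anonymous":               # rule 6: alias for the ``ftp'' account
        login = "ftp"
    rec = PASSWD.get(login)
    if rec is None or not rec[0]:          # rule 1: must exist, non-null password
        return (False, None)
    _, shell, home = rec
    if matches(FTPUSERS, login):           # rules 2 and 3: /etc/ftpusers denies
        return (False, None)
    if shell not in STANDARD_SHELLS:       # rule 4: shell must come from getusershell
        return (False, None)
    if login == "ftp" or matches(FTPCHROOT, login):   # rules 5 and 6: chroot to home
        return (True, home)
    return (True, None)                    # logged in with the whole filesystem visible
```

Accounts that come back as (True, None) are the ones the original poster was worried about: authenticated but not listed in ftpchroot, so they can browse outside their home directory.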