Date:      Sat, 26 May 2001 02:27:26 GMT
From:      Brent Rector <brent@justbrent.net>
To:        RDWest "Sr." <bsd-noob@home.com>, questions@freebsd.org
Subject:   Re: Permissions Problem (need help) & restricting FTP users
Message-ID:  <20010526.2272670@cr565151-a.vc.shawcable.net>
In-Reply-To: <001601c0e589$b2f9ced0$23730618@ci83514a>
References:  <01052520571800.00345@ci83514-b.sptnbrg1.sc.home.com> <20010526.1500266@cr565151-a.vc.shawcable.net> <001601c0e589$b2f9ced0$23730618@ci83514a>

Standard layout is a text based file....

<user1>
<user2>
@<group>

i.e.

Brent
bob
@users

You don't have to include a specific group of users, I found it easier to
setup a group specifically for our standard users etc...

Just save the basic file in your /etc directory..

Actually, you were right there wasn't any reference to ftpchroot when I
just used man... etc..

You can find the information about this about halfway down in man ftpd:

     Ftpd authenticates users according to five rules.

           1.   The login name must be in the password data base and not have
                a null password.  In this case a password must be provided by
                the client before any file operations may be performed.  If
                the user has an S/Key key, the response from a successful USER
                command will include an S/Key challenge. The client may choose
                to respond with a PASS command giving either a standard pass-
                word or an S/Key one-time password. The server will automati-
                cally determine which type of password it has been given and
                attempt to authenticate accordingly. See key(1) for more in-
                formation on S/Key authentication. S/Key is a Trademark of
                Bellcore.

           2.   The login name must not appear in the file /etc/ftpusers.

           3.   The login name must not be a member of a group specified in
                the file /etc/ftpusers. Entries in this file interpreted as
                group names are prefixed by an "at" `@' sign.

           4.   The user must have a standard shell returned by
                getusershell(3).

           5.   If the user name appears in the file /etc/ftpchroot, or the
                user is a member of a group with a group entry in this file,
                i.e. one prefixed with `@', the session's root will be changed
                to the user's login directory by chroot(2) as for an
                ``anonymous'' or ``ftp'' account (see next item).  This facil-
                ity may also be triggered by enabling the boolean "ftp-chroot"
                capability in login.conf(5).  However, the user must still
                supply a password.  This feature is intended as a compromise
                between a fully anonymous account and a fully privileged ac-
                count.  The account should also be set up as for an anonymous
                account.

           6.   If the user name is ``anonymous'' or ``ftp'', an anonymous ftp
                account must be present in the password file (user ``ftp'').
                In this case the user is allowed to log in by specifying any
                password (by convention an email address for the user should
                be used as the password).  When the -S option is set, all
                transfers are logged as well.

     In the last case, ftpd takes special measures to restrict the client's
     access privileges.  The server performs a chroot(2) to the home directory
     of the ``ftp'' user.  In order that system security is not breached, it
     is recommended that the ``ftp'' subtree be constructed with care, follow-
     ing these rules:

I hope this gives you some more info.

Brent Rector

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 5/25/01, 7:15:13 PM, "RDWest Sr." <bsd-noob@home.com> wrote regarding
Re: Permissions Problem (need help):


> ----- Original Message -----
> From: "Brent Rector" <brent@justbrent.net>
> To: "RDWest" <bsd-noob@home.com>
> Sent: Friday, May 25, 2001 9:50 PM
> Subject: Re: Permissions Problem (need help)

> Hi There,

> I think what you really want to do to prevent FTPer's from wandering your
> harddrive is to look at

> man ftpchroot

> Create a text file in /etc called ftpchroot and add either the users and
> or groups to it, and their particular root "/" directory will be
> restricted to their own particular home directory.

> -----------------------------------------------
> there is no listing on ftpchroot in my man pages
> i'm using the default ftp that came with standard install

> could you plz give me an example format?
> usr1 /usr/local/www/usr1
> usr2 /usr/local/www/usr2    ? ?

> tx

> -----------------------------------------------

> What the above file does, is restricts "defined" users or groups to their
> own little areas, it prevents them from wandering...

> I originally tried what you did, and it completely confused me for days.

> I hope the above helps.

> Brent Rector
> justbrent.net
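The exchange above describes the one-name-per-line layout of /etc/ftpchroot and the ftpd(8) rules that consult it and /etc/ftpusers. The following script, added here as an illustration and not part of the original mailing-list thread, is a small checker that reads that layout and answers, for a given login name, whether ftpd would refuse the login (rules 2 and 3), chroot it to the home directory (rule 5), or leave it unrestricted. All file contents, the group membership table and the function names are constructed for this example; the check also rejects the "name /path" layout the question proposed, since the message says the file carries names and @groups only.

```python
"""Evaluate the /etc/ftpusers and /etc/ftpchroot rules quoted from ftpd(8).

Added example; not part of the original mailing-list message. All file
contents below are constructed samples, and every function name is an
assumption made for this illustration.
"""
from typing import Dict, Set, Tuple

# Constructed /etc/ftpchroot sample: one login name or @group per line,
# the layout the message describes.
FTPCHROOT = """\
# constructed sample
brent
bob
@users
"""

# Constructed /etc/ftpusers sample: names and @groups refused FTP login.
FTPUSERS = """\
root
toor
@wheel
"""

# Constructed /etc/group sample: name:password:gid:member,member
GROUP_FILE = """\
wheel:*:0:root,alice
users:*:100:carol,dave
www:*:80:
"""

# Constructed primary-group mapping (what the passwd gid field would give).
PRIMARY_GROUP = {"root": "wheel", "brent": "users", "bob": "www",
                 "alice": "users", "carol": "users", "dave": "users",
                 "eve": "users", "frank": "www"}


def parse_entries(text: str) -> Tuple[Set[str], Set[str]]:
    """Split an ftpusers/ftpchroot file into (user names, group names).

    This parser skips blank lines and '#' comments.  A leading '@' marks a
    group.  The format quoted in the message carries one name per line, so
    a line with extra fields (e.g. a path after the name) is rejected.
    """
    users: Set[str] = set()
    groups: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line.split()) != 1:
            raise ValueError(f"line {lineno}: expected one name, got {line!r}")
        if line.startswith("@"):
            groups.add(line[1:])
        else:
            users.add(line)
    return users, groups


def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """Map group name -> supplementary members from group(5)-style lines."""
    members: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) < 4 or not fields[0]:
            continue
        members[fields[0]] = {m for m in fields[3].split(",") if m}
    return members


def member_of_any(user: str, groups: Set[str],
                  members: Dict[str, Set[str]],
                  primary: Dict[str, str]) -> bool:
    """True if the user's primary or supplementary groups intersect 'groups'."""
    return any(primary.get(user) == g or user in members.get(g, set())
               for g in groups)


def ftp_policy(user: str, ftpusers: str = FTPUSERS,
               ftpchroot: str = FTPCHROOT, group_file: str = GROUP_FILE,
               primary: Dict[str, str] = PRIMARY_GROUP) -> str:
    """Return 'denied', 'chroot' or 'full' for a login name.

    Applies rules 2, 3 and 5 of the ftpd(8) text quoted above.  Rules 1,
    4 and 6 (password, shell, anonymous account) are outside this check;
    a 'chroot' user must still supply a valid password.
    """
    denied_users, denied_groups = parse_entries(ftpusers)
    chroot_users, chroot_groups = parse_entries(ftpchroot)
    members = parse_group_file(group_file)

    if user in denied_users:                                   # rule 2
        return "denied"
    if member_of_any(user, denied_groups, members, primary):   # rule 3
        return "denied"
    if user in chroot_users or \
            member_of_any(user, chroot_groups, members, primary):  # rule 5
        return "chroot"
    return "full"


if __name__ == "__main__":
    for name in ("root", "alice", "brent", "bob", "carol", "eve", "frank"):
        print(f"{name:8} -> {ftp_policy(name)}")
```

Running it shows that @wheel in /etc/ftpusers denies alice through her supplementary group, @users in /etc/ftpchroot confines carol (supplementary) and eve (primary) the same way as the explicitly listed brent and bob, and frank, who appears in neither file, would get an unrestricted session; that last case is the one worth auditing on a real host, since any account with a standard shell and no entry in either file can browse the whole filesystem over FTP.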
