topic Re: ftp user in Operating System - Linux

ftp user

Tarek_1 — Thu, 25 Jul 2002 06:00:52 GMT

Hi there,
i want to create a user that can only ftp from a remote unix machine to linux, nothing else.
How can this be done?
Using Redhat 7.2.
Thanks in advance..
Tarek

Re: ftp user

Stuart Browne — Thu, 25 Jul 2002 06:34:53 GMT

The way I've done this in the past (probably not the best way) was to create a small script ('ftpsh') which just had 'echo "You arn't allowed to log in"'; exit' in it, and used that as a shell for the user.

This fooled the FTP server into thinking they had a shell available (as you can't use /bin/false as the wu-ftpd doesn't allow an FTP login), and doesn't allow them to log in via telnet etc.

Re: ftp user

benoit Bruckert — Thu, 25 Jul 2002 07:03:52 GMT

HI Tarek,
You can create a chroot directory where ftp will work, and create the passwd file in this new environnement.
Or You can use another a specific software which manage it's own users ! (may be proftpd ?)

hope this help
BEnoit

Re: ftp user

Tarek_1 — Thu, 25 Jul 2002 13:07:29 GMT

I haven't understood your answers very well.
I don't want to create scripts or some stuff like this, just add a user with ftp permissions. I think this can be done, probably by putting as user shell nologin or something similar but i don't know exactly how.
Thanks again

Re: ftp user

K.C. Chan — Thu, 25 Jul 2002 17:41:25 GMT

Tarek,
yes this is possible, basically make sure a false shell is listed in /etc/shells and when you create a user just make sure they have the false shell, e.g; /etc/ftponly shell.

after that you have to enable wu-ftpd in /etc/xinetd.d dir.

Then at some base dir (root dir for your ftpusers), make sure dir bin and etc are created. Under etc you will have two file group and passwd. The format for group is:
groupname:x:gid:

for passwd is:
username:*:uid:gid:::

The content of bin dir are:
ls command and other command you want your ftpusers to use. Under RH you should be able to just copy the /bin/ls to here provided it was compiled statically. I hope this helps.

Re: ftp user

Tarek_1 — Mon, 29 Jul 2002 07:05:53 GMT

I haven't any false shell in /etc/shells file, do i have to create any?? How? Just creating an empty file?
I haven't understood very well the two directories i have to create, bin and etc. As I undertood, I have to create the two directories under root's home dir, right?
But why? And i have to create one more passwd and group file?

Re: ftp user

K.C. Chan — Mon, 29 Jul 2002 13:55:28 GMT

ok, for the shell, let say you wan to use /etc/ftponly as the false shell, just add an entry in /etc/shell for /etc/ftponly; the reason it's call a false shell is bec. it really doesn't exist and there user can not telnet or ssh in directly; they can only ftp into your server.

For the etc and bin dir, you need them bec. of security purpose, all the files under bin are suppose to statically compile and all files under etc only have entries for ftpusers. These dir should be located under your home ftp servers bec. when user ftp into your box they cannot change dir above your ftp home dir and therefore they do not have access to /etc/group, /etc/passwd, and ls. e.g: let say you make /home/ftpusers as your home dir for all your ftpusers, then /home/ftpusers/pub as the pub dir, when ftp user log into your box they will see /home/ftpusers as '/' and they can't cd obove /home/ftpusers.