
Re: ftp user

 
Tarek_1
Frequent Advisor

ftp user

Hi there,
I want to create a user that can only ftp from a remote unix machine to linux, nothing else.
How can this be done?
Using Redhat 7.2.
Thanks in advance..
Tarek
6 REPLIES 6
Stuart Browne
Honored Contributor

Re: ftp user

The way I've done this in the past (probably not the best way) was to create a small script ('ftpsh') which just had 'echo "You aren't allowed to log in"; exit' in it, and used that as a shell for the user.

This fooled the FTP server into thinking they had a shell available (as you can't use /bin/false as the wu-ftpd doesn't allow an FTP login), and doesn't allow them to log in via telnet etc.
One long-haired git at your service...
benoit Bruckert
Honored Contributor

Re: ftp user

Hi Tarek,
You can create a chroot directory where ftp will work, and create the passwd file in this new environment.
Or you can use another, specific piece of software which manages its own users! (maybe proftpd?)

Hope this helps
Benoit
A badly thought-out application ends up as an overcomplicated contraption (GHG)
Tarek_1
Frequent Advisor

Re: ftp user

I haven't understood your answers very well.
I don't want to create scripts or some stuff like this, just add a user with ftp permissions. I think this can be done, probably by putting nologin or something similar as the user's shell, but I don't know exactly how.
Thanks again
K.C. Chan
Trusted Contributor

Re: ftp user

Tarek,
Yes, this is possible. Basically, make sure a false shell is listed in /etc/shells, and when you create a user just make sure they have the false shell, e.g. the /etc/ftponly shell.

After that you have to enable wu-ftpd in the /etc/xinetd.d dir.

Then at some base dir (root dir for your ftpusers), make sure the dirs bin and etc are created. Under etc you will have two files, group and passwd. The format for group is:
groupname:x:gid:

for passwd is:
username:*:uid:gid:::

The contents of the bin dir are:
the ls command and any other commands you want your ftpusers to use. Under RH you should be able to just copy /bin/ls to here, provided it was compiled statically. I hope this helps.
Reputation of a thousand years can be determined by the conduct of an hour
Tarek_1
Frequent Advisor

Re: ftp user

I haven't any false shell in the /etc/shells file, do I have to create one? How? Just by creating an empty file?
I haven't understood very well the two directories I have to create, bin and etc. As I understood, I have to create the two directories under root's home dir, right?
But why? And I have to create one more passwd and group file?
K.C. Chan
Trusted Contributor

Re: ftp user

OK, for the shell, let's say you want to use /etc/ftponly as the false shell: just add an entry in /etc/shell for /etc/ftponly. The reason it's called a false shell is because it really doesn't exist and therefore the user cannot telnet or ssh in directly; they can only ftp into your server.

For the etc and bin dirs, you need them for security purposes: all the files under bin are supposed to be statically compiled, and all files under etc only have entries for ftpusers. These dirs should be located under your ftp server's home, because when users ftp into your box they cannot change dir above your ftp home dir and therefore they do not have access to /etc/group, /etc/passwd, and ls. E.g., let's say you make /home/ftpusers the home dir for all your ftpusers, then /home/ftpusers/pub the pub dir; when an ftp user logs into your box they will see /home/ftpusers as '/' and they can't cd above /home/ftpusers.
Reputation of a thousand years can be determined by the conduct of an hour
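
An audit of the setup K.C. Chan describes above, as an added example that is not part of any post in the thread. It checks the "shell does not exist" variant; the user name ftpuser1, uid/gid 600 and the temp-dir layout are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): audit an FTP-only account.
# Every path is an argument, so it can be pointed at copies of the real files.

# check_ftponly USER PASSWD_FILE SHELLS_FILE FTP_ROOT
# Prints one FAIL line per finding and returns the number of findings.
check_ftponly() {
    user=$1; passwd=$2; shells=$3; root=$4; bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ -z "$shell" ]; then
        fail "$user is missing from $passwd or has an empty shell field"
    else
        # The thread requires the false shell to be listed in the shells file.
        grep -qxF -- "$shell" "$shells" || fail "$shell is not listed in $shells"
        # A false shell must not exist, otherwise telnet/ssh could start it.
        if [ -e "$shell" ]; then fail "$shell exists on disk"; fi
    fi
    # Files the thread places under the FTP root.
    for f in etc/passwd etc/group; do
        [ -f "$root/$f" ] || fail "$root/$f is missing"
    done
    [ -x "$root/bin/ls" ] || fail "$root/bin/ls is missing or not executable"
    # Thread format is username:*:uid:gid::: (no hashes inside the tree).
    if [ -f "$root/etc/passwd" ]; then
        leaked=$(awk -F: '$2 != "*" { print $1 }' "$root/etc/passwd" | tr '\n' ' ')
        [ -z "$leaked" ] || fail "password field is not '*' for: $leaked"
    fi
    return "$bad"
}

# Constructed sample layout in a temp dir; bin/ls is an empty stand-in script.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/ftproot/etc" "$d/ftproot/bin"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        "ftpuser1:x:600:600::/home/ftpusers:$d/etc/ftponly" > "$d/passwd"
    printf '%s\n' /bin/sh "$d/etc/ftponly" > "$d/shells"
    echo 'ftpuser1:*:600:600:::' > "$d/ftproot/etc/passwd"
    echo 'ftpusers:x:600:' > "$d/ftproot/etc/group"
    printf '#!/bin/sh\n' > "$d/ftproot/bin/ls"; chmod +x "$d/ftproot/bin/ls"
    echo "$d"
}

sample=$(make_sample)
if check_ftponly ftpuser1 "$sample/passwd" "$sample/shells" "$sample/ftproot"; then
    echo "ftpuser1: no findings"
fi
rm -rf "$sample"
```

On a real host the arguments would be /etc/passwd, /etc/shells and the FTP root; the script only reads them.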