Re: [ftp] ftpadmin user, private directories, incoming and not much more. . .
On 18/11/99 Neil D. Roberts wrote:
> This is my first mail here, so hi to all. . . I have a little
> problem, lack of knowledge is what I call it. Anyway, I have a public
> ftp server, and I need to create a special account for ftp administering
> (ftpadmin). This account can only be accessed via ftp, to put files
> and take files off. The user can not access via anything else, only ftp
> access.
if you're using potato this is easy to setup with pam, I add:
auth required pam_listfile.so item=user sense=deny file=/etc/deny.shell onerr=succeed
to all interactive shell services and any other service I do not want
such a user to access. this way he is allowed into FTP but all other
access attempts fail. if you do not use potato probably the best bet
is using falselogin: add it to /etc/shells and make it the login shell
for that user. he will still be able to login to things like telnet
and ssh, but instead of getting a shell he just gets a message saying
go away and is logged out. (I actually do both for good measure)
the other thing you could do that you may prefer is add
/usr/bin/passwd to /etc/shells and set his login shell to that, then
he can ssh (or *bleak* telnet) in and he immediately gets a prompt to
change his passwd; as soon as he does the connection is closed. you
probably want him to change his passwd very often anyway since ftp
has this annoying tendency to send passwords flying across the
network in clear.
> I also need to find out how to create the incoming directory in such
> a manner that users can place files there, but not delete. I also want
> to create a directory called private, where only a ftpadmin can access
> it to modify and place things. Do I ask for much? I'm not sure, but I
> sure am stuck. . . . Thanks in advance for the help !!!
just add the sticky bit to the incoming directory: chmod +t incoming
should do it. this will let him only delete files that he owns (just
like /tmp). if you want to allow him to upload but not see what is in
the directory then make the permissions he falls under (either group
or world) mode 3 (write and execute only).
if you use wu-ftpd (probably not a good idea unfortunately since it's
so good at giving out root accounts) you get quite a bit more control
over who can do what on incoming directories, such as forbidding
the upload of directories (common way ftpd root exploits must be
performed) and configuring so that files uploaded have the owners and
permissions changed so the uploader no longer has access, and other
such niceties.
if you use the plain ftpd with debian add your user to the /etc/ftpchroot file.
create bin, etc and lib directories in his home directory.
copy /bin/ls to ~ftpadmin/bin/ then chmod -R 111 ~ftpadmin/bin/
copy /lib/ld-linux.so.2 (may be a different number on your system) to
~ftpadmin/lib/ and chmod 555 ~ftpadmin/lib/ld-linux.so.2
copy /lib/libc.so.6 and /lib/libnss_files-X.X.X.so to there as well
(where X.X.X is the version number on your system), chmod 444 them.
cd ~ftpadmin/lib ; ln -s libnss_files-X.X.X.so libnss_files.so.1 and
ln -s libnss_files-X.X.X.so libnss_files.so.2.
chmod 111 ~ftpadmin/lib
now create a group file in ~ftpadmin/etc in the format root:*:0: just
like the real /etc/group except do not show the members. this file is
only used by ls to show real group names instead of gids, so only add
groups to this file that you want to show up as a real name (you
could make a fake name if you wanted to.) do the same for
~ftpadmin/etc/passwd; make sure there are no real passwords in that
file, it should look like: root:*:0:0:::
only add users to this file that you want to show up properly in the
listings. it's probably best to only add a couple rather than your
entire system's /etc/passwd so you do not give away all the account
names on your system. you do not have to use the same names as the
real accounts, just the same ids, and any name you want; this file is
only used by ls, nothing else. do not add the gecos field or home
directories to this file as it gives too much information about your
system away.
after you do that chmod 444 ~ftpadmin/etc/* and chmod 111 ~ftpadmin/etc
mkdir ~ftpadmin/pub and do a chmod 555 ~ftpadmin and add the incoming
directory.
that should do it. if you use wu-ftpd and want to take advantage of
some of its guest user features read the ftpaccess man page as it's
pretty good, but test it well as it's a little buggy in its config
parsing... (and I cannot recommend wu-ftpd or proftpd anymore as
they have just too many security problems)
Best Regards,
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
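The chroot layout and the upload-only incoming directory from the reply above, as an added example (not part of the original mail or of the Debian ftpd package). It takes the chroot base directory as an argument so it can be exercised against a scratch directory as a non-root user; on a real system the base is ~ftpadmin and the commands run as root (the chown of incoming to root, which makes ftpadmin fall under the "world" mode-3 bits, is only commented because it needs root). The library copying is limited to the loader and libc paths the mail names and is skipped when they do not exist; the versioned libnss_files copy and symlinks are left as a comment since the version is system-specific. The uid 1001 for ftpadmin in the chroot's passwd is a constructed sample value.

```shell
#!/bin/sh
# Added example: build a chrooted ftp account layout with a sanitized
# etc/passwd and etc/group (ids only, no hashes, no gecos, no home) and
# a sticky, write-only incoming directory, then verify the result.
set -eu

# check_mode PATH OCTAL: succeed when the path's permission bits match.
check_mode() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}

# Write the minimal passwd/group that ls needs to map ids to names.
# Field 2 is '*' (no hash); gecos, home and shell are left empty.
write_chroot_ids() {
    base="$1"
    # uid/gid 1001 for ftpadmin is a constructed sample value
    printf 'root:*:0:0:::\nftpadmin:*:1001:1001:::\n' > "$base/etc/passwd"
    printf 'root:*:0:\nftpadmin:*:1001:\n' > "$base/etc/group"
}

setup_ftp_chroot() {
    base="$1"
    mkdir -p "$base/bin" "$base/etc" "$base/lib" "$base/pub" "$base/incoming"

    # ls is the only binary the chroot needs for directory listings.
    if [ -x /bin/ls ]; then
        cp /bin/ls "$base/bin/ls"
    fi
    # Loader and libc as named in the mail; copied only if present here.
    # On a real system also copy /lib/libnss_files-X.X.X.so (chmod 444)
    # and symlink it to libnss_files.so.1 and libnss_files.so.2.
    for lib in /lib/ld-linux.so.2 /lib/libc.so.6; do
        if [ -e "$lib" ]; then
            cp "$lib" "$base/lib/"
        fi
    done

    write_chroot_ids "$base"

    # Sticky bit so uploaders can delete only their own files, and mode 3
    # (write+execute, no read) for group and world so they cannot list it.
    # Deployment step, needs root: chown root "$base/incoming"
    chmod 1733 "$base/incoming"

    # Permissions are set last: once the base is 555 nothing can be added.
    chmod 444 "$base/etc"/*
    chmod 111 "$base/etc" "$base/lib"
    chmod -R 111 "$base/bin"
    chmod 555 "$base"
}

# Return 0 when every mode from the mail is in place and the chroot
# passwd leaks neither hashes nor gecos/home/shell fields.
check_ftp_chroot() {
    base="$1"
    check_mode "$base" 555 &&
    check_mode "$base/bin" 111 &&
    check_mode "$base/lib" 111 &&
    check_mode "$base/etc" 111 &&
    check_mode "$base/etc/passwd" 444 &&
    check_mode "$base/etc/group" 444 &&
    check_mode "$base/incoming" 1733 &&
    awk -F: '$2 != "*" || $5 != "" || $6 != "" || $7 != "" { exit 1 }' \
        "$base/etc/passwd"
}

# Stand-alone use: ./ftpchroot.sh /path/to/base
if [ -n "${1:-}" ]; then
    setup_ftp_chroot "$1"
    check_ftp_chroot "$1" && echo "chroot layout at $1 verified"
fi
```

The check function is worth keeping around as a periodic audit: the passwd awk test catches the common mistake of copying the real /etc/passwd into the chroot, which the mail warns gives away every account name and home directory on the system.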