
Re: [ftp] ftpadmin user, private directories, incoming and not much more. . .



Hi Ethan;

Thanks for the help. . . I use proftpd under slink, but I'll try and apply this to it :)

Ethan Benson wrote:

> On 18/11/99 Neil D. Roberts wrote:
>
> >    This is my first mail here, so hi to all. . .I have a little
> >problem, lack of knowledge is what I call it. Anyway, I have a public
> >ftp server, and I need to create a special account for ftp administering
> >(ftpadmin). This account can only be accessed via ftp, to put files
> >and take files off. The user can not access via anything else, only ftp
> >access.
>
> if you're using potato this is easy to setup with pam, I add:
>
> auth    required        pam_listfile.so item=user sense=deny file=/etc/deny.shell onerr=succeed
>
> to all interactive shell services and any other service I do not want
> such a user to access. this way he is allowed into FTP but all other
> access attempts fail.  if you do not use potato probably the best bet
> is using falselogin: add it to /etc/shells and make it the login shell
> for that user, he will still be able to login to things like telnet
> and ssh, but instead of getting a shell he just gets a message saying
> go away and is logged out.  (I actually do both for good measure)
>
> the other thing you could do that you may prefer is add
> /usr/bin/passwd to /etc/shells and set his login shell to that, then
> he can ssh (or *bleak* telnet) in and he immediately gets a prompt to
> change his passwd as soon as he does the connection is closed. you
> probably want him to change his passwd very often anyway since ftp
> has this annoying tendency to send passwords flying across the
> network in clear.
>
> >    I also need to find out how to create the incoming directory in such
> >a manner that users can place files there, but not delete. I also want
> >to create a directory called private, where only a ftpadmin can access
> >it to modify and place things. Do I ask for much ? I 'm not sure, but I
> >sure am stuck. . . .Thanks in advance for the help !!!
>
> just add the sticky bit to the incoming directory chmod +t incoming
> should do it, this will let him only delete files that he owns (just
> like /tmp) if you want to allow him to upload but not see what is in
> the directory then make the permissions he falls under (either group
> or world)  mode 3 (write and execute only)
>
> if you use wu-ftpd (probably not a good idea unfortunately since it's
> so good at giving out root accounts) you get quite a bit more control
> over who can do what on incoming directories such as forbidding
> the upload of directories (common way ftpd root exploits must be
> performed) and configuring so that files uploaded have the owners and
> permissions changed so the uploader no longer has access. and other
> such niceties.
>
> if you use the plain ftpd with debian add your user to the /etc/ftpchroot file.
>
> create a bin, etc and lib directories in his home directory
>
> copy /bin/ls to ~ftpadmin/bin/ then chmod -R 111 ~ftpadmin/bin/
>
> copy /lib/ld-linux.so.2 (may be a different number on your system) to
> ~ftpadmin/lib/ and chmod 555 ~ftpadmin/lib/ld-linux.so.2
>
> copy /lib/libc.so.6, /lib/libnss_files-X-X-X.so to there as well
> (where X.X.X is the version number on your system), chmod 444 them
>
> cd ~ftpadmin/lib ; ln -s libnss_files-X.X.X.so libnss_files.so.1 and
> ln -s libnss_files-X.X.X.so libnss_files.so.2.
>
> chmod 111 ~ftpadmin/lib
>
> now create a group file in ~ftpadmin/etc in the format root:*:0: just
> like the real /etc/group except do not show the members, this file is
> only used by ls to show real group names instead of gids, so only add
> groups to this file that you want to show up as a real name (you
> could make a fake name if you wanted to.) do the same for
> ~ftpadmin/etc/passwd make sure there are no real passwords in that
> file, it should look like:  root:*:0:0:::
>
> only add users to this file that you want to show up properly in the
> listings, it's probably best to only add a couple rather than your
> entire system's /etc/passwd so you do not give away all the account
> names on your system.   you do not have to use the same names as the
> real accounts, just the same ids, and any name you want, this file is
> only used by ls nothing else. do not add the gecos field or home
> directories to this file as it gives too much information about your
> system away.
>
> after you do that chmod 444 ~ftpadmin/etc/* and chmod 111 ~ftpadmin/etc
>
> mkdir ~ftpadmin/pub and do a chmod 555 ~ftpadmin and add the incoming
> directory.
>
> that should do it, if you use wu-ftpd and want to take advantage of
> some of its guest user features read the ftpaccess man page as it's
> pretty good, but well test it as it's a little buggy in its config
> parsing...  (and I cannot recommend wu-ftpd or proftpd anymore as
> they have just too many security problems)
>
> Best Regards,
> Ethan Benson
> To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
>

--
*****************************************************************
Neil David John Roberts - Lander World Communications Server S.L.
Calle Rufino Gonzalez, N°15 - 4° Planta  -  Madrid, Spain - 28037
Telf : 91 789 77 10  ;  Fax  :  91 304 20 44 ; Mobile 656 377 661
E-Mail - koala@lander.es ; WP00817@bigfoot.com ; redhat@lander.es
Web Sites : http://www.lander.es  ;  http://www.lander.es/~koala/
For Urgent Contact Phone 940 331 331 And Leave Message For # NR10
AOL Instant Messenger:Screen Name: WP00817  09:30-19:00 GMT +0200
PGP:Name:Neil D. Roberts <koala@lander.es>;SignerKeyId:0xD29489C0
Type: DH/DSS  ;  Size:2048/1024  ;  Expires:Never  ;  Cipher:CAST
*****************************************************************

Bend the facts to fit the conclusion. It's easier that way.
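The stripped-down ~ftpadmin/etc files and the incoming-directory modes that the quoted reply describes, as an added shell example (not code from either poster); the passwd/group input is constructed, and the function and variable names are my own:

```shell
#!/bin/sh
# Added example (not from the thread): build the stripped-down
# ~ftpadmin/etc/passwd and ~ftpadmin/etc/group the reply describes, and
# check an incoming directory for the sticky-bit / mode-3 layout it gives.

# Constructed stand-ins for the real /etc/passwd and /etc/group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftpadmin:$1$notreal$hash:1001:1001:FTP admin,,,:/home/ftpadmin:/bin/false'
SAMPLE_GROUP='root:x:0:
daemon:x:1:
ftpadmin:x:1001:'

# make_jail_etc JAIL SRC_PASSWD SRC_GROUP NAME...
# Writes JAIL/etc/passwd and JAIL/etc/group containing only NAME... with the
# real uid/gid but no password hash, gecos, home or shell (ls only needs the
# id-to-name mapping).  Users left out just show up as numbers in 'ls -l'.
make_jail_etc() {
    jail=$1 src_passwd=$2 src_group=$3; shift 3
    mkdir -p "$jail/etc"
    : > "$jail/etc/passwd"
    : > "$jail/etc/group"
    for name in "$@"; do
        ids=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4 }' "$src_passwd")
        [ -n "$ids" ] || { echo "make_jail_etc: no such user: $name" >&2; return 1; }
        uid=${ids%%:*} gid=${ids##*:}
        printf '%s:*:%s:%s:::\n' "$name" "$uid" "$gid" >> "$jail/etc/passwd"
        # Add the user's primary group once, by gid, again without members.
        grep -q ":\*:$gid:\$" "$jail/etc/group" ||
            awk -F: -v g="$gid" '$3 == g { printf "%s:*:%s:\n", $1, $3 }' \
                "$src_group" >> "$jail/etc/group"
    done
    chmod 444 "$jail/etc/passwd" "$jail/etc/group"
    chmod 111 "$jail/etc"
}

# check_incoming DIR: succeed only if DIR is a directory with the sticky bit
# (uploaders can remove only their own files, as in /tmp) and world bits
# exactly --x-w- (mode 3: upload allowed, listing denied).  -prune keeps
# find from descending so only DIR itself is tested.
check_incoming() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    [ -n "$(find "$dir" -prune -perm -1000)" ] ||
        { echo "$dir: sticky bit not set" >&2; return 1; }
    [ -n "$(find "$dir" -prune -perm -003)" ] ||
        { echo "$dir: world needs write+execute to upload" >&2; return 1; }
    [ -z "$(find "$dir" -prune -perm -004)" ] ||
        { echo "$dir: world can list the directory" >&2; return 1; }
}
```

Run as root on the real box the same two calls would point at /etc/passwd and /etc/group and the actual ~ftpadmin; the chmod 111 on etc mirrors the reply, so the files inside stay readable by name but the directory cannot be listed.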