Solved

Limited User Setup?

Posted on 1998-06-07
Last Modified: 2010-04-21
I need to learn to set up an extremely limited user on my Unix Web server.  I host clients' Web sites and until now, I have told all my clients that they can't access the server directly.  Most clients don't want this.  They want me to do the technical and design work.  I have now had several requests for accounts that allow the users to have FTP and Telnet access.  How can I protect the rest of my server and yet allow these clients to access a specific directory on my server with FTP and Telnet?  I have a number of proprietary software programs and a database server running on this machine, so I REALLY DON'T want these people endangering the stability of the machine or any files except their own.
Question by:pagedesigns
13 Comments
 

Author Comment

by:pagedesigns
ID: 2007613
Edited text of question
0
 

Author Comment

by:pagedesigns
ID: 2007614
Edited text of question
0
 
LVL 5

Expert Comment

by:julio011597
ID: 2007615
On a Unix box, you can create an account for each customer. The customer gets assigned a "user", a "group", and a "home" directory. This done, your customers will be able to both telnet and ftp to the server; they'll find themselves in their home dir, and they'll be able to browse directories, read/write files, and run programs, according to their user/group and file permissions around the system.

This said, this is not a very common way to do things, unless you have very few trusted customers. The more common way is to have an ftp server and let them access your system by ftp only. Ftp servers allow setup of accounts and users' directories anyway, but this avoids the security risks shell accounts open.

Regards, julio
0
 

Author Comment

by:pagedesigns
ID: 2007616
Julio,
Can you tell me how I would set up an account on FTP only?  My machine is set up with an FTP server, but I don't know how to give someone an "FTP only" account.  Is this a regular user account?
0
 
LVL 5

Expert Comment

by:julio011597
ID: 2007617
> Can you tell me how I would set up an account on FTP only? My machine is set up with an FTP server, but I don't know how to give someone an "FTP only" account.

This depends on your OS, so all I can add is: man ftpd

> Is this a regular user account?

As said, it is not. An "ftp account" allows users to connect to your machine through ftp only (so, no telnet).

-julio
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2007618
If your ftpd is wu-ftpd, you can add a lot of restrictions to ftp users; they cannot even leave their ftp home directory.
For shell accounts (telnet), see julio's answer.
0

 
LVL 2

Expert Comment

by:seedy
ID: 2007619
If you want to let your clients have telnet access, consider making their login shell a restricted shell (man rsh, man krsh). This gives you a controlled environment. Some Unix flavors let you customize the environment by letting you create a directory of commands (/usr/rbin) that can be used under rsh.

If you want to have FTP access also, consider a commercial FTP server such as one from Netscape; there may be a few shareware tools too. Otherwise, you need to restrict the users by permissions, etc., as julio suggests.

A very crude method of letting users have an FTP-only account: edit the /etc/password file and change the last field of the user's entry to an invalid login shell. Example:

seedy:*:1123:456:Seedy, my place, my ext:/usr/seedy:/bin/false

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2007620
seedy, /bin/false in passwd may be ignored by some ftpd implementations :-(

0
 
LVL 2

Expert Comment

by:seedy
ID: 2007621
/bin/false to make the telnet fail.
0
 
LVL 5

Expert Comment

by:julio011597
ID: 2007622
An ISP I've worked for used to give /dev/null to their customers, in order to let them connect to the Internet via modem, but not be able to telnet to the server. Anyway, that disables ftp access as well. The few customers who needed an ftp directory to upload their stuff to had the usual bin dir (owned by root), with a couple of commands in it.

This was on an SGI running IRIX.

-julio
0
 
LVL 1

Expert Comment

by:m4rc
ID: 2007623
I run Slackware, and /bin/false disallows ftp access as well.

So, if I understand the situation so far, the easiest solution is to make a new group with less permissions than USER so maybe they cannot poke around the system, but can telnet and ftp files into their own home directories?


0
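The differing results reported above for /bin/false have a common cause: many ftpd implementations only accept users whose login shell is listed in /etc/shells. The following audit script is an added example, not code from any poster in this thread, and it classifies passwd-format entries by what their shell field permits. The sample entries, the default UID cutoff of 1000 and the class names are assumptions, and on many systems rsh is the remote shell rather than a restricted shell.

```shell
#!/bin/sh
# Added example; the passwd and shells data below are constructed samples.
# classify_accounts PASSWD_FILE SHELLS_FILE [MIN_UID]
# Prints "user:class" for accounts with UID >= MIN_UID (default 1000, assumed).
classify_accounts() {
    awk -F: -v shells="$2" -v min="${3:-1000}" '
        BEGIN {
            # Load valid shells, skipping blank lines and comments.
            while ((getline line < shells) > 0)
                if (line != "" && line !~ /^#/) valid[line] = 1
        }
        $3 + 0 >= min + 0 {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            n = split(shell, parts, "/"); base = parts[n]
            if (base ~ /^(false|nologin|null)$/)
                # No usable shell, so telnet fails. FTP still works if the
                # ftpd finds the shell in the shells file or never checks.
                cls = (shell in valid) ? "ftp-only" : "ftp-likely-refused"
            else if (base ~ /^(rbash|rsh|rksh|krsh)$/)
                cls = "restricted-shell"   # rsh, krsh, rbash: names from the thread
            else
                cls = "full-shell"
            print $1 ":" cls
        }' "$1"
}

# Build constructed sample files in a temp dir and classify them.
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:*:0:0:root:/root:/bin/sh
seedy:*:1123:456:Seedy, my place, my ext:/usr/seedy:/bin/false
clienta:*:1124:456:Client A:/home/clienta:/bin/rbash
clientb:*:1125:456:Client B:/home/clientb:/bin/bash
clientc:*:1126:456:Client C:/home/clientc:/dev/null
EOF
    printf '%s\n' '# constructed shells file' /bin/sh /bin/bash \
        /bin/rbash /bin/false > "$dir/shells"
    classify_accounts "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

sample_run
```

On a live system, pass /etc/passwd and /etc/shells as the two arguments and set the third to the lowest UID you hand out to customers.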
 
LVL 2

Expert Comment

by:squint
ID: 2007624
If a simple FTP-only account is not secure enough, you can implement an "anonymous" style FTP account for your users, where users can only see files starting at that user's home directory.

The wu-ftpd FAQ covers this one fairly well...

    man ftpd
    man chroot

0
 
LVL 1

Accepted Solution

by:
dyp earned 150 total points
ID: 2007625
To make a restricted telnet account, try to use
rbash, the so-called restricted bash...
I do not remember in which version of bash it
appeared, but in 2.02 it exists.
And it is enough to set up /bin/rbash instead
of /bin/bash, and the user will be unable to access files
in directories which are not lower than their home...
0

Question has a verified solution.
