Solved

Limited User Setup?

Posted on 1998-06-07
13
229 Views
Last Modified: 2010-04-21
I need to learn to set up an extremely limited user on my Unix Web server.  I host clients' Web sites and until now, I have told all my clients that they can't access the server directly.  Most clients don't want this.  They want me to do the technical and design work.  I have now had several requests for accounts that allow the users to have FTP and Telnet access.  How can I protect the rest of my server and yet allow these clients to access a specific directory on my server with FTP and Telnet?  I have a number of proprietary software programs and a database server running on this machine, so I REALLY DON'T want these people endangering the stability of the machine or any files except their own.
Question by:pagedesigns
13 Comments
 

Author Comment

by:pagedesigns
ID: 2007613
Edited text of question
0
 

Author Comment

by:pagedesigns
ID: 2007614
Edited text of question
0
 
LVL 5

Expert Comment

by:julio011597
ID: 2007615
On a Unix box, you can create an account for each customer. The customer gets assigned a "user", a "group", and a "home" directory. This done, your customers will be able to both telnet and ftp to the server; they'll find themselves in their home dir, and they'll be able to browse directories, read/write files, and run programs, according to their user/group and the file permissions around the system.

This said, this is not a very common way to do things, unless you have very few trusted customers. The more common way is to have an ftp server and let them access your system by ftp only. Ftp servers still allow setting up accounts and users' directories, but this avoids the security risks that shell accounts open.

Regards, julio
0
 

Author Comment

by:pagedesigns
ID: 2007616
Julio,
Can you tell me how I would set up an account on FTP only?  My machine is set up with an FTP server, but I don't know how to give someone an "FTP only" account.  Is this a regular user account?
0
 
LVL 5

Expert Comment

by:julio011597
ID: 2007617
> Can you tell me how I would set up an account on FTP only? My machine is set up with an FTP server, but I don't know how to give someone an "FTP only" account.

This depends on your OS, so all I can add is: man ftpd

> Is this a regular user account?

As said, it is not. An "ftp account" allows users to connect to your machine through ftp only (so, no telnet).

-julio
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2007618
If your ftpd is a wu-ftpd you can add a lot of restrictions to ftp users; they even cannot leave their ftp home directory.
For shell accounts (telnet) see julio's answer.
0
 
LVL 2

Expert Comment

by:seedy
ID: 2007619
If you want to let your clients have telnet access, consider making their login shell a restricted shell (man rsh, man krsh). This gives you a controlled environment. Some Unix flavors let you customize the environment by letting you create a directory of commands (/usr/rbin) that can be used under rsh.

If you want to have FTP access also, consider a commercial FTP server such as the one from Netscape; there may be a few shareware tools too. Otherwise, you need to restrict the users by permissions, etc., as julio suggests.

A very crude method of letting users have an FTP-only account: edit the /etc/passwd file; change the last field of the user's entry to an invalid login shell. Example:

seedy:*:1123:456:Seedy, my place, my ext:/usr/seedy:/bin/false

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2007620
seedy, /bin/false in passwd may be ignored by some ftpd implementations :-(

0
 
LVL 2

Expert Comment

by:seedy
ID: 2007621
/bin/false to make the telnet fail.
0
 
LVL 5

Expert Comment

by:julio011597
ID: 2007622
An ISP I've worked for used to give /dev/null to their customers, in order to let them connect to the Internet via modem, but not be able to telnet to the server. Anyway, that disables ftp access as well. The few customers who needed an ftp directory to upload their stuff to had the usual bin dir (owned by root), with a couple of commands in it.

This was on an SGI running IRIX.

-julio
0
 
LVL 1

Expert Comment

by:m4rc
ID: 2007623
I run Slackware, and /bin/false disallows ftp access as well.

So, if I understand the situation so far, the easiest solution is to make a new group with fewer permissions than USER so maybe they cannot poke around the system, but can telnet and ftp files into their own home directories?


0
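The /bin/false exchange above (seedy, ahoffmann, m4rc and julio's /dev/null shell) comes down to one rule that the thread never states: most ftpd implementations (wu-ftpd, and the BSD ftpd via getusershell(3)) accept a login only when the account's shell is listed in /etc/shells, while telnet needs a shell that actually runs. The script below is an added example, not from any poster; it audits a constructed passwd file against a constructed shells file (paths, sample users and the function names are assumptions) and reports what kind of access each account gets.

```shell
#!/bin/sh
# Audit which access each account gets, using two facts from the thread:
# telnet works only if the login shell actually runs, and most ftpd
# implementations (wu-ftpd, BSD ftpd via getusershell(3)) refuse any
# account whose shell is not listed in /etc/shells.
# The passwd/shells data is CONSTRUCTED so this runs offline; point
# PASSWD_FILE and SHELLS_FILE at the real files to audit a host.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASSWD_FILE="$WORK/passwd"; SHELLS_FILE="$WORK/shells"
cat > "$PASSWD_FILE" <<'EOF'
alice:x:1001:100:Alice, trusted client:/home/alice:/bin/sh
bob:x:1002:100:Bob, ftp-only client:/home/bob:/bin/false
carol:x:1003:100:Carol, restricted shell:/home/carol:/bin/rbash
dave:x:1004:100:Dave, locked:/home/dave:/dev/null
EOF
cat > "$SHELLS_FILE" <<'EOF'
/bin/sh
/bin/bash
/bin/rbash
/bin/false
EOF

# login_shell USER -> prints the seventh passwd field (the login shell)
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$PASSWD_FILE"
}

# in_shells SHELL -> succeeds if SHELL is listed in the shells file
in_shells() {
    grep -qxF -- "$1" "$SHELLS_FILE"
}

# account_access USER -> telnet+ftp | ftp-only | none | unknown
account_access() {
    shell=$(login_shell "$1")
    [ -n "$shell" ] || { echo unknown; return 1; }
    if ! in_shells "$shell"; then
        echo none        # unlisted shell: ftpd refuses, telnet cannot run it
    elif [ "$shell" = /bin/false ]; then
        echo ftp-only    # listed, so ftpd accepts; the shell exits at once
    else
        echo telnet+ftp  # a real (possibly restricted) shell
    fi
}

for u in alice bob carol dave; do
    printf '%-6s %-10s %s\n' "$u" "$(login_shell "$u")" "$(account_access "$u")"
done
```

Whether /bin/false appears in /etc/shells is exactly the difference between ahoffmann's ftpd (which let such users in) and m4rc's Slackware ftpd (which refused them).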
 
LVL 2

Expert Comment

by:squint
ID: 2007624
If a simple FTP-only account is not secure enough, you can implement an "anonymous"-style FTP account for your users, where users can only see files starting at that user's home directory.

The wu-ftpd FAQ covers this one fairly well...

    man ftpd
    man chroot

0
 
LVL 1

Accepted Solution

by:dyp
dyp earned 150 total points
ID: 2007625
To make a restricted telnet account, try to use rbash, the so-called restricted bash... I do not remember in which version of bash it appeared, but in 2.02 it exists. And it is enough to set up /bin/rbash instead of /bin/bash and the user will be unable to access files in directories which are not below its home...
0
