
Limited User Setup?

I need to learn to set up an extremely limited user on my Unix Web server.  I host clients' Web sites and until now, I have told all my clients that they can't access the server directly.  Most clients don't want this.  They want me to do the technical and design work.  I have now had several requests for accounts that allow the users to have FTP and Telnet access.  How can I protect the rest of my server and yet allow these clients to access a specific directory on my server with FTP and Telnet?  I have a number of proprietary software programs and a database server running on this machine, so I REALLY DON'T want these people endangering the stability of the machine or any files except their own.

Asked: pagedesigns
 
julio011597 Commented:
On a Unix box, you can create an account for each customer. The customer gets assigned a "user", a "group", and a "home" directory. This done, your customers will be able to both telnet and ftp to the server, they'll find themselves in their home dir, and they'll be able to browse directories, read/write files, and run programs, according to their user/group and file permissions around the system.

This said, this is not a very common way to do things, unless you have very few trusted customers. The more common way is to have an ftp server and let them access your system by ftp only. Ftp servers allow set up of accounts and users' directories anyway, but this avoids the security risks shell accounts open.

Regards, julio
 
pagedesigns Author Commented:
Julio,
Can you tell me how I would set up an account on FTP only?  My machine is set up with an FTP server, but I don't know how to give someone an "FTP only" account.  Is this a regular user account?
 
julio011597 Commented:
> Can you tell me how I would set up an account on FTP only? My machine is set up with an FTP server, but I don't know how to give someone an "FTP only" account.

This depends on your OS, so all I can add is: man ftpd

> Is this a regular user account?

As said, it is not. An "ftp account" allows users to connect to your machine through ftp only (so, no telnet).

-julio
 
ahoffmann Commented:
If your ftpd is wu-ftpd, you can add a lot of restrictions to ftp users; they cannot even leave their ftp home directory.
For shell accounts (telnet), see julio's answer.
 
seedy Commented:
If you want to let your clients have telnet access, consider making their login shell a restricted shell (man rsh, man krsh).  This gives you a controlled environment.  Some Unix flavors let you customize the environment by letting you create a directory of commands (/usr/rbin) that can be used under rsh.

If you want to have FTP access also, consider a commercial FTP server such as one from Netscape; there may be a few shareware tools too.  Otherwise, you need to restrict the users by permissions, etc., as julio suggests.

A very crude method of letting users have an FTP-only account: edit the /etc/passwd file and change the last field of the user's entry to an invalid login shell. Example:

    seedy:*:1123:456:Seedy, my place, my ext:/usr/seedy:/bin/false

 
ahoffmann Commented:
seedy, /bin/false in passwd may be ignored by some ftpd implementations :-(

 
seedy Commented:
/bin/false to make the telnet fail.
 
julio011597 Commented:
An ISP I've worked for used to give /dev/null to their customers, in order to let them connect to the Internet via modem, but not be able to telnet to the server. Anyway, that disables ftp access, as well. The few customers who needed an ftp directory to upload their stuff to had the usual bin dir (owned by root), with a couple of commands in it.

This was on an SGI running IRIX.

-julio
 
m4rc Commented:
I run Slackware, and /bin/false disallows ftp access as well.

So, if I understand the situation so far, the easiest solution is to make a new group with less permissions than USER so maybe they cannot poke around the system, but can telnet and ftp files into their own home directories?


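One common reason a /bin/false login shell blocks FTP as well as telnet, as reported above, is that classic ftpd implementations (BSD ftpd, wu-ftpd) only accept users whose shell is listed in /etc/shells, via getusershell(3). The following is an added example, not part of the thread: a shell function that audits a passwd file against a shells file. The file contents are constructed samples, and it models only the shells check, not /etc/ftpusers or server-specific options.

```shell
#!/bin/sh
# Added example (not from the thread): report, per account, whether the login
# shell allows an interactive session and whether an ftpd that checks
# /etc/shells via getusershell(3) would accept the account.

# Shells that end a telnet session immediately (assumed list, extend as needed).
NOLOGIN_SHELLS="/bin/false /sbin/nologin /usr/sbin/nologin /dev/null"

# audit_shells PASSWD_FILE SHELLS_FILE
# Prints one "user shell=... telnet=... ftp=..." line per passwd entry.
audit_shells() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, a, " "); for (i = 1; i <= n; i++) deny[a[i]] = 1 }
        # First file argument: the shells file. Skip comments and blank lines.
        FILENAME == ARGV[1] { if ($0 !~ /^[ \t]*(#|$)/) listed[$0] = 1; next }
        # Second file argument: passwd entries. Field 7 is the login shell.
        NF >= 7 {
            shell  = ($7 == "") ? "/bin/sh" : $7   # empty field defaults to /bin/sh
            telnet = (shell in deny)   ? "no"  : "yes"
            ftp    = (shell in listed) ? "yes" : "no"
            printf "%s shell=%s telnet=%s ftp=%s\n", $1, shell, telnet, ftp
        }
    ' "$2" "$1"
}

# write_sample DIR: constructed sample files, not taken from a real system.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:*:0:0:root:/root:/bin/sh
seedy:*:1123:456:Seedy, my place, my ext:/usr/seedy:/bin/false
client1:*:2001:500:constructed FTP-only client:/home/client1:/bin/false
EOF
    printf '%s\n' '# shells file without /bin/false' /bin/sh /bin/bash > "$1/shells.strict"
    printf '%s\n' /bin/sh /bin/bash /bin/false > "$1/shells.ftponly"
}

tmp=$(mktemp -d)
write_sample "$tmp"
echo "== /bin/false not listed in shells: FTP refused as well =="
audit_shells "$tmp/passwd" "$tmp/shells.strict"
echo "== /bin/false listed in shells: FTP allowed, telnet still fails =="
audit_shells "$tmp/passwd" "$tmp/shells.ftponly"
rm -rf "$tmp"
```

On a live system the call would be `audit_shells /etc/passwd /etc/shells`; an account showing telnet=no ftp=yes is the FTP-only case the thread is after, while ftp=no means the shell must be added to the shells file before such an ftpd will accept the login.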
 
squint Commented:
If a simple FTP only account is not secure enough, you can implement an "anonymous" style FTP account for your users, where users can only see files starting at that user's home directory.

The wu-ftpd FAQ covers this one fairly well...

    man ftpd
    man chroot

 
dyp Commented:
To make a restricted telnet account, try to use rbash, the so-called restricted bash... I do not remember in which version of bash it appeared, but in 2.02 it exists. It is enough to set up /bin/rbash instead of /bin/bash, and the user will be unable to access files in directories which are not lower than their home...