
Limited FTP only access

How can I set up RedHat linux to allow a user FTP access only (i.e. no shell)? I also want to restrict this user to a single directory only. Any suggestions appreciated!
Asked by: bergsy

1 Solution
jlevieCommented:
The no-shell part is easy, just give them a shell of /bin/false and add /bin/false to /etc/shells. How to restrict them to a single directory depends in part on what FTP server you're using. Which one do you have installed, wu-ftp?

bergsyAuthor Commented:
Thanks for the tip. I am using wu-ftp (Version wu-2.4.2-VR17(1)).

jlevieCommented:
Okay, more info shortly.
jlevieCommented:
Two man pages that you'll want to be familiar with are "man ftpd" and "man ftpaccess", oh yeah the definitive source of information about wu-ftp is at http://www.wu-ftpd.org/.

There's a cookbook example in the pages http://www.landfield.com/wu-ftpd/guest-howto.html#example
bernardhCommented:
on your /etc/ftpaccess file add the line:

guestgroup ftp

then edit your /etc/passwd file:

guest:x:500:50:/home/guest/./directory_you_want/:/bin/ftponly

In this example I created a guest account under the ftp group (GID=50), directory_you_want is the name of the particular directory FTP users can access, and /bin/ftponly is a dummy shell.

jlevieCommented:
There's a bit more to it than that, especially if you want the user to be able to list the files and see the real username & group rather than just the numeric values.
bergsyAuthor Commented:
I've followed the cookbook recipe, but because there is only one user I've used guestuser instead of guestgroup. As the user I can login fine and send and retrieve files.

I cannot do an ls. If I try, I get the following response:-

200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.

Notice that no files are given! Following the cookbook recipe, I created /bin /etc and /lib. I've copied ls into /bin, and a library file 'libc.so.5' into /lib. What should the permissions of /lib and this file be? Any idea why ls isn't working?
jlevieCommented:
The perms of ls should be 111 and libc should be 444. If you do an ldd on /bin/ls I think you'll find that you also need ld-linux.so also.
jyu_88Commented:
If you don't have files in the chrooted guest's homedir, ls will not show anything. You actually did a successful 'ls'; it just so happens that there is nothing there.

mapcCommented:
I'd rather go for the chroot()ed environment.
Since duplicating libc et al. for all users is a nightmare, use the built-in ls instead.
This feature has been available in *BSD variants for a long time, and it's in wu-ftpd as well.
The downside is that you'll have to recompile it.
Recompile wu-ftpd with builtin ls, then, run it from inetd with -a flag (this will enable use of ftpaccess file)
in access file list your user group as "guestgroup"
(if I remember correctly), in any way, the file has comments in it and wu-ftpd comes with handy man pages.
Your version is old, I'd advise upgrade anyhow.
And chroot()ed ftp is way better than usual.
bergsyAuthor Commented:
Looking at the configure options, I am told that built in LS is experimental. Maybe I am paranoid, but just how reliable is it?
As for the LS as it stands, there are certainly files in that directory - it's just that LS is not showing them!
mapcCommented:
I've used this option in FreeBSD (which has its own ftpd) and it worked fine. I also used this with wu-ftpd 2.6.0 on Solaris 2.7, and it worked fine as well.
I'm not sure what you're missing.
It may not give you all the whistles and bells that ls does, but, on the other hand, it works, and it's really a relief in administration.
Then again, if we're talking about one user, it may be simpler to copy libs and ls to make it work.
About paranoid- there's such switch as well :)
What ls isn't showing files? builtin?
regular one?
jlevieCommented:
Yeah, I'd be hesitant to use an "experimental" feature in something like an FTP daemon for fear of opening a security hole. If we're gonna get into compiling things, why not just build a statically linked ls? I just did so to see how much trouble it would be, and it took me about 5 minutes using the sources from fileutils-4.0-8.src.rpm.

It's not a bad thing to have some statically linked utils around anyway, especially if you ever get into problems with the shared libs. Most of the "desperation time" utils are in fileutils.

mapcCommented:
It's experimental since parsing of ls options and ls emulation is done in the ftpd. It can make a wrong sorting in the worst case. It's probably messing up with TZ settings. Read the code.
I think it's better for security.
Maintaining ls for each user if you have, say, ~500 is umm.. not pretty.
Even if these are just hardlinks.
You can alternatively use ftpd from bsd system.
There's:
http://www.eleves.ens.fr:8080/home/madore/programs/#prog_ftpd-BSD

Which is a port of openbsd ftpd.
I just don't know what features were removed.
bernardhCommented:
Check out this FTP tips link:

http://www.redhat.com/support/docs/tips/FTP-Setup-Tips/FTP-Setup-Tips.html#toc1

It's probably one of the simplest yet most effective ways to tweak FTP.

j2Commented:
I would like to cast my vote for "proftpd" (www.proftpd.org), which is more flexible than wu-ftpd in cases such as this. However it CAN be done with wu, and the link bernardh gave is quite useful.

bergsyAuthor Commented:
Some dilemma as to who should get the points here - it's between jlevie and bernardh. But the link given provides all the info needed, bar the dummy shell, so I suppose it's most useful. My LS problem was solved by copying everything in the anonymous /home/ftp directory - I think either one of the libraries or the lack of a passwd file in etc was causing the problem. Anyway, it all works now, so thanks to all!
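As an added example (not code from the thread, from Red Hat or from wu-ftpd): a small POSIX shell script that builds the chroot skeleton bernardh's passwd line and the cookbook recipe describe, copies ls together with the libraries ldd reports at the 111/444 permissions jlevie gives, and writes stripped etc/passwd and etc/group files so ls can show names instead of numeric ids, which is also the missing piece bergsy found at the end. The dummy shell /bin/ftponly, the uid/gid 500/50 and the directory names are assumptions taken from the thread's example.

```shell
#!/bin/sh
# Added example, not from the thread: minimal chroot for one wu-ftpd guest user.
# Assumes a Linux host with ldd; /bin/ftponly is the dummy shell named in the
# thread and must also be listed in /etc/shells; uid/gid/paths are assumptions.
set -e

# passwd line with the /./ marker: the part before /./ becomes the guest's
# root, the part after it is the directory the guest lands in.
guest_passwd_line() {
    # usage: guest_passwd_line USER UID GID CHROOT_ROOT LANDING_SUBDIR
    printf '%s:x:%s:%s:%s/./%s:/bin/ftponly\n' "$1" "$2" "$3" "$4" "$5"
}

# etc/passwd for the chroot: only root and the guest, every hash replaced by
# '*', so ls can print owner names without the real hashes inside the chroot.
chroot_passwd() {
    # usage: chroot_passwd SYSTEM_PASSWD GUEST_USER
    awk -F: -v u="$2" 'BEGIN { OFS = ":" }
        $1 == "root" || $1 == u { print $1, "*", $3, $4, $5, $6, "/bin/ftponly" }' "$1"
}

# etc/group for the chroot: root plus the guest's group, member list dropped.
chroot_group() {
    # usage: chroot_group SYSTEM_GROUP GUEST_GID
    awk -F: -v g="$2" 'BEGIN { OFS = ":" }
        $1 == "root" || $3 == g { print $1, "*", $3, "" }' "$1"
}

# Copy a binary and every library ldd resolves for it (libc, ld-linux, ...)
# into the chroot at their original paths: binary mode 111, libraries 444.
install_into_chroot() {
    # usage: install_into_chroot CHROOT_ROOT /bin/ls
    root=$1; bin=$2
    mkdir -p "$root/bin" "$root/etc" "$root/lib"
    cp "$bin" "$root/bin/" && chmod 111 "$root/bin/${bin##*/}"
    ldd "$bin" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                      $1 ~ /^\// { print $1 }' |
    while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib" && chmod 444 "$root$lib"
    done
}

# Ties it together for the thread's example: guest uid 500, group ftp gid 50.
build_guest_chroot() {
    # usage: build_guest_chroot CHROOT_ROOT SYSTEM_PASSWD SYSTEM_GROUP
    install_into_chroot "$1" /bin/ls
    chroot_passwd "$2" guest > "$1/etc/passwd"
    chroot_group "$3" 50 > "$1/etc/group"
    chmod 444 "$1/etc/passwd" "$1/etc/group"
    guest_passwd_line guest 500 50 "$1" pub   # line to add to the system passwd
}
```

Run `build_guest_chroot /home/guest /etc/passwd /etc/group` as root, append the printed line to /etc/passwd, and keep the chroot's own etc/passwd free of real hashes as the functions do.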
