Solved

Limited FTP only access

Posted on 2000-03-15
Last Modified: 2013-12-15
How can I set up RedHat linux to allow a user FTP access only (i.e. no shell)? I also want to restrict this user to a single directory only. Any suggestions appreciated!
Question by:bergsy
18 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 2619801
The no-shell part is easy: just give them a shell of /bin/false and add /bin/false to /etc/shells. How to restrict them to a single directory depends in part on what FTP server you're using. Which one do you have installed, wu-ftp?
0
 

Author Comment

by:bergsy
ID: 2619888
Thanks for the tip. I am using wu-ftp (Version wu-2.4.2-VR17(1)).
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2619936
Okay, more info shortly.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2620790
Two man pages that you'll want to be familiar with are "man ftpd" and "man ftpaccess", oh yeah the definitive source of information about wu-ftp is at http://www.wu-ftpd.org/.

There's a cookbook example in the pages http://www.landfield.com/wu-ftpd/guest-howto.html#example
0
 
LVL 2

Expert Comment

by:bernardh
ID: 2621486
on your /etc/ftpaccess file add the line:

guestgroup ftp

then edit your /etc/passwd file:

guest:x:500:50:/home/guest/./directory_you_want/:/bin/ftponly

In this example I created a guest account under the ftp group (GID=50); directory_you_want is the name of the particular directory ftp users can access, and /bin/ftponly is a dummy shell.

0
 
LVL 40

Expert Comment

by:jlevie
ID: 2621554
There's a bit more to it than that, especially if you want the user to be able to list the files and see the real username & group rather than just the numeric values.
0
 

Author Comment

by:bergsy
ID: 2626955
I've followed the cookbook recipe, but because there is only one user I've used guestuser instead of guestgroup. As the user I can login fine and send and retrieve files.

I cannot do an ls. If I try, I get the following response:-

200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.

Notice that no files are given! Following the cookbook recipe, I created /bin /etc and /lib. I've copied ls into /bin, and a library file 'libc.so.5' into /lib. What should the permissions of /lib and this file be? Any idea why ls isn't working?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2627733
The perms of ls should be 111 and libc should be 444. If you do an ldd on /bin/ls I think you'll find that you also need ld-linux.so.
0
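An added example, not code from the thread or from wu-ftpd: a POSIX shell script that puts together the pieces from bernardh's and jlevie's replies above (the "/./" home field, the dummy shell listed in /etc/shells, and a jail copy of ls with the libraries ldd reports, at the permissions jlevie gives, plus a stripped passwd/group so listings show names). The user "ftpguest", group "ftp", jail /home/ftpguest and subdirectory "incoming" are my assumptions.

```shell
#!/bin/sh
# Added example (mine, not from the thread or wu-ftpd): build the jail the
# replies describe. Assumed names: user ftpguest, group ftp, jail /home/ftpguest,
# upload subdirectory "incoming". Dry run unless invoked as root with --apply.
USER_NAME=ftpguest; FTP_GROUP=ftp; JAIL=/home/ftpguest; SUBDIR=incoming
DUMMY_SHELL=/bin/false   # jlevie's no-shell choice; must be listed in /etc/shells

# wu-ftpd chroots to the part of the home field before "/./" and then changes
# into the part after it, so a guest lands in $JAIL/$SUBDIR and cannot go above $JAIL.
passwd_entry() {  # name uid gid jail subdir shell
    printf '%s:x:%s:%s:%s/./%s/:%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Libraries /bin/ls needs inside the jail, read from ldd: the "=>" lines plus
# the bare loader line (ld-linux.so), which jlevie points out is easy to miss.
ls_libs() {
    ldd /bin/ls | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'
}

# Stripped passwd/group lines for the jail's own /etc, so "ls -l" shows names
# instead of numeric ids without exposing the real account database.
jail_passwd_line() { printf '%s:x:%s:%s::/:%s' "$1" "$2" "$3" "$DUMMY_SHELL"; }
jail_group_line()  { printf '%s:x:%s:' "$1" "$2"; }

build_jail() {
    mkdir -p "$JAIL/bin" "$JAIL/etc" "$JAIL/lib" "$JAIL/$SUBDIR"
    cp /bin/ls "$JAIL/bin/ls" && chmod 111 "$JAIL/bin/ls"     # execute-only, per jlevie
    for lib in $(ls_libs); do
        mkdir -p "$JAIL$(dirname "$lib")"
        cp "$lib" "$JAIL$lib" && chmod 444 "$JAIL$lib"        # read-only
    done
    uid=$(id -u "$USER_NAME"); gid=$(getent group "$FTP_GROUP" | cut -d: -f3)
    jail_passwd_line "$USER_NAME" "$uid" "$gid" > "$JAIL/etc/passwd"
    jail_group_line  "$FTP_GROUP" "$gid"        > "$JAIL/etc/group"
    chown root:root "$JAIL" && chmod 555 "$JAIL"   # guest may write only in $SUBDIR
    chown "$USER_NAME:$FTP_GROUP" "$JAIL/$SUBDIR" && chmod 755 "$JAIL/$SUBDIR"
}

if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    grep -qx "$DUMMY_SHELL" /etc/shells || echo "$DUMMY_SHELL" >> /etc/shells
    grep -qs "^guestgroup[[:space:]]*$FTP_GROUP" /etc/ftpaccess \
        || echo "guestgroup $FTP_GROUP" >> /etc/ftpaccess
    id "$USER_NAME" >/dev/null 2>&1 || useradd -M -g "$FTP_GROUP" -s "$DUMMY_SHELL" \
        -d "$JAIL/./$SUBDIR/" "$USER_NAME"   # if useradd rejects "/./", set it with vipw
    build_jail
else
    echo "dry run; passwd line would be: $(passwd_entry "$USER_NAME" 500 50 "$JAIL" "$SUBDIR" "$DUMMY_SHELL")"
    command -v ldd >/dev/null 2>&1 && { echo "libraries to copy:"; ls_libs; }
fi
```

Run it once without arguments to see the passwd line and library list it would use, then as root with --apply; check the result with ls -l as the guest before trusting it.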
 
LVL 3

Expert Comment

by:jyu_88
ID: 2631518
If you don't have files in the chrooted guest's homedir, ls will not show anything. You actually did an 'ls' successfully; it just so happens that there is nothing there.
0
 
LVL 2

Expert Comment

by:mapc
ID: 2632996
I'd rather go for the chroot()ed environment.
Since duplicating the libc et al. for all users is a nightmare, use the built-in ls instead.
This feature has been available in *BSD variants for a long time, and it's in wu-ftpd as well.
The downside is that you'll have to recompile it.
Recompile wu-ftpd with built-in ls, then run it from inetd with the -a flag (this will enable use of the ftpaccess file).
In the access file list your user group as "guestgroup"
(if I remember correctly); in any case, the file has comments in it and wu-ftpd comes with handy man pages.
Your version is old; I'd advise an upgrade anyhow.
And chroot()ed ftp is way better than usual.
0
 

Author Comment

by:bergsy
ID: 2634983
Looking at the configure options, I am told that built in LS is experimental. Maybe I am paranoid, but just how reliable is it?
As for the LS as it stands, there are certainly files in that directory - it's just that LS is not showing them!
0
 
LVL 2

Expert Comment

by:mapc
ID: 2635052
I've used this option in FreeBSD (which has its own ftpd) and it worked fine. I also used this with wu-ftpd 2.6.0 on Solaris 2.7, and it worked fine as well.
I'm not sure what you're missing.
It may not give you all the whistles and bells like ls does, but, on the other hand, it works, and it's really a relief in administration.
Then again, if we're talking about one user, it may be simpler to copy libs and ls to make it work.
About paranoid - there's such a switch as well :)
Which ls isn't showing files? The builtin one?
The regular one?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2635912
Yeah, I'd be hesitant to use an "experimental" feature in something like an ftp daemon for fear of opening a security hole. If we're gonna get into compiling things, why not just build a statically linked ls? I just did so to see how much trouble it would be and it took me about 5 minutes using the sources from fileutils-4.0-8.src.rpm.

It's not a bad thing to have some statically linked utils around anyway, especially if you ever get into problems with the shared libs. Most of the "desperation time" utils are in fileutils.
0
 
LVL 2

Expert Comment

by:mapc
ID: 2636365
It's experimental since parsing of ls options and ls emulation is done in the ftpd. It can make a wrong sorting in the worst case. It's probably messing up with TZ settings. Read the code.
I think it's better for security.
Maintaining ls for each user if you have, say, ~500 is umm.. not pretty.
Even if these are just hardlinks.
You can alternatively use ftpd from bsd system.
There's:
http://www.eleves.ens.fr:8080/home/madore/programs/#prog_ftpd-BSD

Which is a port of openbsd ftpd.
I just don't know what features were removed.
0
 
LVL 2

Accepted Solution

by:
bernardh earned 50 total points
ID: 2636924
check out this ftp tips link:

link:http://www.redhat.com/support/docs/tips/FTP-Setup-Tips/FTP-Setup-Tips.html#toc1

it's probably one of the simplest yet most effective ways to tweak ftp.

0
 
LVL 12

Expert Comment

by:j2
ID: 2639542
I would like to cast my vote for "proftpd" (www.proftpd.org) which is more flexible than wu.ftpd in cases such as this. However it CAN be done with wu, and the link bernardh gave is quite useful.
0
 

Author Comment

by:bergsy
ID: 2644960
Some dilemma as to who should get the points here - it's between jlevie and bernardh. But the link given provides all the info needed, bar the dummy shell, so I suppose it's most useful. My LS problem was solved by copying everything in the anonymous /home/ftp directory - I think either one of the libraries or the lack of a passwd file in etc. was causing the problem. Anyway, it all works now so thanks to all!
0
