Solved

Limited FTP only access

Posted on 2000-03-15
Last Modified: 2013-12-15
How can I set up RedHat linux to allow a user FTP access only (i.e. no shell)? I also want to restrict this user to a single directory only. Any suggestions appreciated!
Question by:bergsy
18 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 2619801
The no-shell part is easy: just give them a shell of /bin/false and add /bin/false to /etc/shells. How to restrict them to a single directory depends in part on what FTP server you're using. Which one do you have installed, wu-ftp?
0
 

Author Comment

by:bergsy
ID: 2619888
Thanks for the tip. I am using wu-ftp (Version wu-2.4.2-VR17(1)).
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2619936
Okay, more info shortly.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2620790
Two man pages that you'll want to be familiar with are "man ftpd" and "man ftpaccess". Oh yeah, the definitive source of information about wu-ftp is at http://www.wu-ftpd.org/.

There's a cookbook example in the pages http://www.landfield.com/wu-ftpd/guest-howto.html#example
0
 
LVL 2

Expert Comment

by:bernardh
ID: 2621486
In your /etc/ftpaccess file add the line:

guestgroup ftp

then edit your /etc/passwd file:

guest:x:500:50:/home/guest/./directory_you_want/:/bin/ftponly

In this example I created a guest account under the ftp group (GID=50); directory_you_want is the name of the particular directory FTP users can access, and /bin/ftponly is a dummy shell.

0
 
LVL 40

Expert Comment

by:jlevie
ID: 2621554
There's a bit more to it than that, especially if you want the user to be able to list the files and see the real username & group rather than just the numeric values.
0
 

Author Comment

by:bergsy
ID: 2626955
I've followed the cookbook recipe, but because there is only one user I've used guestuser instead of guestgroup. As the user I can login fine and send and retrieve files.

I cannot do an ls. If I try, I get the following response:

200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.

Notice that no files are given! Following the cookbook recipe, I created /bin /etc and /lib. I've copied ls into /bin, and a library file 'libc.so.5' into /lib. What should the permissions of /lib and this file be? Any idea why ls isn't working?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2627733
The perms of ls should be 111 and libc should be 444. If you do an ldd on /bin/ls I think you'll find that you also need ld-linux.so.
0
 
LVL 3

Expert Comment

by:jyu_88
ID: 2631518
If you don't have files in the chrooted guest's homedir, ls will not show anything. You actually did an 'ls' successfully; it just so happens that there is nothing there.
0
 
LVL 2

Expert Comment

by:mapc
ID: 2632996
I'd rather go for the chroot()ed environment.
Since duplicating the libc et al. for all users is a nightmare, use the built-in ls instead.
This feature has been available in *BSD variants for a long time, and it's in wu-ftpd as well.
The downside is that you'll have to recompile it.
Recompile wu-ftpd with builtin ls, then run it from inetd with the -a flag (this will enable use of the ftpaccess file);
in the access file list your user group as "guestgroup"
(if I remember correctly). In any case, the file has comments in it and wu-ftpd comes with handy man pages.
Your version is old; I'd advise an upgrade anyhow.
And chroot()ed ftp is way better than the usual kind.
0
 

Author Comment

by:bergsy
ID: 2634983
Looking at the configure options, I am told that built in LS is experimental. Maybe I am paranoid, but just how reliable is it?
As for the LS as it stands, there are certainly files in that directory - it's just that LS is not showing them!
0
 
LVL 2

Expert Comment

by:mapc
ID: 2635052
I've used this option in FreeBSD (which has its own ftpd) and it worked fine. I also used this with wu-ftpd 2.6.0 on Solaris 2.7, and it worked fine as well.
I'm not sure what you're missing.
It may not give you all the whistles and bells like ls does, but, on the other hand, it works, and it's really a relief in administration.
Then again, if we're talking about one user, it may be simpler to copy libs and ls to make it work.
About paranoid: there's such a switch as well :)
Which ls isn't showing files? The builtin?
The regular one?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2635912
Yeah, I'd be hesitant to use an "experimental" feature in something like an ftp daemon for fear of opening a security hole. If we're gonna get into compiling things, why not just build a statically linked ls? I just did so to see how much trouble it would be, and it took me about 5 minutes using the sources from fileutils-4.0-8.src.rpm.

It's not a bad thing to have some statically linked utils around anyway, especially if you ever get into problems with the shared libs. Most of the "desperation time" utils are in fileutils.
0
 
LVL 2

Expert Comment

by:mapc
ID: 2636365
It's experimental since parsing of ls options and ls emulation is done in the ftpd. It can make a wrong sorting in the worst case. It's probably messing up with TZ settings. Read the code.
I think it's better for security.
Maintaining ls for each user if you have, say, ~500 is umm.. not pretty.
Even if these are just hardlinks.
You can alternatively use ftpd from bsd system.
There's:
http://www.eleves.ens.fr:8080/home/madore/programs/#prog_ftpd-BSD

Which is a port of openbsd ftpd.
I just don't know what features were removed.
0
 
LVL 2

Accepted Solution

by: bernardh (earned 50 total points)
ID: 2636924
check out this ftp tips link:

http://www.redhat.com/support/docs/tips/FTP-Setup-Tips/FTP-Setup-Tips.html#toc1

it's probably one of the simplest yet effective way to tweak ftp.

0
 
LVL 12

Expert Comment

by:j2
ID: 2639542
I would like to cast my vote for "proftpd" (www.proftpd.org), which is more flexible than wu.ftpd in cases such as this. However it CAN be done with wu, and the link bernardh gave is quite useful.
0
 

Author Comment

by:bergsy
ID: 2644960
Some dilemma as to who should get the points here; it's between jlevie and bernardh. But the link given provides all the info needed, bar the dummy shell, so I suppose it's most useful. My LS problem was solved by copying everything in the anonymous /home/ftp directory; I think either one of the libraries or the lack of a passwd file in etc was causing the problem. Anyway, it all works now, so thanks to all!
0
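Pulling together bernardh's /./ passwd line, jlevie's permission advice, and the etc/passwd inside the jail that bergsy found necessary, here is an added example script that is not from anyone in the thread; the user name guest, uid 500, gid 50, the pub subdirectory and the /bin/ftponly dummy shell are assumed placeholders:

```shell
#!/bin/sh
# Added example: build a wu-ftpd guest chroot skeleton the way the thread
# describes. Assumed/hypothetical: jail path, user "guest", uid 500, gid 50,
# subdirectory "pub", dummy shell /bin/ftponly (the admin lists it in /etc/shells).
set -eu

# Real-system /etc/passwd line: the "/./" marks where wu-ftpd chroots;
# everything after it becomes the user's start directory inside the jail.
passwd_entry() {   # user uid gid jail subdir
    printf '%s:x:%s:%s:%s/./%s:/bin/ftponly\n' "$1" "$2" "$3" "$4" "$5"
}

# Absolute paths of the shared objects and ELF loader that $1 needs, from ldd.
shared_objects() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Populate $1 with bin/ls, its libraries, and a names-only etc/passwd + etc/group
# so "ls -l" inside the jail prints user/group names instead of numeric ids.
populate_jail() {   # jail user uid gid
    jail=$1 user=$2 uid=$3 gid=$4
    src=$(command -v ls)
    mkdir -p "$jail/bin" "$jail/etc" "$jail/lib"
    cp -f "$src" "$jail/bin/ls"
    chmod 111 "$jail/bin/ls"                     # execute-only, as suggested above
    for so in $(shared_objects "$src"); do       # resolve against the readable original
        mkdir -p "$jail$(dirname "$so")"         # keep the exact path the loader expects
        cp -f "$so" "$jail$so"
        case $(basename "$so") in
            ld-*) chmod 555 "$jail$so" ;;        # the kernel execs the loader itself: keep +x
            *)    chmod 444 "$jail$so" ;;
        esac
    done
    # No password hashes, no usable shell: these files only map uid/gid to names.
    printf '%s:x:%s:%s::/:/bin/false\n' "$user" "$uid" "$gid" > "$jail/etc/passwd"
    printf 'ftp:x:%s:\n' "$gid" > "$jail/etc/group"
    chmod 444 "$jail/etc/passwd" "$jail/etc/group"
}

# Returns 0 when the jail has an executable ls and a passwd file naming $2.
jail_ok() {   # jail user
    [ -x "$1/bin/ls" ] && grep -q "^$2:" "$1/etc/passwd"
}

if [ "${1:-}" ]; then   # usage: sh jail.sh /home/guest   (run as root for a real jail)
    populate_jail "$1" guest 500 50
    passwd_entry guest 500 50 "$1" pub
fi
```

The loader and libraries are copied under the same absolute paths they have on the host because the chrooted kernel and loader look them up by that path inside the jail.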
