FTP Chroot in the damn body of the email! SHEESH!


Subject: FTP Chroot in the damn body of the email! SHEESH!
From: Jon Reynolds (jonr@destar.net)
Date: Thu Sep 18 2003 - 17:25:00 AKDT


How to allow ftp access to a specific directory and deny remote access for ftpuser.

First, we need to set up a bogus shell so ftp users don't have access to the system from other types of programs, e.g. ssh, telnet, etc.

As the super user 'root' type this at the command line:

echo '/bin/ftponly' >> /etc/shells

Now we add our new ftponly shell. Do this by creating a dummy shell for
the ftp user. To do this, open up your favorite editor and create a file
with this text in it:

#!/bin/sh

echo "This account is currently not available"

exit 1

Save this file with the filename 'ftponly' and save it in the '/bin/' directory.

Now issue this command on our newly created ftponly shell:

chmod +x /bin/ftponly

Send the system 'init' the sighup signal so that it reads our changes:

kill -HUP 1 ('init' always has the pid of 1)

Now we add our ftp user using the 'adduser' command. Two things to note
when adding your ftpuser. After it asks you to put in the new username
and full username, answer the next two questions with the following
answers:

When it asks you what shell to use, answer with 'ftponly'.

The next question asks you to give the new user a home directory. Give
the path to the directory that you want your ftpuser to have, e.g.
/usr/local/ftpuser.

Now all we need to do is add our new user to the '/etc/ftpchroot' file.
To do this we simply echo the new user into the file.

echo <username> >> /etc/ftpchroot

After the echo command we issue the 'cat' command on the
'/etc/ftpchroot' file to confirm the entry was written.

cat /etc/ftpchroot

Now our new user can log in and only access their "home" directory, and
it is seen as /. They cannot traverse our filesystem by issuing the
command 'cd /' as it will only take them back to their 'home'
directory as defined by the 'adduser' command. Also, our new ftpuser can
only ftp into our system and has no access to the system other
than ftp.

Jon

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
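Added example, not part of Jon's post: the same procedure written as idempotent shell functions, plus a checker that confirms an account really is locked down to chrooted FTP (shell is /bin/ftponly, that shell is listed in /etc/shells, user is listed in /etc/ftpchroot, home directory exists). The ROOT prefix, the function names and the make_sandbox helper with its sample passwd lines are my own assumptions for dry-running this without root; with ROOT empty the functions touch the live /etc and /bin. The adduser step itself is left to adduser, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): the ftponly/ftpchroot setup as
# idempotent functions, plus a checker for the result.
# ROOT is an assumed directory prefix put in front of every path; "" means the
# live system (needs root), a scratch directory lets you dry-run everything.
: "${ROOT:=}"

# install_ftponly: write the refusal shell and list it in /etc/shells exactly once.
install_ftponly() {
    mkdir -p "$ROOT/bin" "$ROOT/etc"
    printf '%s\n' '#!/bin/sh' \
        'echo "This account is currently not available"' \
        'exit 1' > "$ROOT/bin/ftponly"
    chmod 755 "$ROOT/bin/ftponly"
    if ! grep -qxF '/bin/ftponly' "$ROOT/etc/shells" 2>/dev/null; then
        echo '/bin/ftponly' >> "$ROOT/etc/shells"
    fi
}

# chroot_ftp_user USER: add USER to /etc/ftpchroot unless already listed.
chroot_ftp_user() {
    if ! grep -qxF "$1" "$ROOT/etc/ftpchroot" 2>/dev/null; then
        echo "$1" >> "$ROOT/etc/ftpchroot"
    fi
}

# check_ftp_only USER: return 0 only if USER can do nothing but chrooted FTP.
# Every failed check is printed, so the output says what is left to fix.
check_ftp_only() {
    user=$1
    ok=0
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$ROOT/etc/passwd")
    if [ -z "$entry" ]; then
        echo "$user: no such account in /etc/passwd"
        return 1
    fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ "$shell" != /bin/ftponly ]; then
        echo "$user: login shell is '$shell', so ssh/telnet logins still work"
        ok=1
    fi
    if [ ! -x "$ROOT$shell" ]; then
        echo "$user: shell $shell is missing or not executable"
        ok=1
    fi
    # ftpd compares the login shell against /etc/shells (getusershell) and
    # refuses accounts whose shell is not listed, so this entry is required.
    if ! grep -qxF "$shell" "$ROOT/etc/shells" 2>/dev/null; then
        echo "$user: $shell is not in /etc/shells, ftpd will reject the login"
        ok=1
    fi
    if ! grep -qxF "$user" "$ROOT/etc/ftpchroot" 2>/dev/null; then
        echo "$user: not in /etc/ftpchroot, can cd out of $home"
        ok=1
    fi
    if [ ! -d "$ROOT$home" ]; then
        echo "$user: home directory $home does not exist"
        ok=1
    fi
    return $ok
}

# make_sandbox: build a constructed scratch tree (sample passwd lines, not real
# accounts) and print its path, so the functions above can be tried without root.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/etc" "$sb/home/alice" "$sb/usr/local/ftpuser"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/sh' \
        'ftpuser:x:1001:1001:FTP only:/usr/local/ftpuser:/bin/ftponly' \
        > "$sb/etc/passwd"
    echo '/bin/sh' > "$sb/etc/shells"
    printf '%s' "$sb"
}

# Dry run: ROOT=$(make_sandbox); install_ftponly; chroot_ftp_user ftpuser; check_ftp_only ftpuser
```

In the sandbox, check_ftp_only passes for ftpuser once install_ftponly and chroot_ftp_user have run, and fails for alice (interactive shell, not in /etc/ftpchroot) and for a nonexistent user. Running it with an empty ROOT after following the post's steps is the quick way to see whether anything was missed.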



This archive was generated by hypermail 2a23 : Thu Sep 18 2003 - 17:31:29 AKDT