Re: Apache Permissions Best Practices?


Subject: Re: Apache Permissions Best Practices?
From: Jon Reynolds (jonr@destar.net)
Date: Wed Nov 05 2003 - 13:23:08 AKST


On Wed, 2003-11-05 at 10:42, KSchneider wrote:
> Hi guys --
>
> I have a best practices question for permissions. I've got multiple secure
> ftp'ers accessing a site I'm about to launch. At the moment they are all
> using the same username for access, but I would like to keep them separate
> (for obvious reasons).
>
> So, my question: would it be better to create a new group for them and open
> up that group to writing to the directory and all of its subs (including
> the anonymous http user) rather than to give the group "users" write access
> to the directories? or is this a six of one, half dozen of the other kind
> of thing?
>
> What say you?
> Kate
>
Kate,

        About a month or maybe two ago I posted a howto do an ftpchroot for
just this setup. I found it and pasted it in here for you.

Jon

On Thu, 2003-09-18 at 17:25, Jon Reynolds wrote:
> How to allow ftp access to specific directory and deny remote access for ftpuser.
>
>
> First, we need to set up a bogus shell so ftp users don't have access to the system from other types of programs, e.g. ssh, telnet, etc.
>
> As the super user 'root' type this at the command line:
>
> echo '/bin/ftponly' >> /etc/shells
>
> Now we add our new ftponly shell. Do this by creating a dummy shell for
> the ftp user. To do this, open up your favorite editor and create a file
> with this text in it:
>
>
> #!/bin/sh -p
> # Dummy login shell: print a notice and refuse the session.
>
> echo "This account is currently not available"
>
> exit 1
>
>
>
>
> Save this file with the filename 'ftponly' and save it in the '/bin/'
> directory.
>
> Now issue this command on our newly created ftponly shell:
>
>
> chmod +x /bin/ftponly
>
>
> Send the system 'init' the sighup signal so that it reads our changes:
>
>
> kill -sighup 1 ('init' always has the pid of 1)
>
>
> Now we add our ftp user using the 'adduser' command. Two things to note
> when adding your ftpuser. After it asks you to put in the new username
> and full username, answer the next two questions with the following
> answers:
>
> When it asks you what shell to use, answer with 'ftponly'.
>
>
> The next question asks you to give the new user a home directory. Give
> the path to the directory that you want your ftpuser to have, e.g.
> /usr/local/ftpuser.
>
>
> Now all we need to do is add our new user to the '/etc/ftpchroot' file.
> To do this we simply echo the new user into the file.
>
>
> echo <username> >> /etc/ftpchroot
>
>
> After the echo command we issue the 'cat' command to the
> '/etc/ftpchroot' file.
>
>
> cat /etc/ftpchroot
>
>
> Now our new user can log in and only access their "home" directory and
> it is seen as /. They cannot traverse our filesystem by issuing the
> command 'cd /' as it will only take them back to their "home"
> directory as defined by the 'adduser' command. Also, our new ftpuser can
> only ftp into our system and has no other access to the system other
> than ftp.
>
> Jon
>
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
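
A check for the setup the howto above describes, as an added example that is not part of the original posts: it cross-checks the ftpchroot list against the passwd and shells files and reports accounts that are chrooted but keep a real login shell, or FTP-only but not chrooted. The function names, the seven-field passwd layout, the skipping of comment and `@group` lines, and the sample accounts are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the FTP-only + ftpchroot setup from the howto.
# audit_ftp PASSWD FTPCHROOT SHELLS [RESTRICTED_SHELL]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_ftp() {
    passwd=$1 chroot_list=$2 shells=$3 rshell=${4:-/bin/ftponly}
    rc=0
    # ftpd only accepts accounts whose shell is listed in /etc/shells.
    grep -qxF "$rshell" "$shells" ||
        { echo "MISSING-SHELL $rshell not in shells file"; rc=1; }
    # Every chrooted user must exist and must have the dummy shell,
    # otherwise the account can still log in over ssh or telnet.
    while read -r user rest; do
        case $user in ''|'#'*|@*) continue ;; esac  # blanks, comments, @group
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
        if [ -z "$shell" ]; then
            echo "NO-ACCOUNT $user (no passwd entry or empty shell)"; rc=1
        elif [ "$shell" != "$rshell" ]; then
            echo "LOGIN-SHELL $user has $shell"; rc=1
        fi
    done < "$chroot_list"
    # Every FTP-only account should also be listed in ftpchroot,
    # otherwise it can walk the whole filesystem over ftp.
    for user in $(awk -F: -v s="$rshell" '$7 == s { print $1 }' "$passwd"); do
        awk -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$chroot_list" ||
            { echo "NOT-CHROOTED $user"; rc=1; }
    done
    return $rc
}

# Constructed sample files (hypothetical accounts, not from the thread).
make_sample() {
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'alice:*:1001:1001:Alice:/usr/local/alice:/bin/ftponly' \
        'bob:*:1002:1002:Bob:/usr/local/bob:/bin/sh' \
        'carol:*:1003:1003:Carol:/usr/local/carol:/bin/ftponly' > "$1/passwd"
    printf '%s\n' '# chrooted ftp users' alice bob dave > "$1/ftpchroot"
    printf '%s\n' /bin/sh /bin/csh /bin/ftponly > "$1/shells"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_ftp "$tmp/passwd" "$tmp/ftpchroot" "$tmp/shells" || echo "fix the findings above"
rm -rf "$tmp"
```

To audit a live system, call `audit_ftp /etc/passwd /etc/ftpchroot /etc/shells` after each `adduser` run.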




This archive was generated by hypermail 2a23 : Wed Nov 05 2003 - 13:23:08 AKST