Re: ftp access

From: Q Yai QQ (riki@maiser.unila.ac.id)
Date: 02/28/01 

Date: Wed, 28 Feb 2001 12:49:54 +0700 (JAVT)
From: Q Yai QQ <riki@maiser.unila.ac.id>
To: Carroll Kong <damascus@home.com>

hai guys,...
i try to do chpass user's shell,...
to change his shell to /sbin/nologin

it work,...

but,.when i get access via ftp,....

the server not allow me,...just for a second i get in,.. then,. disconnect
very fast,...

what's wrong,...

thank's for u'r respon,.

On Wed, 28 Feb 2001, Carroll Kong wrote:

> At 05:47 AM 2/28/01 +0100, Roelof Osinga wrote:
> >Rob Simmons wrote:
> > >
> > > /sbin/nologin as the user's shell. You also have to add this shell to
> > > /etc/shells
> >
> >Alas, no.
> >
> >Not on 4.2 anyway. Just today - ok, technically yesterday, but who's
> >counting? - I realized that the client was right after all. He could
> >not log in indeed. Due to /sbin/nologin.
> >
> >When using regular ftpd. Using ProFTPd no problem.
> >
> >Ah, as a matter of fact, I was using inetd. Haven't tried
> >daemon mode with 4.2 yet. Who knows? There might be hope, still.
> >
> >Roelof
>
> That is odd. The reason why ftpd does not work is because........ man ftpd
> shows
>
> 4. The user must have a standard shell returned by
> getusershell(3).
>
> So, man getusershell shows
>
> The getusershell() function returns a pointer to a legal user shell as
> defined by the system manager in the file /etc/shells. If /etc/shells is
> unreadable or does not exist, getusershell() behaves as if /bin/sh and
> /bin/csh were listed in the file.
>
> This is very odd, unless I am forgetting something I did, I JUST
> did this with a client two days ago on 4.2-STABLE. Telnet results in "not
> authorized" or something like that, and ftpd lets them in happily. Same
> user name and all. Please look it over, I am outright positive it
> works! (ok, maybe 99.99999% sure). What is the error message? User
> denied? Check man ftpd for that list of "reasons why ftpd would tell your
> user to go away".
>
> -Carroll Kong
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

>>>>>>>>>>>>>>>>>*****<<<<<<<<<<<<<<<<<
riki@unila.ac.id
visit my homepage and sign my guestbook
http://unilanet.unila.ac.id/~qq
---------------------------------------
---------------------------------------
                   &
                __& &__
               // \\

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • Re: ftp user restrictions
    ... The ftpd on your system may not support this. ... To restrict access to a shell, create their account with an invalid ... DeeDee, don't press that button! ...
    (comp.unix.admin)
  • Re: ftp user restrictions
    ... The ftpd on your system may not support this. ... To restrict access to a shell, create their account with an invalid ... DeeDee, don't press that button! ...
    (comp.unix.misc)
  • Re: A push in the right direction
    ... You'll have to construct a special filesystem with ... If you have this level of restriction on shell users, ... Why not just give them ftp-only access (hint: SUN's ftpd ... DeeDee, don't press that button! ...
    (comp.unix.solaris)
  • Re: ftp access
    ... Roelof Osinga wrote: ... >> The getusershell() function returns a pointer to a legal user ... >> authorized" or something like that, and ftpd lets them in happily. ... saying that your cat /etc/shells | grep nologin is going to return nothing. ...
    (FreeBSD-Security)
  • Re: How to add to list of allowed shells?
    ... > the NIS domain machine? ... The Solaris 10 man page for getusershell seems clear on this. ... Perhaps it would be better to keep your shell as /bin/sh and only exec ... Chris ...
    (comp.unix.solaris)