Re: Only an ftp account

From: Igor Roshchin (str@giganda.komkon.org)
Date: 10/13/01


Date: Fri, 12 Oct 2001 21:45:15 -0400 (EDT)
From: Igor Roshchin <str@giganda.komkon.org>
To: mudman@r181172.resnet.ucsb.edu, rsimmons@wlcg.com


> From owner-freebsd-security@FreeBSD.ORG Fri Oct 12 13:46:09 2001
> Date: Fri, 12 Oct 2001 13:45:28 -0400 (EDT)
> From: Rob Simmons <rsimmons@wlcg.com>
> To: Dave <mudman@r181172.resnet.ucsb.edu>
> Cc: <freebsd-security@FreeBSD.ORG>
> Subject: Re: Only an ftp account
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> pw useradd -n <name> -w no -s /sbin/nologin
>
> You may also want to add that user to /etc/ftpchroot which will chroot
> them to their home directory. You should also make sure that
> /sbin/nologin is in /etc/shells.
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Fri, 12 Oct 2001, Dave wrote:
>
> >
> > How would I be able to give an account to someone where they can only
> > login and use FTP? Shell interpreters, sendmail, and virtually all the
> > other parts of the system should not be at their disposal.
> >
> > How does one accomplish the creation of such a 'ftp-locked' account?
> >
> > I've heard some discussion about jails, but man jail(1) and jail(2) only
> > talk about freezing a process, so I think this might not be the solution I
> > need.
> >
> > Thanks.
> >
> >

Let me just point out that just changing the shell to /sbin/nologin
or any other similar shell will only prevent the user from
telnet/rlogin/ssh logins.
This, however, will not prevent that user from receiving e-mail,
if the sendmail is running, especially, if the shell is in /etc/shells
(I think the default configuration of sendmail checks for the valid
shell in /etc/shells).
Also, it doesn't prevent the user from using a pop-client,
if the popd is enabled.

Having an ability to receive an e-mail and to download files via ftp
provides the user with capability of running most if not all
commands on the computer (just think what one can use in .forward).
This is what very often is forgotten.

The way around that is probably to use a chrooted environment +
an empty .forward and user's home directory both owned by root +
some special arrangements to prevent the user from using popd/imapd services...
+ ....
However, don't take this as an advice of a complete set of measures.

Hope, this helps...

Igor
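An added audit helper (my own, not from the thread or from FreeBSD) that checks an account against the measures discussed above: nologin shell, shell listed in /etc/shells so ftpd accepts the login, membership in /etc/ftpchroot, and a pre-existing empty .forward. The ROOT prefix argument, the function names and the sample account names are assumptions.

```sh
#!/bin/sh
# Audits whether an account is really "FTP-only" by the criteria discussed in
# the thread. ROOT is a hypothetical prefix so the checks can run against a
# copied /etc tree; findings are printed one per line, exit 0 means none.
audit_ftp_only() {
    user=$1; root=${2:-}; rc=0
    entry=$(awk -F: -v u="$user" '$1==u' "$root/etc/passwd" 2>/dev/null)
    [ -n "$entry" ] || { echo "no-such-user"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    # 1. The shell must not be a real interpreter (this only blocks telnet/rlogin/ssh).
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "login-shell:$shell"; rc=1 ;;
    esac
    # 2. ftpd refuses logins whose shell is not in /etc/shells, so it must be listed;
    #    the price, as Igor notes, is that sendmail still treats the account as valid.
    grep -qx "$shell" "$root/etc/shells" 2>/dev/null \
        || { echo "shell-not-in-etc-shells:$shell"; rc=1; }
    # 3. The user (first field; an optional directory may follow) must be in /etc/ftpchroot.
    awk -v u="$user" '$1==u { f = 1 } END { exit !f }' "$root/etc/ftpchroot" 2>/dev/null \
        || { echo "not-in-ftpchroot"; rc=1; }
    # 4. An empty .forward must already exist so the user cannot plant one; that it
    #    and the home directory are owned by root has to be checked on the live system.
    fwd="$root$home/.forward"
    if [ ! -e "$fwd" ]; then echo "forward-missing"; rc=1
    elif [ -s "$fwd" ]; then echo "forward-not-empty"; rc=1; fi
    return $rc
}

# Constructed sample tree: "good" has all measures applied, "bad" only had its
# shell changed, which is the half-measure the message above warns about.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/good" "$d/home/bad"
    printf 'good:*:1001:1001::/home/good:/sbin/nologin\n' >  "$d/etc/passwd"
    printf 'bad:*:1002:1002::/home/bad:/sbin/nologin\n'   >> "$d/etc/passwd"
    printf '/bin/sh\n/sbin/nologin\n' > "$d/etc/shells"
    printf 'good\n' > "$d/etc/ftpchroot"
    : > "$d/home/good/.forward"
    echo "$d"
}

# Usage on the sample tree: audit_ftp_only bad "$(make_sample_root)"
```

Run it with an empty ROOT argument to audit the live system; the ownership of .forward and the home directory still has to be confirmed by hand with ls -l.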
