You can do this with proftpd. There is a DefaultRoot directive that will chroot to a dir on a per-group basis. I have the same situation with a group of web publishers. The first step was to define a virtual host (this particular server is restricted to internal use only). Then each user is added to a new group that will have access to the particular directory. When the user logs in, the server detects which group the user is in and chroots to the DefaultRoot for that group.
I have included part of the proftpd.conf file below. If you are using NIS, set <PersistentPasswd off>. The umask setting allows a head content developer (who is added to every publishing group) to make changes if needed. AllowOverwrite enables files to be written. By setting <RequireValidShell off>, I am able to maintain telnet access to the server for administrative purposes (our users don't have a valid shell on this machine).

Hopefully this will get you going. You may need to spend some time in the docs to get the sense of what the directives are doing. If you still have questions after that, either post to the list or email me directly. I read the digest, so if you post to the list, cc me as well.

--- begin conf ------
<VirtualHost 1.2.3.4>
ServerName "Publishing Server"
Umask 002
AllowOverwrite on
RequireValidShell off

# add defaults for web authors here. Order is significant - the server takes
# the first match. The main author has the top, departments are below.
# The default matches anyone who is not a member of an authoring group
# and logs them into the anonymous ftp dir. The order of the directory
# configs is not significant.
DefaultRoot /a/devel eauth
...
DefaultRoot /ftp

<Directory /a/devel>
GroupOwner eauth
HideGroup root
</Directory>
...
</VirtualHost>
---- end conf ------

Ernest Johanson
Web Systems Administrator
Fuller Theological Seminary

> lena wrote:
> >
> > Hello!
> >
> > I am a newbie with administrating my own Debian server, and got problems
> > that got to do with security.
> >
> > I have 20 different users that got both ftp and telnet access to the server
> > /using it for web publishing/. I would like to add they got access to their
> > root directory and all directories below it, but not to be able to go
> > towards the \.
> >
> > Also, they shouldn't have telnet access.
> >
> > I have looked through all documentation I have been able to find, and asked
> > everywhere, and it seems to stay unsolved.
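
Added example, not part of the original message or of ProFTPD: a small Python check that replays the first-match DefaultRoot ordering described above against a list of users, so an account that would end up in the wrong jail, or in none, shows up before the config goes live. The `wauth` group, the `/a/web` path and the user list are constructed; the group-expression handling (comma means AND, `!` negates) follows ProFTPD's documented syntax.

```python
import re

# Constructed sample: DefaultRoot lines in a config shaped like the one above.
# The "wauth" group and /a/web path are made up for illustration.
SAMPLE_CONF = """
<VirtualHost 1.2.3.4>
  DefaultRoot /a/devel eauth
  DefaultRoot /a/web wauth,!eauth
  DefaultRoot /ftp
</VirtualHost>
"""

def parse_default_roots(conf_text):
    """Return [(directory, [group terms])] in file order; commented lines are ignored."""
    rules = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*DefaultRoot\s+(\S+)(?:\s+(\S+))?\s*$", line, re.I)
        if m:
            expr = m.group(2)
            rules.append((m.group(1), expr.split(",") if expr else []))
    return rules

def matches(terms, groups):
    """AND over terms; '!' negates. An empty expression matches everyone."""
    return all((t[1:] not in groups) if t.startswith("!") else (t in groups)
               for t in terms)

def resolve_root(rules, groups):
    """First matching rule wins; None means the user is not chrooted."""
    for directory, terms in rules:
        if matches(terms, groups):
            return directory
    return None

def audit(rules, users):
    """Map each user to the chroot they would get, given their groups."""
    return {name: resolve_root(rules, set(groups)) for name, groups in users.items()}

if __name__ == "__main__":
    # Constructed users and group memberships.
    users = {"head": ["eauth", "wauth"], "dept": ["wauth"], "guest": ["users"]}
    for name, root in audit(parse_default_roots(SAMPLE_CONF), users).items():
        print(f"{name:6} -> {root or 'NOT CHROOTED'}")
```

Dropping the final catch-all `DefaultRoot /ftp` line makes `guest` resolve to no chroot at all, which is the case worth checking for whenever the list is reordered or trimmed.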