Hi Ethan; Thanks for the help... I use proftpd under slink, but I'll try and apply this to it :)

Ethan Benson wrote:

> On 18/11/99 Neil D. Roberts wrote:
>
> > This is my first mail here, so hi to all... I have a little problem,
> > lack of knowledge is what I call it. Anyway, I have a public ftp
> > server, and I need to create a special account for ftp administering
> > (ftpadmin). This account can only be accessed via ftp, to put files
> > and take files off. The user can not access via anything else, only
> > ftp access.
>
> If you're using potato this is easy to set up with pam, I add:
>
> auth required pam_listfile.so item=user sense=deny file=/etc/deny.shell onerr=succeed
>
> to all interactive shell services and any other service I do not want
> such a user to access. This way he is allowed into FTP but all other
> access attempts fail. If you do not use potato probably the best bet
> is using falselogin: add it to /etc/shells and make it the login shell
> for that user. He will still be able to login to things like telnet
> and ssh, but instead of getting a shell he just gets a message saying
> go away and is logged out. (I actually do both for good measure.)
>
> The other thing you could do that you may prefer is add
> /usr/bin/passwd to /etc/shells and set his login shell to that, then
> he can ssh (or *bleak* telnet) in and he immediately gets a prompt to
> change his passwd; as soon as he does, the connection is closed. You
> probably want him to change his passwd very often anyway since ftp
> has this annoying tendency to send passwords flying across the
> network in clear.
>
> > I also need to find out how to create the incoming directory in such
> > a manner that users can place files there, but not delete. I also want
> > to create a directory called private, where only a ftpadmin can access
> > it to modify and place things. Do I ask for much? I'm not sure, but I
> > sure am stuck... Thanks in advance for the help!!!
>
> Just add the sticky bit to the incoming directory: chmod +t incoming
> should do it. This will let him only delete files that he owns (just
> like /tmp). If you want to allow him to upload but not see what is in
> the directory then make the permissions he falls under (either group
> or world) mode 3 (write and execute only).
>
> If you use wu-ftpd (probably not a good idea unfortunately since it's
> so good at giving out root accounts) you get quite a bit more control
> over who can do what on incoming directories, such as forbidding
> the upload of directories (common way ftpd root exploits must be
> performed) and configuring so that files uploaded have the owners and
> permissions changed so the uploader no longer has access, and other
> such niceties.
>
> If you use the plain ftpd with debian add your user to the /etc/ftpchroot
> file.
>
> Create bin, etc and lib directories in his home directory.
>
> Copy /bin/ls to ~ftpadmin/bin/ then chmod -R 111 ~ftpadmin/bin/
>
> Copy /lib/ld-linux.so.2 (may be a different number on your system) to
> ~ftpadmin/lib/ and chmod 555 ~ftpadmin/lib/ld-linux.so.2
>
> Copy /lib/libc.so.6, /lib/libnss_files-X.X.X.so to there as well
> (where X.X.X is the version number on your system), chmod 444 them.
>
> cd ~ftpadmin/lib ; ln -s libnss_files-X.X.X.so libnss_files.so.1 and
> ln -s libnss_files-X.X.X.so libnss_files.so.2.
>
> chmod 111 ~ftpadmin/lib
>
> Now create a group file in ~ftpadmin/etc in the format root:*:0: just
> like the real /etc/group except do not show the members. This file is
> only used by ls to show real group names instead of gids, so only add
> groups to this file that you want to show up as a real name (you
> could make a fake name if you wanted to).
>
> Do the same for ~ftpadmin/etc/passwd. Make sure there are no real
> passwords in that file; it should look like: root:*:0:0:::
>
> Only add users to this file that you want to show up properly in the
> listings. It's probably best to only add a couple rather than your
> entire system's /etc/passwd so you do not give away all the account
> names on your system. You do not have to use the same names as the
> real accounts, just the same ids, and any name you want; this file is
> only used by ls, nothing else. Do not add the gecos field or home
> directories to this file as it gives too much information about your
> system away.
>
> After you do that chmod 444 ~ftpadmin/etc/* and chmod 111 ~ftpadmin/etc
>
> mkdir ~ftpadmin/pub and do a chmod 555 ~ftpadmin and add the incoming
> directory.
>
> That should do it. If you use wu-ftpd and want to take advantage of
> some of its guest user features read the ftpaccess man page as it's
> pretty good, but well, test it as it's a little buggy in its config
> parsing... (and I cannot recommend wu-ftpd or proftpd anymore as
> they have just too many security problems)
>
> Best Regards,
> Ethan Benson
> To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

--
*****************************************************************
Neil David John Roberts - Lander World Communications Server S.L.
Calle Rufino Gonzalez, N°15 - 4° Planta - Madrid, Spain - 28037
Telf : 91 789 77 10 ; Fax : 91 304 20 44 ; Mobile 656 377 661
E-Mail - [EMAIL PROTECTED] ; [EMAIL PROTECTED] ; [EMAIL PROTECTED]
Web Sites : http://www.lander.es ; http://www.lander.es/~koala/
For Urgent Contact Phone 940 331 331 And Leave Message For # NR10
AOL Instant Messenger: Screen Name: WP00817 09:30-19:00 GMT +0200
PGP: Name: Neil D. Roberts <[EMAIL PROTECTED]>; SignerKeyId: 0xD29489C0
Type: DH/DSS ; Size: 2048/1024 ; Expires: Never ; Cipher: CAST
*****************************************************************
Bend the facts to fit the conclusion. It's easier that way.
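The chroot skeleton steps Ethan describes, as an added shell example that is not from the original mail: it creates the bin, lib, etc, pub and incoming directories with the permissions he lists (sticky bit plus mode 3 on incoming), and generates the stripped etc/passwd and etc/group copies (password field `*`, no gecos, home, shell or group members) from the real files for only the named users and groups, then checks that nothing sensitive survived. Copying ls and its libraries is left out because the library names differ per system; the home path, source files and user/group lists are parameters I chose.

```shell
#!/bin/sh
# Added example, not from the original mail: build the ls-only chroot
# skeleton for an ftp-only account. Copying /bin/ls and its libraries is
# left to the admin (library names differ per system); this does the
# directories, permissions and the stripped etc/passwd and etc/group.
set -eu

# strip_passwd SRC USERS: keep only the comma-separated USERS from SRC,
# replace the password with '*' and drop gecos, home and shell, so the
# file gives ls a uid-to-name mapping and nothing else.
strip_passwd() {
    awk -F: -v keep=",$2," '
        index(keep, "," $1 ",") { printf "%s:*:%s:%s:::\n", $1, $3, $4 }' "$1"
}

# strip_group SRC GROUPS: same idea for the group file, member list dropped.
strip_group() {
    awk -F: -v keep=",$2," '
        index(keep, "," $1 ",") { printf "%s:*:%s:\n", $1, $3 }' "$1"
}

# build_chroot HOME PASSWD_SRC GROUP_SRC USERS GROUPS
build_chroot() {
    home=$1
    mkdir -p "$home/bin" "$home/lib" "$home/etc" "$home/pub" "$home/incoming"

    strip_passwd "$2" "$4" > "$home/etc/passwd"
    strip_group  "$3" "$5" > "$home/etc/group"
    chmod 444 "$home/etc/passwd" "$home/etc/group"

    # execute-only: files can be opened by name but the directories cannot be listed
    chmod 111 "$home/bin" "$home/lib" "$home/etc"
    chmod 555 "$home/pub"
    # incoming: sticky bit, and write+execute only for group and others, so
    # uploads work but nobody can list the directory or delete others' files
    chmod 1733 "$home/incoming"
    chmod 555 "$home"
}

# check_chroot HOME: return non-zero if the passwd copy still carries a real
# password hash, a gecos field, a home directory or a shell.
check_chroot() {
    awk -F: '$2 != "*" || $5 != "" || $6 != "" || $7 != "" { bad = 1 }
             END { exit bad + 0 }' "$1/etc/passwd"
}
```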

