*BSD News Article 90563


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.mel.connect.com.au!news.mel.aone.net.au!grumpy.fl.net.au!news.webspan.net!newsfeeds.sol.net!feed1.news.erols.com!super.zippo.com!zdc!szdc!news
From: david drexler <david@okcity.com>
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Re: wu-ftpd - limiting to ftp only?
Date: Thu, 06 Mar 1997 17:05:26 -0600
Organization: None
Lines: 32
Message-ID: <331F4DB6.75E3@okcity.com>
References: <MPG.d74e2d6161c64c89896fc@news.vnet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01Gold (Win95; I)
To: Ed Stone <estone@synernet.com>
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6250

Ed Stone wrote:
> 
> Using BSDI 2.1 and wu-ftpd, I'm having a problem limiting "guests" to
> ftp only. I've read the doc, set up /bin/true for the "guests" shells.
> What else must be done to limit guests to ftp only?
> --
> -------------------------------
> Ed Stone
> estone@synernet.com
> http://www.synernet.com/estone
> -------------------------------

The shell entry in /etc/passwd is what controls it.  Whatever you use
must be listed in /etc/shells.  If you want users to be able to change
their own passwords, use /bin/passwd as the shell.

With wu-ftpd you can go a step farther and lock them into a directory
tree so they can't wander around in your system, download /etc/passwd,
etc.  Two additional steps:

(1) Create a directory for specifically these logins.  Under it you must
also have bin and shlib dirs, just as for anonymous ftp.  Files needed
in the bin directory are ls and pwd (copies, not links).  The only file
needed in the shlib directory is libc_s.2.1.0.  These directories and
files should be owned by root with mode 555.

(2) The login dir in /etc/passwd must be shown as /rootdir/./userdir --
the dot flags wu-ftpd to do a chroot. 

Beware the usual caveats about anon ftp.

David
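
An added example, not part of the original post: a shell function that checks one guest account against the requirements listed above (shell present in the shells file, the /./ marker in the home field, bin and shlib under the chroot root with root ownership and mode 555, ls and pwd as real files). The function names, the argument order and the optional owner-uid argument are assumptions of this example.

```sh
#!/bin/sh
# Audit a wu-ftpd guest account against the setup described in the post.
# Usage: audit_guest USER [PASSWD_FILE] [SHELLS_FILE] [OWNER_UID]
# Prints one FAIL line per finding; returns 0 only if every check passes.

# Succeeds if path $1 has mode 555 and is owned by numeric uid $2.
check_555() {
    got=$(ls -ldn "$1" 2>/dev/null | awk '{print substr($1,2,9), $3}')
    [ "$got" = "r-xr-xr-x $2" ] ||
        { echo "FAIL: $1 is '$got', want 'r-xr-xr-x $2'"; return 1; }
}

audit_guest() {
    user=$1 passwd=${2:-/etc/passwd} shells=${3:-/etc/shells} uid=${4:-0} rc=0
    entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7 }' "$passwd")
    [ -n "$entry" ] || { echo "FAIL: no passwd entry for $user"; return 1; }
    home=${entry%%:*} shell=${entry#*:}

    # The login shell must be listed in the shells file.
    grep -Fqx -- "$shell" "$shells" ||
        { echo "FAIL: shell $shell not listed in $shells"; rc=1; }

    # Everything before the /./ marker in the home field is the chroot root.
    case $home in
        */./*) root=${home%%/./*} ;;
        *) echo "FAIL: home $home has no /./ marker"; return 1 ;;
    esac

    # bin, shlib and their files: owned by root (uid 0 by default), mode 555.
    for p in bin shlib bin/ls bin/pwd shlib/libc_s.2.1.0; do
        check_555 "$root/$p" "$uid" || rc=1
    done
    # ls and pwd must be regular files; a symlink is not a copy.
    for f in ls pwd; do
        if [ -L "$root/bin/$f" ] || [ ! -f "$root/bin/$f" ]; then
            echo "FAIL: $root/bin/$f is missing or a symlink"; rc=1
        fi
    done
    return $rc
}
```

Source the file and run audit_guest with a login name; the passwd file, shells file and expected owner uid default to /etc/passwd, /etc/shells and 0.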