RE: Giving Vhost users access


Subject: RE: Giving Vhost users access
From: Steve McGrane (steve@globaltap.com)
Date: Sat Dec 02 2000 - 11:30:52 MST


Make sure that /bin/false is in /etc/shells; that would fool the FTP server
into thinking that /bin/false is a real shell. I went as far as to make a
bash script called /bin/ftponly that tells the user that shell access is
restricted:

#!/bin/sh
#
# ftponly shell
#
trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
#
IFS=""
Admin=admin@server.com
System=`/bin/hostname`@`/bin/domainname`
#
/bin/echo
/bin/echo "********************************************************************"
/bin/echo " You are NOT allowed interactive access to $System."
/bin/echo
/bin/echo " User accounts are restricted to ftp and web access."
/bin/echo
/bin/echo " Direct questions concerning this policy to $Admin."
/bin/echo "********************************************************************"
/bin/echo
#
# C'ya
#
exit 0

-----Original Message-----
From: Gawain Reifsnyder [mailto:gawain@guitar.net]
Sent: Saturday, December 02, 2000 12:56 PM
To: yellowdog-general@lists.yellowdoglinux.com
Subject: Re: Giving Vhost users access

At 6:23 PM -0700 on 12/1/00, Neil Jolly wrote:

>What you want to do is create a chroot jail for your users. Here's a sample
>of what you need to add to your /etc/proftpd.conf:
>
>ServerName "ProFTPD"
>ServerType standalone
>DefaultServer on
>#This is what creates the chroot jail
>DefaultRoot ~
>#This speeds up your logins
>IdentLookups off
>#prevents people from forcing passwords
>MaxLoginAttempts 3
>
>#You can also use the limit command to deny certain commands to users.
>
> <Limit MKD DELE>
> DenyUser example
> </Limit>
>
>To complete the chroot jail, assign the directory you want to restrict the
>users to as the user's home directory. For more information see:
>http://www.proftpd.net/

Thanks for your help. I think I'm about 3/4 of the way there... I've
configured my DefaultRoot line like this:

DefaultRoot ~ !staff

so that any user not in the group "staff" is jailed into their home
directory. This part is working very well. The next step is denying
shell access. I've found that setting a user's shell to /bin/false or
/dev/null in /etc/passwd also denies them access to the ftp server,
even if RequireValidShell is set to false.

Am I still missing something?

Gawain
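
The check discussed in this thread (is each account's shell listed in /etc/shells, and is it a non-interactive one?) as an added example that is not part of the original messages. The function names, the MIN_UID default of 500, the NOLOGIN_SHELLS list and the sample passwd/shells contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original messages. File paths are parameters so
# the audit can run against copies of /etc/passwd and /etc/shells.

# Shells treated as "no interactive login" (names taken from this thread).
NOLOGIN_SHELLS="/bin/false /bin/ftponly /dev/null"

# shell_is_listed SHELL SHELLS_FILE: true if SHELL is an exact, uncommented line.
shell_is_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$1"
}

# audit_shells PASSWD_FILE SHELLS_FILE [MIN_UID]
# Prints user:shell:listed|unlisted:nologin|interactive for UIDs >= MIN_UID.
audit_shells() {
    min_uid=${3:-500}    # assumption: ordinary accounts start at UID 500
    while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # skip comments/bad rows
        [ "$uid" -ge "$min_uid" ] || continue
        [ -n "$shell" ] || shell=/bin/sh             # empty field means /bin/sh
        listed=unlisted; kind=interactive
        if shell_is_listed "$shell" "$2"; then listed=listed; fi
        for s in $NOLOGIN_SHELLS; do
            if [ "$s" = "$shell" ]; then kind=nologin; fi
        done
        echo "$user:$shell:$listed:$kind"
    done < "$1"
}

# demo: runs the audit over constructed sample files.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
vhost1:x:501:501::/home/vhost1:/bin/ftponly
vhost2:x:502:502::/home/vhost2:/bin/false
staffer:x:503:100::/home/staffer:/bin/bash
EOF
    cat > "$tmp/shells" <<'EOF'
# constructed sample: /bin/false deliberately not listed
/bin/sh
/bin/bash
/bin/ftponly
EOF
    audit_shells "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

In the sample, vhost2 comes out as unlisted:nologin, the combination where a server that validates shells against /etc/shells would refuse the login, and staffer is the only account reported as interactive.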


