The FreeBSD Diary

FreeBSD Support
 FTP with no shell access - Discovered the easy way
Author: el_kab0ng 
Date:   27-07-00 15:45

Even the most experienced of BSD users that I know were not able to answer what turned out to be a simple question...so in an effort for full disclosure, I wanted to share with you what I learned.

What am I going on about you ask? Well, here was my dilemma. I wanted to start virtually hosting websites for some friends of mine, and in an effort to keep good security practices, I didn't want to issue shell accounts to every user I hosted. The only access the users would really ever need would be FTP only.

Something as simple as restricting access for users to FTP caused quite a stir among the upper echelons...but over time I learned how. Instead of installing fancy FTPd software which might in and of itself be a security bug, I decided to keep what comes installed by default on FreeBSD 4.0. I received all sorts of suggestions like "creating an FTP group and adding folks to that" or "make sure they aren't in the FTP users file" (the one that would otherwise DENY them to my FTP). Instead here was my solution:

FreeBSD has an /sbin/nologin feature that you can place as a user account's login shell, which in essence tells the user when they shell in that their account has been suspended and immediately logs them out. Well, in my opinion it's a little-known fact that this "shell" is NOT in the /etc/shells file...meaning as far as FTP is concerned, it's not a valid shell, therefore anyone who HAS that shell in the /etc/passwd file will get denied access to FTP as well. Catching on yet?

I simply added the /sbin/nologin to the /etc/shells file as a valid shell. Now users CAN FTP into my box, but cannot shell in. End result? Along with a few FTP security rules, I can now virtually host all the sites I want without the nasty potential for root compromise via a shell login. Something so simple and yet so difficult for people at times.

I don't know if this area has been explored yet, but I know in all my quests for knowledge, I never once came across this explanation. I hope it helps all you lost souls out there like myself in the long run.

 RE: FTP with no shell access - Discovered the easy
Author: Philip 
Date:   27-07-00 18:29

Another nice thing is that you can change their path to something like:

/usr/home/joe/./public_html

(notice the /./) and upon login the ftp daemon will put them in /usr/home/joe/public_html, and will not let them "cd out of" /usr/home/joe. Some additional files need to be copied to /usr/home/joe (the same stuff that's in your anonymous ftp directory) -- well, not all can be copied, some have to be made, but once you have the script it's easy.

What's cool about this is they can ftp in, but they can't go anywhere other than where you want them to go.

It should work. It worked with wu-ftpd a couple of years ago...

 RE: FTP with no shell access - Discovered the easy
Author: el_kab0ng 
Date:   27-07-00 19:29

Doesn't chroot do the same thing? Limiting the user ID's root shell to be contained within their directory?

 RE: FTP with no shell access - Discovered the easy
Author: Dan Langille 
Date:   27-07-00 23:13

This feature is mentioned in http://www.freebsddiary.org/nologin.html

 RE: FTP with no shell access - Discovered the easy
Author: el_kab0ng 
Date:   28-07-00 04:13

I stand corrected. After further research I have found that chroot does not affect the way FTP users get restricted to their home directory. Is there any way that that can be done without installing another FTP package? I want to limit the user to a directory restricted for their usage, i.e. not be able to bounce up a dir.

 RE: FTP with no shell access - Discovered the easy
Author: Philip 
Date:   28-07-00 04:26

man ftpd

A ways down it talks about what you need to do for anonymous ftp areas (where it talks about what directories/files need to exists).

Set the user's home directory (in /etc/passwd) to:

/usr/home/joe/./somedir

When they login ftpd will do a chroot to /usr/home/joe and put them in /usr/home/joe/somedir. You need to copy those files over so that ls and friends can work (or the man page says you can recompile ftpd to use an internal ls).

-philip

 RE: FTP with no shell access - Discovered the easy
Author: el_kab0ng 
Date:   28-07-00 09:20

What version of FreeBSD are you gathering this info from?

 RE: FTP with no shell access - Discovered the easy
Author: Dan Langille 
Date:   28-07-00 13:30

You can recompile ftpd so it contains the ls command. see

http://www.freebsddiary.org/ftpd-ls.html

 RE: FTP with no shell access - Discovered the easy
Author: el_kab0ng 
Date:   28-07-00 14:38

Is it possible to see an ftpchroot file example? I have scoured my box in an effort to find an example file to no avail. Is this due to the fact I am running 4.0?

 RE: FTP with no shell access - Discovered the easy
Author: Philip 
Date:   29-07-00 18:51

The easiest way to do this is to use /stand/sysinstall to setup anonymous ftp. Then go look in that directory for all the required files. Tar them up so you have them forever (I would edit the password files though and remove almost all of it.. no reason to allow people to see what logins you have). Then delete the ftp user and its home directory to turn off anonymous ftp.

Then create another user with a home dir of say /usr/home/joe/./pub . Untar the files in /usr/home/joe. When he ftp's in, joe shouldn't be able to get outside of /usr/home/joe

(I haven't actually tried this, but this is how it's supposed to work). do a "man ftpd" (i did it on 3.4)

-philip

 RE: FTP with no shell access - Discovered the easy
Author: Kanji T Bates 
Date:   30-07-00 06:09

What do users use your box for? If you allow them to use CGIs, then you may not be as secure as you think because something like 'chpass -s /some/new/shell' run through a CGI would defeat /sbin/nologin.

 RE: FTP with no shell access - Discovered the easy
Author: Kanji T Bates 
Date:   30-07-00 16:12

I think you're confusing wu-ftpd with the standard FBSD ftpd: the latter doesn't support the . notation, so you can only chroot users to their _HOME_ directories via /etc/ftpchroot or the boolean ftpchroot flag in their login class (see login.conf).

 RE: FTP with no shell access - Discovered the easy
Author: el_kab0ng 
Date:   31-07-00 22:52

I trust the users that I am setting up to use FTP for their websites, but I don't want shell access for these users. These folks are not malicious, but their friends might be. No system is totally secure, but making it a little more difficult for people to break things can sometimes ward off would-be threats. I have plans to disallow CGI unless it's been reviewed before posting to limit the aforementioned threat as well.

 RE: FTP with no shell access - Discovered the easy
Author: el_kab0ng 
Date:   31-07-00 22:55

Actually....the ./ format does work by initial opening of the FTP account to the directory specified, but it does not keep them from bouncing up levels. Aside from that, I'm assuming the /etc/ftpchroot file is something created manually? By default that file does not exist on 4.0 RELEASE.

 RE: FTP with no shell access - Discovered the easy
Author: el_kab0ng 
Date:   31-07-00 22:57

After reviewing the documentation on creating an FTP with chroot, it states that the ls command is in fact built into 4.0, hence I assume the reason for no /etc/ftpchroot file?

 RE: FTP with no shell access - Discovered the easy
Author: el_kab0ng 
Date:   08-08-00 07:14

You guys are gonna freak when I show you the link to a concise way to get the job done....

http://www.wildwebsites.com/support/locking-users-directory.htm

Yes...that's right...a porn site had the information....Not FreeBSD.org...not Freebsddiary.org....but a skank porn site....how's that for irony?

I am about to try this method...and will let you know the success or failure...

 RE: FTP with no shell access - Discovered the easy
Author: el_kab0ng 
Date:   08-08-00 08:43

Two things I have learned tonight...

1. Copy the /sbin/nologin to something restrictive to ftp...as in /sbin/ftp-nologin and place that in /etc/shells.
2. Create /etc/ftpchroot with nothing in there but the users you want restricted to the directory that's assigned in /etc/passwd.

When this is done, you will have users with no shell, yet RESTRICTED ftp access without worrying about bounces.

This all applies to FreeBSD 4.0 with the /bin/ls already compiled into the ftpd...

When all else fails, go here...scratch the porn site posted earlier...that url sucked...

http://x73.deja.com/%5BST_cam=search.yahoo.none.slot%5D/getdoc.xp?AN=525803111&CONTEXT=965715057.226164744&hitnum=79
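An added audit script (not from the thread or from FreeBSD) that applies the two rules above to constructed copies of /etc/passwd, /etc/shells and /etc/ftpchroot: a user can FTP in only if the login shell is listed in /etc/shells, is confined only if listed in /etc/ftpchroot, and gets no shell login if the shell is a nologin variant. The file layout, user names and the /sbin/ftp-nologin path are assumptions taken from the posts; the /etc/ftpusers deny list is not modelled.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/passwd, /etc/shells and
# /etc/ftpchroot on a FreeBSD 4.0 box set up as described in the thread.
TMP=$(mktemp -d)
cat >"$TMP/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
joe:*:1001:1001:Joe:/usr/home/joe:/sbin/ftp-nologin
sue:*:1002:1002:Sue:/usr/home/sue:/sbin/nologin
bob:*:1003:1003:Bob:/usr/home/bob:/bin/sh
EOF
cat >"$TMP/shells" <<'EOF'
# shells ftpd accepts; /sbin/nologin is deliberately NOT listed
/bin/sh
/bin/csh
/sbin/ftp-nologin
EOF
cat >"$TMP/ftpchroot" <<'EOF'
joe
EOF

# login_shell USER PASSWD: print the 7th passwd field for USER (empty if absent)
login_shell() {
  awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# ftp_status USER PASSWD SHELLS FTPCHROOT prints one of:
#   denied     shell not in /etc/shells, so ftpd refuses the login
#   chroot     ftp allowed and confined to the home dir via /etc/ftpchroot
#   unconfined ftp allowed and free to cd anywhere readable ("bouncing up")
ftp_status() {
  shell=$(login_shell "$1" "$2")
  [ -n "$shell" ] || { echo unknown; return; }
  grep -qx "$shell" "$3" || { echo denied; return; }
  if grep -qx "$1" "$4"; then echo chroot; else echo unconfined; fi
}

# shell_login USER PASSWD: "no" when the shell is any nologin variant,
# "yes" for a real shell (constructed rule: basename contains "nologin")
shell_login() {
  shell=$(login_shell "$1" "$2")
  case "${shell##*/}" in "") echo unknown ;; *nologin*) echo no ;; *) echo yes ;; esac
}

# Report every user: the goal state from the thread is ftp=chroot shell=no
for u in root joe sue bob; do
  printf '%-5s ftp=%-10s shell=%s\n' "$u" \
    "$(ftp_status "$u" "$TMP/passwd" "$TMP/shells" "$TMP/ftpchroot")" \
    "$(shell_login "$u" "$TMP/passwd")"
done
```

Point the four paths at the real files to audit a live system; any account reporting ftp=unconfined can still walk out of its home directory.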