The FreeBSD Diary (TM)

Providing practical examples since 1998

FreeBSD Support
 FTP with no shell access - Discovered the easy way
Author: el_kab0ng 
Date:   27-07-00 15:45

Even the most experienced of BSD users that I know were not able to answer what turned out to be a simple question...so in an effort for full disclosure, I wanted to share with you what I learned.

What am I going on about you ask? Well, here was my dilemma. I wanted to start virtually hosting websites for some friends of mine, and in an effort to keep good security practices, I didn't want to issue shell accounts to every user I hosted. The only access the users would really ever need would be FTP only.

Something as simple as restricting users' access to FTP caused quite a stir among the upper echelons...but over time I learned how. Instead of installing fancy FTPd software which might in and of itself be a security bug, I decided to keep what comes installed by default on FreeBSD 4.0. I received all sorts of suggestions like "creating an FTP group and adding folks to that" or "make sure they aren't in the FTP users file" (the one that would otherwise DENY them access to my FTP). Instead, here was my solution:

FreeBSD has an /sbin/nologin feature that you can set as a user account's login shell, which in essence tells the user when they shell in that their account has been suspended and immediately logs them out. Well, in my opinion it's a little-known fact that this "shell" is NOT in the /etc/shells file...meaning as far as FTP is concerned, it's not a valid shell, therefore anyone who HAS that shell in the /etc/passwd file will get denied access to FTP as well. Catching on yet?

I simply added the /sbin/nologin to the /etc/shells file as a valid shell. Now users CAN FTP into my box, but cannot shell in. End result? Along with a few FTP security rules, I can now virtually host all the sites I want without the nasty potential for root compromise via a shell login. Something so simple and yet so difficult for people at times.

I don't know if this area has been explored yet, but I know in all my quests for knowledge, I never once came across this explanation. I hope it helps all you lost souls out there like myself in the long run.
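The admission logic the post above relies on, as an added example that is not part of the original post and not FreeBSD's own ftpd source: a POSIX shell script that models the two checks the base-system ftpd makes before it will even take a password, namely that the account's shell appears in /etc/shells (what getusershell(3) reports) and that the name is not listed in /etc/ftpusers. The file paths are arguments, and the demo builds constructed copies of passwd, shells and ftpusers in a temporary directory, so it never reads or alters the live system. The user names, the "@group" form of ftpusers entries (omitted here) and the sample file contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD's ftpd.
# Models ftpd's pre-password checks:
#   1. the account's shell must be an exact line of the shells file
#      (getusershell(3) ignores blank lines and '#' comments);
#   2. the login name must not be listed in the ftpusers file.
# The "@group" form of ftpusers entries is deliberately left out.

# listed_in ITEM FILE: return 0 if ITEM is an exact non-comment line of FILE
listed_in() {
    grep -v '^[[:space:]]*#' "$2" | grep -v '^[[:space:]]*$' | grep -qx -e "$1"
}

# ftp_login_allowed USER PASSWD_FILE SHELLS_FILE FTPUSERS_FILE
# Prints the decision; returns 0 if ftpd would proceed, 1 if it would refuse.
ftp_login_allowed() {
    _user=$1; _passwd=$2; _shells=$3; _ftpusers=$4
    # field 7 of the passwd(5) line is the login shell
    _shell=$(awk -F: -v u="$_user" '$1 == u { print $7 }' "$_passwd")
    if [ -z "$_shell" ]; then
        echo "$_user: denied (no such account)"; return 1
    fi
    if listed_in "$_user" "$_ftpusers"; then
        echo "$_user: denied (listed in ftpusers)"; return 1
    fi
    if ! listed_in "$_shell" "$_shells"; then
        echo "$_user: denied (shell $_shell not in shells file)"; return 1
    fi
    echo "$_user: allowed (shell $_shell)"; return 0
}

# demo: constructed sample files modelled on FreeBSD 4.x defaults (assumed)
demo() {
    _d=$(mktemp -d)
    printf '%s\n' '# constructed /etc/shells' /bin/sh /bin/csh /bin/tcsh > "$_d/shells"
    printf '%s\n' '# constructed /etc/ftpusers' root daemon operator > "$_d/ftpusers"
    printf '%s\n' \
        'root:*:0:0:Charlie &:/root:/bin/csh' \
        'alice:*:1001:1001:Alice (shell account):/home/alice:/bin/sh' \
        'bob:*:1002:1002:Bob (FTP-only):/home/bob:/sbin/nologin' > "$_d/passwd"

    echo "--- before adding /sbin/nologin to the shells file ---"
    for u in alice bob root; do
        ftp_login_allowed "$u" "$_d/passwd" "$_d/shells" "$_d/ftpusers" || :
    done

    # the post's fix: make nologin a "valid" shell as far as ftpd is concerned
    echo /sbin/nologin >> "$_d/shells"

    echo "--- after: bob gets FTP, root is still refused via ftpusers ---"
    for u in bob root; do
        ftp_login_allowed "$u" "$_d/passwd" "$_d/shells" "$_d/ftpusers" || :
    done
    rm -rf "$_d"
}

demo
```

Two things worth checking on a real box before relying on this: /etc/shells is also what chsh/chpass consult, so listing /sbin/nologin there only lets users switch themselves to a shell that refuses logins, which is harmless; and login(1) and sshd(8) run whatever shell is in passwd(5) regardless of /etc/shells, so /sbin/nologin keeps interactive access closed. What the shell trick does not do is confine the FTP session to the user's home directory; FreeBSD's ftpd does that for names listed in /etc/ftpchroot (see ftpd(8)), which is the natural companion to this setup when hosting other people's sites.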


Messages in this thread (author, date):
  el_kab0ng, 27-07-00 15:45 (original post)
  Philip, 27-07-00 18:29
  el_kab0ng, 27-07-00 19:29
  el_kab0ng, 28-07-00 04:13
  Philip, 28-07-00 04:26
  el_kab0ng, 28-07-00 09:20
  Dan Langille, 28-07-00 13:30
  el_kab0ng, 28-07-00 14:38
  Philip, 29-07-00 18:51
  Kanji T Bates, 30-07-00 16:12
  el_kab0ng, 31-07-00 22:55
  el_kab0ng, 31-07-00 22:57
  Dan Langille, 27-07-00 23:13
  Kanji T Bates, 30-07-00 06:09
  el_kab0ng, 31-07-00 22:52
  el_kab0ng, 08-08-00 07:14
  el_kab0ng, 08-08-00 08:43