[818] in linux-security and linux-alert archive


Re: [linux-security] wu.ftp, ftpaccess, and /bin/false shell

daemon@ATHENA.MIT.EDU (Vaughn Skinner)
Mon Jun 17 10:22:02 1996

Date: Sun, 16 Jun 1996 15:52:33 -0700
From: Vaughn Skinner <vaughn@solid.net>
To: sysgrad3@csc.albany.edu
CC: linux-security@tarsier.cv.nrao.edu
In-reply-to: <Pine.SUN.3.91.960606090941.2768A-100000@naomi.albany.edu>
	(message from Richard Jones on Thu, 6 Jun 1996 09:20:20 -0400 (EDT))


This is not a linux-security issue.

[Mod: Agreed--I forwarded it anyway, mainly because this issue is of
potential interest to a large number of Linux users.  --Jeff.]

     I'm trying to use the wu.ftp ftpaccess file to set up a guestgroup whereby
   users with listings in the /etc/passwd file can upload to certain 
   sections of a Linux-based web site.  However, I'd like to deny these 
   people telnet access.  In ftpaccess I use the line:

   guestgroup ftponly 

   ftponly is defined as a group in /etc/group and its users have 
   /etc/passwd entries that look like:

   ftponlyuser1:sladfkj:12:324:FTP ONLY:/usr/ftp/./user1s_ftp_dir/:bin/false

   This is straight out of O'Reilly's Managing Internet Info. Services.  
   This doesn't work for me, though.  With a shell set to /bin/false a user 
   is not allowed to ftp login.  Is this a Linux thing? The user can ftp 
   login with /bin/bash or some other viable shell, but this opens up telnet 
   ability to the user (I can't use /etc/hosts.deny because it's too coarse).
      Any insights into this situation, or other ideas on how to achieve 
   full ftp access with no telnet access are greatly appreciated. 

This should do what you are trying to do:

Copy /bin/false to /bin/noshell.

Add a line in /etc/shells (so that /bin/noshell is a valid shell so ftp will
accept it):

/bin/noshell

Change the shell in the passwd example above to /bin/noshell


vaughn
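
The check behind the steps above, as an added example that is not part of the original message: an ftpd that validates the login shell against /etc/shells refuses an account whose shell is not listed there. The function names, the file contents and the second and third accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which passwd entries an ftpd that consults
# /etc/shells would accept, judged only by the login shell field.

# shell_listed SHELL SHELLS_FILE: succeeds if SHELL is a whole line in the file.
shell_listed() {
    # -x matches the whole line, -F treats the path as a fixed string;
    # comment lines begin with '#' and so never equal a path.
    grep -qxF -- "$1" "$2"
}

# ftp_shell_audit PASSWD_FILE SHELLS_FILE
# Prints one line per account: "user shell accepted|rejected".
ftp_shell_audit() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        case "$user" in \#*) continue ;; esac
        # passwd(5): an empty shell field means /bin/sh.
        [ -n "$shell" ] || shell=/bin/sh
        if shell_listed "$shell" "$2"; then
            echo "$user $shell accepted"
        else
            echo "$user $shell rejected"
        fi
    done < "$1"
}

# demo: run the audit over constructed sample files in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
ftponlyuser1:x:12:324:FTP ONLY:/usr/ftp/./user1s_ftp_dir/:/bin/false
ftponlyuser2:x:13:324:FTP ONLY:/usr/ftp/./user2s_ftp_dir/:/bin/noshell
shelluser:x:1000:100:Shell user:/home/shelluser:/bin/bash
EOF
    cat > "$dir/shells" <<'EOF'
# constructed /etc/shells with the added /bin/noshell line
/bin/sh
/bin/bash
/bin/noshell
EOF
    ftp_shell_audit "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

Run against the real files with `ftp_shell_audit /etc/passwd /etc/shells`; an ftp-only account should show `accepted` with a shell that exits immediately, such as the /bin/noshell copy of /bin/false.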



