[818] in linux-security and linux-alert archive
Re: [linux-security] wu.ftp, ftpaccess, and /bin/false shell
daemon@ATHENA.MIT.EDU (Vaughn Skinner)
Mon Jun 17 10:22:02 1996
Date: Sun, 16 Jun 1996 15:52:33 -0700
From: Vaughn Skinner <vaughn@solid.net>
To: sysgrad3@csc.albany.edu
CC: linux-security@tarsier.cv.nrao.edu
In-reply-to: <Pine.SUN.3.91.960606090941.2768A-100000@naomi.albany.edu>
(message from Richard Jones on Thu, 6 Jun 1996 09:20:20 -0400 (EDT))
This is not a linux-security issue.
[Mod: Agreed--I forwarded it anyway, mainly because this issue is of
potential interest to a large number of Linux users. --Jeff.]
I'm trying to use the wu.ftp ftpaccess file to set up a guestgroup whereby
users with listings in the /etc/passwd file can upload to certain
sections of a Linux-based web site. However, I'd like to deny these
people telnet access. In ftpaccess I use the line:
guestgroup ftponly
ftponly is defined as a group in /etc/group and its users have
/etc/passwd entries that look like:
ftponlyuser1:sladfkj:12:324:FTP ONLY:/usr/ftp/./user1s_ftp_dir/:/bin/false
This is straight out of O'Reilly's Managing Internet Info. Services.
This doesn't work for me, though. With a shell set to /bin/false a user
is not allowed to ftp login. Is this a Linux thing? The user can ftp
login with /bin/bash or some other viable shell, but this opens up telnet
ability to the user (I can't use /etc/hosts.deny because it's too coarse).
Any insights into this situation, or other ideas on how to achieve
full ftp access with no telnet access are greatly appreciated.
This should do what you are trying to do:
Copy /bin/false to /bin/noshell.
Add a line in /etc/shells (so that /bin/noshell is a valid shell so ftp will
accept it):
/bin/noshell
Change the shell in the passwd example above to /bin/noshell
vaughn
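
The reply depends on the FTP daemon accepting only users whose shell is listed in /etc/shells, and that can be audited for every member of the guest group. The script below is an added example, not part of the original message; the function names, the second user and the scratch files are constructed, and nothing under /etc is read or modified.

```shell
#!/bin/sh
# ftp_shell_audit PASSWD GROUP SHELLS GROUPNAME
# For each member of GROUPNAME print "user shell ftp-ok|ftp-refused";
# ftp-ok means the user's shell is listed in the SHELLS file.
ftp_shell_audit() {
    awk -F: -v g="$4" '
        FILENAME == ARGV[1] {              # shells file: one path per line
            if ($0 !~ /^[ \t]*#/ && $0 !~ /^[ \t]*$/) valid[$0] = 1
            next
        }
        FILENAME == ARGV[2] {              # group file: name:pw:gid:members
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) member[m[i]] = 1
            }
            next
        }
        # passwd file: match on primary gid or on the group member list
        (gid != "" && $4 == gid) || ($1 in member) {
            sh = ($7 == "") ? "/bin/sh" : $7   # empty shell field means /bin/sh
            print $1, sh, ((sh in valid) ? "ftp-ok" : "ftp-refused")
        }
    ' "$3" "$2" "$1"
}

# Constructed sample files in a scratch directory (assumed layout, not real data).
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# valid login shells' /bin/sh /bin/bash > "$d/shells"
    printf '%s\n' 'ftponly:x:324:' > "$d/group"
    printf '%s\n' \
        'ftponlyuser1:x:12:324:FTP ONLY:/usr/ftp/./user1s_ftp_dir/:/bin/false' \
        'ftponlyuser2:x:13:324:FTP ONLY:/usr/ftp/./user2s_ftp_dir/:/bin/noshell' \
        'shelluser:x:14:100:Shell user:/home/shelluser:/bin/bash' > "$d/passwd"
    echo "$d"
}

d=$(make_sample)
echo "before /bin/noshell is listed in shells:"
ftp_shell_audit "$d/passwd" "$d/group" "$d/shells" ftponly
echo /bin/noshell >> "$d/shells"           # the /etc/shells step from the reply
echo "after:"
ftp_shell_audit "$d/passwd" "$d/group" "$d/shells" ftponly
rm -rf "$d"
```

In the second run ftponlyuser1 is still reported as ftp-refused, because its passwd entry has not yet been changed from /bin/false to /bin/noshell.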