[826] in linux-security and linux-alert archive


Re: [linux-security] wu.ftp, ftpaccess, and /bin/false shell

daemon@ATHENA.MIT.EDU (Yury Shevchuk)
Wed Jun 19 14:43:54 1996

Date: Mon, 17 Jun 96 09:09 +0400
To: linux-security@tarsier.cv.nrao.edu,
        Richard Jones <sysgrad3@csc.albany.edu>
In-Reply-To: <Pine.SUN.3.91.960606090941.2768A-100000@naomi.albany.edu>;
    from Richard Jones at Thu, 6 Jun 1996 09:20:20 -0400 (EDT)
From: sizif@botik.ru (Yury Shevchuk)

Hello,

In message <Pine.SUN.3.91.960606090941.2768A-100000@naomi.albany.edu>
    Richard Jones writes:

>  I'm trying to use the wu.ftp ftpaccess file to set up a guestgroup whereby
>users with listings in the /etc/passwd file can upload to certain
>sections of a Linux-based web site.  However, I'd like to deny these
>people telnet access.  In ftpaccess I use the line:
>
>guestgroup ftponly
>
>ftponly is defined as a group in /etc/group and its users have
>/etc/passwd entries that look like:
>
>ftponlyuser1:sladfkj:12:324:FTP ONLY:/usr/ftp/./user1s_ftp_dir/:bin/false
>
>This is straight out of O'Reilly's Managing Internet Info. Services.
>This doesn't work for me, though.  With a shell set to /bin/false a user
>is not allowed to ftp login.  Is this a Linux thing? The user can ftp
>login with /bin/bash or some other viable shell, but this opens up telnet
>ability to the user (I can't use /etc/hosts.deny because it's too coarse).

IMHO, this is an oversight in wu-ftpd: the daemon denies access to
users whose shells are not listed in /etc/shells.  Adding /etc/ftponly
(or /bin/false) to /etc/shells is not the right way to go, though,
since doing so would be against the definition of /etc/shells: that
file should list only true unrestricted command interpreters (note:
/usr/bin/chsh).

On our site, ftponly logins work with the following hack to wu-ftpd,
which skips the /etc/shells check for accounts that have /etc/ftponly
as the login shell.  BTW, /etc/ftponly is a link to /usr/bin/passwd on
this system, which lets ftponly users telnet to the system only to
change their passwords (not my invention -- seen on one of the Linux
mailing lists).

-- Yura

===================================================================
RCS file: ftpd.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- 1.1	1995/02/14 21:32:14
+++ 1.2	1995/02/14 22:04:46
@@ -855,22 +855,31 @@
             shell = _PATH_BSHELL;
         while ((cp = getusershell()) != NULL)
             if (strcmp(cp, shell) == 0)
                 break;
         endusershell();
-        if (cp == NULL || checkuser(name)) {
+        /* if user is a member of any of the guestgroups, cause a chroot() */
+        /* after they log in successfully                                  */
+        guest = acl_guestgroup(pw);
+        /* guestgroup users may have /etc/ftponly as a shell, even though  */
+        /* it is not in /etc/shells                                        */
+        if (cp == NULL && ! (guest && strcmp(shell, "/etc/ftponly") == 0)) {
             reply(530, "User %s access denied...", name);
-            if (logging)
-                syslog(LOG_NOTICE,
-                       "FTP LOGIN REFUSED (bad shell) FROM %s [%s], %s",
-                       remotehost, remoteaddr, name);
+            syslog(LOG_NOTICE,
+                   "FTP LOGIN REFUSED (bad shell) FROM %s [%s], %s",
+                   remotehost, remoteaddr, name);
             pw = (struct passwd *) NULL;
             return;
         }
-        /* if user is a member of any of the guestgroups, cause a chroot() */
-        /* after they log in successfully                                  */
-        guest = acl_guestgroup(pw);
+        if (checkuser(name)) {
+            reply(530, "User %s access denied...", name);
+            syslog(LOG_NOTICE,
+                   "FTP LOGIN REFUSED (in ftpusers) FROM %s [%s], %s",
+                   remotehost, remoteaddr, name);
+            pw = (struct passwd *) NULL;
+            return;
+        }
     }
     if (access_ok(530) < 1) {
         reply(530, "User %s access denied....", name);
         syslog(LOG_NOTICE, "FTP LOGIN REFUSED (access denied) FROM %s [%s], %s",
                remotehost, remoteaddr, name);
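Review bot: the "if (logging)" guard around the bad-shell syslog() is dropped, and the new ftpusers branch has no guard either, so both refusals are now logged unconditionally; that is a behaviour change the message does not mention, so either state that it is intended or keep the guard for consistency with the rest of the daemon. The literal "/etc/ftponly" in the new condition should also be a #define (or an ftpaccess directive) rather than a path buried in the test, since the same path appears in the comment and in the administrator's /etc/passwd entries and will drift if changed in one place. Splitting the old combined "cp == NULL || checkuser(name)" test into two branches with distinct "bad shell" and "in ftpusers" messages is a good change for log triage.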

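To check which passwd entries the check described above would refuse, here is a small audit script, added as an example and not code from the original message or from wu-ftpd; the passwd, group and shells data are constructed stand-ins, and the guestgroup membership rule is assumed to mirror what acl_guestgroup() tests.

```python
"""Replay the wu-ftpd /etc/shells check on sample passwd data.
Added example, not code from the original message or from wu-ftpd; it shows
which refusals the patched /etc/ftponly exception for guestgroup members lifts."""

FTPONLY_SHELL = "/etc/ftponly"  # the shell the patch exempts from the /etc/shells test
DEFAULT_SHELL = "/bin/sh"       # _PATH_BSHELL, used when the passwd shell field is empty

# Constructed stand-ins for /etc/shells, /etc/group and the ftpaccess 'guestgroup' line.
SHELLS = ["/bin/sh", "/bin/bash", "/bin/csh"]
GROUPS = {"ftponly": (324, ["ftponlyuser2"]), "users": (100, ["alice", "bob"])}
GUESTGROUPS = ["ftponly"]
PASSWD = """\
alice:x:1000:100:Alice:/home/alice:/bin/bash
ftponlyuser1:x:1001:324:FTP ONLY:/usr/ftp/./user1s_ftp_dir/:/bin/false
ftponlyuser2:x:1002:100:FTP ONLY:/usr/ftp/user2s_ftp_dir/:/etc/ftponly
bob:x:1003:100:Bob:/home/bob:
"""

def parse_passwd(text):
    """Map user name to (gid, home, shell) for each non-comment passwd line."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _uid, gid, _gecos, home, shell = line.split(":")
            entries[name] = (int(gid), home, shell)
    return entries

def is_guest(name, gid, groups, guestgroups):
    """Guestgroup membership by primary gid or member list (assumed to mirror
    what acl_guestgroup() checks)."""
    return any(gid == groups[g][0] or name in groups[g][1]
               for g in guestgroups if g in groups)

def audit(passwd_text, shells, groups, guestgroups, patched):
    """Return {user: verdict} as the stock (patched=False) or patched daemon
    would decide; guest accounts whose home lacks the /./ chroot anchor are flagged."""
    verdicts = {}
    for name, (gid, home, shell) in parse_passwd(passwd_text).items():
        guest = is_guest(name, gid, groups, guestgroups)
        ok = (shell or DEFAULT_SHELL) in shells
        if not ok and patched and guest and shell == FTPONLY_SHELL:
            ok = True  # the patch's exception: guestgroup member with /etc/ftponly
        if not ok:
            verdicts[name] = "refused (bad shell)"
        elif guest and "/./" not in home:
            verdicts[name] = "ok (no /./ chroot marker in home!)"
        else:
            verdicts[name] = "ok"
    return verdicts
```

Run audit() with patched=False and patched=True side by side to see that a /bin/false shell stays refused either way, while /etc/ftponly is accepted only for guestgroup members once the patch is applied.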