[99009] in RedHat Linux List
Re: FTP Permissions & WU-FTPD with chrooting users
daemon@ATHENA.MIT.EDU (Chris J. Manders)
Wed Nov 11 16:36:49 1998
Date: Wed, 11 Nov 1998 13:34:08 -0800 (PST)
From: "Chris J. Manders" <cmanders@mh1.lbl.gov>
Reply-To: "Chris J. Manders" <cmanders@mh1.lbl.gov>
To: redhat-list@redhat.com
Resent-From: redhat-list@redhat.com
Hi again,
You need to EXPLICITLY allow these DELETE and TAR and COMPRESS and such in the
/etc/ftpaccess file. Let's try this again. Try this...I am putting my file
/etc/ftpaccess here. Check it out as it seems you are almost there. Note the
middle of the file where it gives these rights to groups,anon, or real...... ;)
:>
#### /etc/ftpaccess
class all real,guest *
deny !nameserved nodns.msg
guestgroup users
email root@wings-at-you.com
loginfails 5
readme README* login
readme README* cwd=*
banner banner.msg
message /welcome.msg login
message .message cwd=*
compress no all
tar no all
chmod yes guest,real
### NOTE THE ADD of GUEST......
delete yes guest,real
overwrite yes guest,real
rename yes guest,real
noretrieve /etc/passwd core /etc/group
loginfails 5
passwd-check rfc822 enforce
log commands anonymous,guest,real
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg
passwd-check rfc822 warn
########
Check the extra security in the rev-dns-check I put there....but that is
unnecessary.
########
/etc/group
users::100:hajimazi,wasa,zip
/etc/passwd
hajj:.Mnmgq245bw54ertw:815:100:Runt Haji:/home/hajimazi:/bin/false
I will again suggest that this is the config to use, as it does what you are
looking for (except putting them _right_ into their $HOME/public_html dir. :)
If you want another try BeroFTP or the one RedHat uses (it is DEFINITELY _NOT_
wu-ftpd). I have heard great things about Bero. Might try that if this doesn't
work.
I hope this helps.
Cheers!
--Chris
PS-- Cold yet there?
>
> hi,
> question that is sort of stumping me. Currently on one of my servers
> i have both httpd and ftpd running so that users can ftp to their home
> dir plus their *.html files can be viewed by world in `public_html' of their
> home dir. But here is the problem if i don't use the guestgroup feature;')
> to declare the group that users must belong to in order to be
> chrooted/./chdired via /etc/passwd . Here is the problem if i simply # out
> the `guestgroup' feature then world can view each users .html files by
> simply doing a:
> http://www.mydomain/~user-name/
> which is just great but the user-name ftps to their home dir it is not
> chrooted hence they can get higher and see the file structure. I want them
> only to be able to access their own $HOME period. no reason for more. At
> the same time world must be able to access the .html files in each users
> $HOME `public_html' which also works just fine. But here is where it
> craters... when i add to ftpaccess guestgroup mygroup and then change the
> settings in /etc/passwd it chroots to where i want and chdirs to where i
> want but then it denies write and read to the user to all that r theirs
> files WHICH I DON'T WANT. must be something i am missing.
> the users dirs for `public_html' r 755 so this should be right and the .html
> files are set to 644 which should be fine. my guess is that the chroot is
> screwing with me but my brain is frazzled here. hmmm... solved the problem
> with world viewing .html files but another one has appeared:( in other words
> when they are not chrooted and i do not use ftpaccess `guestgroup' feature
> then everything works well except they can see the file structure above
> them which is what i was trying to avoid by chrooting then when ftping to
> their $HOME ftpclients can get chrooted to the right location and chdired
> but i see no files that exist nor can i r || w to the existing files can't
> see or mkdirs 550 simply put i gain ftpaccess as the user to their $HOME ok,
> get chrooted ok, get chdir ok, and world can view my existing html files.
> But... the user that i accessed their $HOME can't create,view, or mkdirs,
> or see dirs on even files that they already own, and r in the same grp.
> Any resolution would be appreciated!
> TIA
> dreamwvr@dreamwvr.com
> Reuters, London, February 29, 1998:
> Scientists have announced discovering a meteorite which will strike the
> earth in March, 2028. Millions of UNIX coders expressed relief for being
> spared the UNIX epoch "crisis" of 2038.
> _______________________________________________________________________
>
> DREAMWVR.COM - TOTAL WEB INTEGRATION, DEVELOPMENT, DESIGN SERVICES.
> Featuring Website Development and Web Strategies of a TOP Developer
> <http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvr@dreamwvr.com>
> "As Unique as the Company You Keep." "===0 PGP Key Available
> ________________________________________________________________________
> --
> PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
> http://www.redhat.com http://archive.redhat.com
> To unsubscribe: mail redhat-list-request@redhat.com with
> "unsubscribe" as the Subject.
>
----------------------------------
Chris Manders
UNIX Systems Administration Group
CJManders@lbl.gov
----------------------------------
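As an added example (not part of Chris's message and not wu-ftpd code), this Python audit reads the directives from the /etc/ftpaccess listing above and reports which user types each permission line explicitly names, whether `log transfers` covers every type that was granted write operations, and whether `passwd-check` is repeated with different arguments. The function name `audit` and the wording of the findings are assumptions of this example; it models only the explicit lines in the file, not the server's defaults.

```python
# Added example: audit which ftpaccess rules explicitly cover each user type.
TYPES = ("anonymous", "guest", "real")
PERM_CMDS = ("chmod", "delete", "overwrite", "rename")

# Directives copied from the /etc/ftpaccess listing in the message above.
SAMPLE = """\
class all real,guest *
guestgroup users
chmod yes guest,real
delete yes guest,real
overwrite yes guest,real
rename yes guest,real
passwd-check rfc822 enforce
log commands anonymous,guest,real
log transfers anonymous,real inbound,outbound
passwd-check rfc822 warn
"""

def audit(text):
    perms = {c: {} for c in PERM_CMDS}   # command -> {type: "yes"/"no"}
    logged = {"commands": set(), "transfers": set()}
    seen, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # drop comments, split into fields
        if not f:
            continue
        if f[0] in PERM_CMDS and len(f) >= 3:
            for t in f[2].split(","):
                perms[f[0]][t] = f[1]
        elif f[0] == "log" and len(f) >= 3 and f[1] in logged:
            logged[f[1]].update(f[2].split(","))
        elif f[0] == "passwd-check":
            # Same directive given twice with different arguments: flag for review.
            if f[0] in seen and seen[f[0]][1] != f[1:]:
                findings.append(f"line {n}: {f[0]} {' '.join(f[1:])} conflicts with line {seen[f[0]][0]}")
            seen[f[0]] = (n, f[1:])
    for t in TYPES:
        # Types that may modify files but are absent from transfer logging.
        writes = sorted(c for c in PERM_CMDS if perms[c].get(t) == "yes")
        if writes and t not in logged["transfers"]:
            findings.append(f"{t}: {','.join(writes)} allowed but 'log transfers' omits {t}")
    return perms, findings

if __name__ == "__main__":
    perms, findings = audit(SAMPLE)
    for cmd in PERM_CMDS:
        print(cmd, perms[cmd])
    print(*findings, sep="\n")
```

On the listing above it reports that guest users are granted chmod, delete, overwrite and rename while the `log transfers` line names only anonymous and real, and that `passwd-check rfc822` appears once with `enforce` and once with `warn`.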