Very Computer

I want to restrict user from browsing the whole system when they use ftp.

I know wu-ftp can do it. How about Solaris 8 itself.

Quote:> I know wu-ftp can do it. How about Solaris 8 itself.

Wu-ftp works with Solaris (if it is not included yet! pro-ftp comes
with Solaris). You can restrict users browsing ability using either
chroot(1M) or a restricted shell.

An example of restricted shell is bash with the option "-r". As an
option cannot be added to the user's shell in /etc/passwd you can
make a link to bash called rbash. It will work as a restricted shell
too and can be easily provided as a user's login shell. I believe
that you do not want users browsing system directories from their
normal accounts too.

Restricted shells have a lot of features (for example changes to the
environment are not allowed). You must remember to provide only a PATH
to some well-known commands (for example vi allows users to open
unrestricted shells). Take care with these commands that allows
users to execute arbitrary code.

I never tried it, but it should work as an ftp shell too (if it is
authorized for that use). In any case, the former alternative (chroot)
will work. It is used by the anonymous FTP servers and its behaviour
is just what you are looking for.

Cheers,
Igor.

--

You will do a better job if you read previous posts before answering.
I noted that the best way to restrict an FTP account is using chroot(1M).
But I proposed another one that allows a full restriction. I believe that
the original poster was looking for a way to restrict users access to the
system and it includes more than simply limiting FTP retrieval ability.

Igor.

--

Hi - the two worst ftp server are

        (1) Sun's
        (2) WU ftp

Use

        http://www.proftpd.net

ftp server instead.

It can be configured for just about any situation and uses
syntax similar to Apache.

-- Ken

  I agree about the two worst servers.

  However, I am not totally positive about ProFTPd. In fact, I would
  recommend vsftpd (VS stands for Very Secvure) when security is a
  matter of concern. Version 1.0 has just been released. You can get it
  at :

    ftp://ferret.lmh.ox.ac.uk/pub/linux/vsftpd-1.0.0.tar.gz

  This server does really chroot(), not only providing virtually
  chrooted users, but also making the server jailed. A great tool.

--
Thomas Seyrat.

Quote:>But I proposed another one that allows a full restriction. I believe that
>the original poster was looking for a way to restrict users access to the
>system and it includes more than simply limiting FTP retrieval ability.

The OP specifically said "when using ftp".  Nothing in his post suggested
that he needed to restrict them when logged in normally (I'll go on a limb
and presume that the intended users aren't given shell access at all, so
ftp is all they can do -- a common application like this is personal web
hosting services).

--

Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

Quote:> The OP specifically said "when using ftp".  Nothing in his post suggested
> that he needed to restrict them when logged in normally (I'll go on a limb
> and presume that the intended users aren't given shell access at all, so
> ftp is all they can do -- a common application like this is personal web
> hosting services).

As I noted in my first post, he can use chroot(1M) to restrict the
directories that can be search for.

--