restricting ftp on a per user basis

Post by Susan Malisch » Tue, 09 Apr 1996 04:00:00

I just recently installed wuftp because I had heard of the security benefits that
this version provided.  However, instead of providing simple anonymous ftp
access, I need to be able to provide access to individual users that can "get"
and "put" files in their "home" directories only.  (I don't want users to be able
to access other users' files.)
I have followed the instructions as best as I can tell, but am having some
problems.  I created a separate filesystem /ftp which will house all the home
directories for these "ftp" restricted users.  The bin and etc directories exist
under /ftp.  I created a user called "ftptest" to test the setup.  This ID can
log in but cannot do an "ls" (Permission denied) or "get" a file (it says there is
no such file or directory, but that is probably because the ID cannot see it).
So far I cannot tell what I am overlooking in my setup.  Does anyone have a good
write-up, explanation, or any help in getting this straightened out?

Thanks very much,
Susan Malisch


Restricting ftp directory access on a per user basis

I have been having difficulty configuring restricted directory access on a per
user basis.  We cannot use an anonymous ftp setup because each user should only
be able to access particular files.  Therefore, I intended to assign individual
IDs as guest ftp logins with "/bin/true" shells, and thought that restricting
them to their home directory structure would be fairly straightforward.
However, these login IDs are free to "cd" outside of their home directory; not
only are they allowed to "cd", but they can then get files outside of their root.
I've heard a few references to "sublogins" but I don't really know what these
are.  I've also heard someone recommend modifying the source for ftpd to add a
line chrooting to a user's directory, but after looking at the source code for
ftpd.c I'm afraid it's a little beyond my C programming skills.  What is the
easiest way to achieve this restriction on an individual user basis?  I am
getting desperate to solve this problem; any help would be appreciated.

My ftptest login entry in /etc/passwd looks like this:
ftptest:!:555:204:WUFTP Test User ID:/ftp/./ftptest:/bin/true

My ftpaccess file looks like this:
class   all   real,guest,anonymous  *

limit   all   5   Any              /usr/local/etc/msgs/msg.toomany

loginfails 3

banner /usr/local/etc/msgs/msg.login

readme  README*    login
readme  README*    cwd=*

message /welcome.msg            login
message .message                cwd=*

compress        yes             local remote
tar             yes             local remote

log commands real anonymous guest
log transfers anonymous,real,guest inbound,outbound

shutdown /etc/shutmsg

passwd-check rfc822 enforce

path-filter anonymous,guest,real /ftp/pub/incoming ^[-A-Za-z0-9._]*$ ^[-._]

upload /ftp/pub/incoming upload yes root system 0600

Susan Malisch
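Editor's note on both posts above. The two symptoms (a guest who can log in but cannot "ls", and guests who are free to "cd" out of their home) are the two halves of the same wu-ftpd guest setup. The ftpaccess shown has no "guestgroup" directive; without one, wu-ftpd treats the account as a "real" user and never chroots it, so the "/./" marker in the home directory does nothing. Adding "guestgroup <group>" for the group the guest accounts belong to (the "class" line already admits "guest") makes wu-ftpd chroot to the part of the home directory before "/./" and start in the part after it. Once chrooted, the guest needs its own "ls" and a stripped passwd/group under that root, and wu-ftpd, like the BSD ftpd it descends from, refuses any non-anonymous login whose shell is not listed in /etc/shells, so a placeholder shell such as /bin/true must appear there. The script below is an added example, not code from either post or from wu-ftpd itself; the group name "ftponly", the account values and the temporary paths are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original posts): build and check the pieces a
# wu-ftpd guest account needs. The group "ftponly" and the sample account
# values are assumptions, not taken from the poster's system.
set -u

# Split a guest home directory at the "/./" marker wu-ftpd uses: the part
# before it becomes the chroot root, the part after it the directory the
# guest starts in. Prints "ROOT CWD"; fails if the marker is missing.
split_guest_home() {
    home=$1
    case $home in
        */./*) ;;
        *) echo "split_guest_home: no /./ marker in $home" >&2; return 1 ;;
    esac
    root=${home%%/./*}
    cwd=${home#*/./}
    [ -n "$root" ] || root=/
    printf '%s /%s\n' "$root" "$cwd"
}

# Lay out the minimal tree under ROOT for guest USER: a copy of ls in bin/,
# a names-only passwd and group in etc/ so ls can print owners, and the
# user's own writable directory. Run as root in a real deployment so the
# read-only parts are owned by root rather than by the guest.
make_guest_chroot() {
    root=$1 user=$2 uid=$3 gid=$4 group=$5
    mkdir -p "$root/bin" "$root/etc" "$root/$user"
    # ls must work inside the chroot: either statically linked, or its
    # shared libraries (see ldd) copied under $root as well.
    cp "$(command -v ls)" "$root/bin/ls"
    chmod 111 "$root/bin/ls"
    # "*" is never a valid password hash, so nothing in these files can be
    # used to log in; they exist only for uid/gid to name lookups.
    printf 'root:*:0:0:::\n%s:*:%s:%s:::\n' "$user" "$uid" "$gid" > "$root/etc/passwd"
    printf 'system:*:0:\n%s:*:%s:\n' "$group" "$gid" > "$root/etc/group"
    chmod 444 "$root/etc/passwd" "$root/etc/group"
    # Everything except the user's own directory is read-only to the guest.
    # 555 rather than the stricter 111 here only so the example can be
    # removed again without root.
    chmod 555 "$root/bin" "$root/etc"
    chmod 755 "$root" "$root/$user"
}

# Check what a chrooted "ls" and "get" need before suspecting ftpaccess.
# Returns 0 when the tree is complete, otherwise names what is missing.
check_guest_chroot() {
    root=$1 user=$2 status=0
    [ -x "$root/bin/ls" ]     || { echo "missing or non-executable $root/bin/ls"; status=1; }
    [ -r "$root/etc/passwd" ] || { echo "missing $root/etc/passwd"; status=1; }
    [ -r "$root/etc/group" ]  || { echo "missing $root/etc/group"; status=1; }
    [ -d "$root/$user" ]      || { echo "missing home directory $root/$user"; status=1; }
    return $status
}

# wu-ftpd rejects non-anonymous logins whose shell is not an exact line of
# /etc/shells, so a placeholder shell such as /bin/true must be listed.
shell_is_listed() {
    shell=$1 shells=${2:-/etc/shells}
    [ -r "$shells" ] || return 1
    grep -qx "$shell" "$shells"
}

# Stand-alone demonstration on a throw-away tree with constructed values
# (uid 555, gid 204 as in the posted passwd entry; group name assumed).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    split=$(split_guest_home "$tmp/./ftptest")
    root=${split% *}
    cwd=${split#* }
    make_guest_chroot "$root" ftptest 555 204 ftponly
    check_guest_chroot "$root" ftptest && echo "chroot at $root, guest starts in $cwd"
    shell_is_listed /bin/true || echo "add /bin/true to /etc/shells or the login is refused"
    chmod -R u+w "$tmp" && rm -rf "$tmp"
fi
```

With the tree in place, the ftpaccess change is the one-line "guestgroup ftponly" (whichever group the guest accounts share), and the passwd entry keeps the "/ftp/./ftptest" form so the chroot root is /ftp and the guest lands in /ftptest. Because wu-ftpd uses /etc/shells for the login check before it ever consults ftpaccess, a refused login with a correct ftpaccess is usually the missing /bin/true entry rather than the guest configuration.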
