[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] FTP Server on Linux

NOTE:  Please let me know in whatever way you deem appropriate if you want
this thread dropped...

I looked in the ftpaccess man page, and I tried exactly what you quote here.
I noticed that this does not work unless you give the user a valid shell.
Does this sound right?

Also, are there any exploits I should know about which would let them
_around_ the security I set up here.

I also noticed a bunch of prose about setting up security properly for other
directories.  Would I NOT need to do this if I use the guestgroup options?

Thanks a million all!


----- Original Message -----
 From: Ed Landa <elanda at comstar.net>
To: <ale at ale.org>
Sent: Sunday, January 24, 1999 11:57 AM
Subject: Re: [ale] FTP Server on Linux

>On Fri, Jan 22, 1999 at 01:07:25PM -0500, Matthew Brown wrote:
>> Are you saying they can snoop the whole directory tree? [I'm feeling
>> right now.]
>> How do ISPs like MindSpring prevent this activity?  Aren't they also
>> *NIX-based?
>Depending on your FTP server, you can chroot customers into their own
>If you are using wuftpd, check out the man page 'ftpaccess'.  Here is an
>excerpt from the relevant part :
>       guestgroup <groupname> [<groupname> ...]
>            If a REAL user is a member of any of <groupname>, the
>            session  is set up exactly as with anonymous FTP.  In
>            other words, a chroot() is done, and the user  is  no
>            longer permitted to issue the USER and PASS commands.
>            <groupname> is a  valid  group  from  /etc/group  (or
>            whatever  mechanism  your getgrent(3) library routine
>            uses).
>            The user's home directory must be  properly  set  up,
>            exactly  as  anonymous FTP would be.  The home direc-
>            tory field of the passwd entry is  divided  into  two
>            directories.   The  first field is the root directory
>            which will be the argument  to  the  chroot(2)  call.
>            The second half is the user's home directory relative
>            to the root directory.  The two halves are  separated
>            by a "/./".