#1
    Creating a user who can only FTP


    Hello,

    I normally use SuSe Linux, but have just started to use Red Hat on another Web Server.

    On my SuSe box, to add a user who could only FTP (i.e. not get shell access) I would add the user as normal but their shell would be bin/false.

    However, when I do this on my RedHat box, it will not allow the user to connect (although other users with bin/bash can).

    Has anyone got any ideas why this would be?

    Thanks
  2. #2
    A default shell of /dev/null has always worked for me.
    Is it just me or is it cold in here?
  4. #3
    >> A default shell of /dev/null

    Never use /dev/null. Use something that's either non-existent or executable, such as /usr/local/bin/ftponly. Executing /dev/null continuously may break your /dev/null.

    >> it will not allow the user to connect

    In your case, you need to add /bin/false to /etc/shells. However, since adding /bin/false may potentially affect other system users (i.e. daemon, bin), it is inappropriate.

    >> Has anyone got any ideas why this would be?

    1) Create a script /usr/local/bin/ftponly
    2) Put the following in this script:
    #!/bin/sh -p
    echo 'This account is currently not available.'
    exit 1
    3) Append /usr/local/bin/ftponly to /etc/shells
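
As post #3 explains, the login fails because the account's shell is not listed in /etc/shells. The following is an added example, not part of any post in this thread: a script that predicts the outcome for an account from copies of the passwd and shells files. The function names, temporary paths and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict whether an FTP daemon that validates login shells
# against /etc/shells will accept an account. File paths are arguments so
# the check can be run on copies; the sample data below is constructed.

# shell_listed SHELL SHELLS_FILE -> exit 0 if SHELL is an exact, uncommented entry
shell_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$1"
}

# ftp_shell_status USER PASSWD_FILE SHELLS_FILE
# prints: no-such-user | ftp-rejected:<shell> | ftp-allowed:<shell>
ftp_shell_status() {
    entry=$(awk -F: -v u="$1" '$1 == u { print "shell=" $7; exit }' "$2")
    [ -n "$entry" ] || { echo "no-such-user"; return 0; }
    shell=${entry#shell=}
    # An empty shell field in passwd means /bin/sh
    [ -n "$shell" ] || shell=/bin/sh
    if shell_listed "$shell" "$3"; then
        echo "ftp-allowed:$shell"
    else
        echo "ftp-rejected:$shell"
    fi
}

# Constructed sample files (not taken from any real system)
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
webuser:x:1001:1001::/home/webuser:/bin/false
ftpuser:x:1002:1002::/home/ftpuser:/usr/local/bin/ftponly
EOF
cat > "$demo_dir/shells" <<'EOF'
# valid login shells
/bin/sh
/bin/bash
/usr/local/bin/ftponly
EOF

for u in root webuser ftpuser; do
    printf '%s\t%s\n' "$u" \
        "$(ftp_shell_status "$u" "$demo_dir/passwd" "$demo_dir/shells")"
done
```

An "ftp-allowed" result only means the shell passes the /etc/shells check; whether the account can also get an interactive session depends on what that shell does when executed.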
  6. #4
    thanks, worked a treat!
  8. #5
    Or another idea: use /usr/bin/passwd as a shell
  10. #6
    >> use /usr/bin/passwd as a shell

    No, and doing something stupid like this could lead to a potential exploit. As I said, use something that is either non-existent or write a simple ftponly shell script.
  12. #7
    Maybe, but this will add additional functionality, i.e. the user can change his own passwd. If this is an exploit, this is true for all users of your system :-D
  14. #8

    Thumbs up


    It works great!! Thank you
    Originally posted by freebsd
    >> A default shell of /dev/null

    Never use /dev/null. Use something that's either non-existent or executable, such as /usr/local/bin/ftponly. Executing /dev/null continuously may break your /dev/null.

    >> it will not allow the user to connect

    In your case, you need to add /bin/false to /etc/shells. However, since adding /bin/false may potentially affect other system users (i.e. daemon, bin), it is inappropriate.

    >> Has anyone got any ideas why this would be?

    1) Create a script /usr/local/bin/ftponly
    2) Put the following in this script:
    #!/bin/sh -p
    echo 'This account is currently not available.'
    exit 1
    3) Append /usr/local/bin/ftponly to /etc/shells
