[plug] re: ftp

Christian christian at amnet.net.au
Sat Aug 5 12:04:52 WST 2000


On Sat, Aug 05, 2000 at 11:10:09AM +0800, jlmiller at mmtnetworks.com.au wrote:
> I need to clarify my understanding of FTP.
> 1) it can be setup to only allow users with an account on the server access, and the access they would get would be their home directory.

Yes (if you don't set up anonymous FTP).

> 2) #1 would also be correct if one does not install anonftp??

:-)

> 3) if I want every tom, dick and harry to have access I need to add anonftp??? and the client version.

Don't know what you mean by "and the client version" but if you want
anyone to be able to download files from you (and optionally upload)
then anonymous ftp is what you want.

> 4) is FTP installed by default when installing Linux RH62?

Very likely.  Try ftping to yourself and see what happens. :-)

> 5) I have to change permission on the users home directory to 755 or is that already set by default (I do not want the users to be able to go anywhere except in their home directories).

When the user logs in via FTP they have the normal privilege associated
with their user identity, the only limit beyond this is what the FTP
protocol allows them to do.  You do not need to set the permissions on
their directory because, presumably, they will be able to read/write
their home directory anyway, it doesn't matter if this is via FTP or via
a terminal login session.

Preventing users from accessing anywhere but their home directories is a
bit more problematic.  Can your users log into your machine via
telnet/ssh etc.?  If so it seems rather pointless to limit their access
via FTP.  If you're giving someone access on your server to FTP then
you're probably giving them a full account in the process so trying to
limit FTP probably doesn't gain much.  If you want them to not be able to
log in (a fair/reasonable security measure) and just FTP then give them
a shell they can't use to log in but which is acceptable to the FTP
server (i.e., in /etc/shells), however, they will still have full access
to the machine (according to their privilege), not just their home
directory.  If you really want to limit them to just their home dir then
you're probably looking at a more sophisticated FTP server like ProFTPd.
However, quite honestly, my advice to you would be to use a simpler and
more secure FTP server (like the Linux port of the OpenBSD FTP server
that comes with Debian).  With this you won't be able to lock them into
their home dir but, in the event of a bad security bug in ProFTPd, at
least random people on the Internet won't get access (probably root) on
your machine.  Ask yourself, why do you want to restrict them to their
home directory?  Why is it important for your site and what improved
security does it bring you?  I honestly can't really think of a good
reason and, presuming one's existence, I doubt the benefit is worth the
risk (look at ProFTPd's security record if you disagree).


> I'm not too clear on the control access option (eg the ftpaccess file). Any advice in that area such as the usual defaults.

You're talking about ProFTPd, right?  Last time I used it the
documentation on the web page was excellent so, if you want to know how
to use it, go take a look.  But my advice is to think carefully about
what you want and whether it is really helping your security before you
do so.

Regards,

Christian.
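The reply above turns on one rule: an FTP daemon such as wu-ftpd (whose /etc/ftpaccess file the question mentions) or ProFTPd only accepts a user whose login shell is listed in /etc/shells, so an "FTP-only" account needs a shell that is in that file yet exits immediately, while anyone with a real shell already has the whole machine via telnet/ssh.  The script below is an added example, not code from the original post or from either FTP server; it audits a passwd file against a shells file and classifies each account as interactive, ftp-only, or no-access.  Both input files are constructed sample data, and /bin/ftponly is a hypothetical nologin-style shell used only for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.  Classifies accounts by what
# they can reach, assuming the FTP daemon (wu-ftpd/ProFTPd) refuses any
# user whose shell is not listed in /etc/shells.  The passwd and shells
# files below are constructed sample data; /bin/ftponly is hypothetical.

# Shells that terminate at once and so cannot give a login session.
NOLOGIN_SHELLS="/bin/false /sbin/nologin /usr/sbin/nologin /bin/ftponly"

# classify_account SHELL SHELLS_FILE -> interactive | ftp-only | no-access
classify_account() {
    shell=$1
    shells_file=$2
    # Not in /etc/shells: the FTP daemon rejects the login outright.
    if ! grep -qxF -- "$shell" "$shells_file"; then
        echo no-access
        return
    fi
    # Listed, but non-interactive: FTP works, telnet/ssh does not.
    for s in $NOLOGIN_SHELLS; do
        if [ "$s" = "$shell" ]; then
            echo ftp-only
            return
        fi
    done
    # Listed and a real shell: full account, so limiting FTP gains little.
    echo interactive
}

# audit_passwd PASSWD_FILE SHELLS_FILE: prints one "user class" line per account.
audit_passwd() {
    passwd_file=$1
    shells_file=$2
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_account "$shell" "$shells_file")"
    done < "$passwd_file"
}

# make_samples: writes constructed passwd/shells files to a temp dir and
# prints the directory name.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/shells" <<'EOF'
/bin/sh
/bin/bash
/bin/ftponly
EOF
    cat > "$dir/passwd" <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/ftponly
carol:x:1002:1002:Carol:/home/carol:/bin/false
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
EOF
    echo "$dir"
}

# Stand-alone run against the constructed data: alice is interactive, bob is
# ftp-only, carol and ftp get no-access because their shells are not listed.
samples=$(make_samples)
audit_passwd "$samples/passwd" "$samples/shells"
rm -r "$samples"
```

Run it against the real files with `audit_passwd /etc/passwd /etc/shells` to see which accounts are effectively FTP-only.  Note the carol case: /bin/false is a common choice for "no login", but if it is not listed in /etc/shells the FTP daemon refuses her as well, which is the trap the reply warns about when it says the shell must be acceptable to the FTP server.  If you do go the ProFTPd route, `DefaultRoot ~` is the directive that confines users to their home directory, and `RequireValidShell` (on by default) is the /etc/shells check itself.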


