[plug] re: ftp

jlmiller at mmtnetworks.com.au jlmiller at mmtnetworks.com.au
Sat Aug 5 12:50:33 WST 2000


The reason for tight security is each account belongs to a different company and yes they will only have access via FTP.  In each account directory will be drawings and other documents only for the owner of that account.  We do not need anyone else having access to the server for any other reason except to upload their documents and download their info.  Telnet is handled by ssh and is restricted to me.  Users on the internal network will have access to the accounts (via a telnet session or FTP) as they have to be able to access the location of the documents from their clients.  As these drawings are fairly large we can't send them via e-mail.
Does this seem reasonable?


> ** Original Subject: RE: [plug] re: ftp
> ** Original Sender: Christian <christian at amnet.net.au>
> ** Original Date: Sat, 5 Aug 2000 12:06:55 +0800

> ** Original Message follows... 

>
> On Sat, Aug 05, 2000 at 11:10:09AM +0800, jlmiller at mmtnetworks.com.au wrote:
> > I need to clarify my understanding of FTP.
> > 1) it can be set up to only allow users with an account on the server access, and the access they would get would be their home directory.
> 
> Yes (if you don't set up anonymous FTP).
> 
> > 2) #1 would also be correct if one does not install anonftp??
> 
> :-)
> 
> > 3) if I want every tom, dick and harry to have access I need to add anonftp??? and the client version.
> 
> Don't know what you mean by "and the client version" but if you want
> anyone to be able to download files from you (and optionally upload)
> then anonymous ftp is what you want.
> 
> > 4) is FTP installed by default when installing Linux RH62?
> 
> Very likely.  Try ftping to yourself and see what happens. :-)
> 
> > 5) I have to change permission on the users home directory to 755 or is that already set by default (I do not want the users to be able to go anywhere except in their home directories).
> 
> When the user logs in via FTP they have the normal privilege associated
> with their user identity, the only limit beyond this is what the FTP
> protocol allows them to do.  You do not need to set the permissions on
> their directory because, presumably, they will be able to read/write
> their home directory anyway, it doesn't matter if this is via FTP or via
> a terminal login session.
> 
> Preventing users from accessing anywhere but their home directories is a
> bit more problematic.  Can your users log into your machine via
> telnet/ssh etc.?  If so it seems rather pointless to limit their access
> via FTP.  If you're giving someone access on your server to FTP then
> you're probably giving them a full account in the process so trying to
> limit FTP probably doesn't gain much.  If you want them to not be able to
> log in (a fair/reasonable security measure) and just FTP then give them
> a shell they can't use to log in but which is acceptable to the FTP
> server (i.e., in /etc/shells), however, they will still have full access
> to the machine (according to their privilege), not just their home
> directory.  If you really want to limit them to just their home dir then
> you're probably looking at a more sophisticated FTP server like ProFTPd.
> However, quite honestly, my advice to you would be to use a simpler and
> more secure FTP server (like the Linux port of the OpenBSD FTP server
> that comes with Debian).  With this you won't be able to lock them into
> their home dir but, in the event of a bad security bug in ProFTPd, at
> least random people on the Internet won't get access (probably root) on
> your machine.  Ask yourself, why do you want to restrict them to their
> home directory?  Why is it important for your site and what improved
> security does it bring you?  I honestly can't really think of a good
> reason and, presuming one's existence, I doubt the benefit is worth the
> risk (look at ProFTPd's security record if you disagree).
> 
> 
> > I'm not too clear on the control access option (e.g. the ftpaccess file). Any advice in that area such as the usual defaults.
> 
> You're talking about ProFTPd, right?  Last time I used it the
> documentation on the web page was excellent so, if you want to know how
> to use it, go take a look.  But my advice is to think carefully about
> what you want and whether it is really helping your security before you
> do so.
> 
> Regards,
> 
> Christian.

>** --------- End Original Message ----------- **

> 

Jon L. Miller
Novell MCNE
Compaq ASE
MMT Networks Pty Ltd
jlmiller at mmtnetworks.com.au
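
An added example, not part of the original thread: a small audit for the setup discussed above, checking that each FTP-only account has a shell that blocks login but is listed in the shells file, and that its home directory is closed to the other accounts. The `/bin/false` shell, the UID cutoff of 500 and the account names are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit FTP-only accounts in passwd-format data.
# Usage: audit_ftp_accounts PASSWD SHELLS NOLOGIN_SHELL MIN_UID
# Prints "<user>: <problem>" per finding; returns 1 if anything was found.
audit_ftp_accounts() {
    passwd_file=$1 shells_file=$2 nologin=$3 min_uid=$4
    findings=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $uid in ''|*[!0-9]*) continue ;; esac      # skip malformed lines
        [ "$uid" -ge "$min_uid" ] || continue            # skip system accounts
        if [ "$shell" != "$nologin" ]; then
            echo "$user: shell $shell allows interactive login"
            findings=1
        elif ! grep -qxF "$shell" "$shells_file"; then
            echo "$user: shell $shell is not listed in $shells_file"
            findings=1
        fi
        # FTP users keep their normal privileges, so any group/other bit on a
        # home directory exposes one company's documents to the other accounts.
        mode=$(ls -ld "$home" 2>/dev/null | cut -c1-10)
        case $mode in
            d???------) ;;
            '') echo "$user: home $home is missing"; findings=1 ;;
            *)  echo "$user: home $home is $mode (group/other access)"; findings=1 ;;
        esac
    done < "$passwd_file"
    return "$findings"
}

# Constructed sample data: three hypothetical accounts in a scratch directory.
run_constructed_demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/acme" "$d/globex" "$d/initech"
    chmod 700 "$d/acme" "$d/initech"
    chmod 755 "$d/globex"
    printf '%s\n' /bin/sh /bin/false > "$d/shells"
    printf '%s\n' \
        "root:x:0:0:root:/root:/bin/sh" \
        "acme:x:501:501::$d/acme:/bin/false" \
        "globex:x:502:502::$d/globex:/bin/false" \
        "initech:x:503:503::$d/initech:/bin/sh" > "$d/passwd"
    rc=0
    audit_ftp_accounts "$d/passwd" "$d/shells" /bin/false 500 || rc=$?
    rm -rf "$d"
    return "$rc"
}

run_constructed_demo || echo "review the findings above"
```

On a real server the call would be `audit_ftp_accounts /etc/passwd /etc/shells /bin/false 500`, with the no-login shell and UID cutoff adjusted to the site.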
