
Limiting FTP users' access Network
Hi,

I recently got OSX and immediately started to set up an FTP, using the built in FTP sharing in the system preferences. Everything works great, and the server is running, but the only problem is... every user has access to anything. I can't restrict access to folders (I don't know how anyways...) I would like to set up many different users who can only access their own folders, not my ENTIRE HD. Any help would be appreciated.

Thanks,

tried changing global perms, didn't work
Authored by: saint.duo on Apr 20, '01 04:53:37PM

I tried to change the global/world/others/everyone permissions of the hard drive from read only to none (as root), so that FTP users could not get any higher in the directory tree than the users directory unless they knew the exact directory names and structure. Well, that was a bad idea. Upon closing the inspector/getinfo box, the Finder and System Preferences apps both quit, and I had to reboot the machine. The machine would not boot properly afterwards, I could not log in, and sometimes the machine would not boot past the OSX boot panel without the progress bar. I had to boot off of the OSX CD, and reinstall the system to fix the problem. The machine seemed to have retained all of my settings, except for the fact that I had to re-update to 10.0.1.

So, a warning to everyone to not change the global permissions of the OSX volume. At least, that's my experience with this. (It actually happened to me twice. The first time, I thought it was coincidence, so I tried it again, with identical results.)



tried changing global perms, didn't work
Authored by: David Stewart on Mar 20, '02 07:50:32AM

In case you do do this, you can use the all-purpose plan B thing to fix it. Start up holding command-S, then
fsck -y
mount -uw /
cd private/var/db
rm .AppleSetupDone
bye



set 'root' for users to their home?
Authored by: saint.duo on Apr 20, '01 06:52:15PM

I know that some UNIX ftp servers allow you to set a user's 'root' to any directory, effectively making it so that they cannot go higher in the directory tree than that point. Setting this to a user's home directory for ftp access would keep them from getting anywhere else on the system. I can't find the config files for the ftp services built into X to see if this can be done, so I'm asking if anyone else might know where to look. Or if this sparks someone's memory, it'd be great.



chroot looks like what you need
Authored by: Anonymous on Apr 21, '01 05:29:08PM

chroot is a command-line tool to change a user's root directory to any directory you want. I'm not sure how it would conflict with existing users and access through non-FTP protocols. I'd suggest making an 'anonymous' user (set up however you would do so with FTP), then chroot them to a secured directory, or to their home.

I believe standard procedure is to put a readme file, etc/, and pub/ in the anon ftp root. A readme file is a readme file. etc/ is a directory with, I'm not sure what, some stuff that's not what you'd download (other readmes), and put the real download stuff into the pub/ dir. DON'T confuse these with /pub and /etc. (/etc is not something you want anonymous access to, even read-only).



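Added example, not part of the comment above or of any FTP server's own tooling: a shell check of the anonymous-FTP root layout that comment describes (a readme, etc/ and pub/). The function names, the constructed sample tree, and the policy that nothing outside pub/ may be group- or world-writable are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check an anonymous-FTP root directory.
# Assumed policy (not stated in the thread): etc/ and pub/ must exist, and
# nothing outside pub/ may be group- or world-writable.

# ftp_root_findings DIR: print one finding per line (no output = clean).
ftp_root_findings() {
    [ -d "$1" ] || { echo "missing: FTP root $1"; return 0; }
    for d in etc pub; do
        [ -d "$1/$d" ] || echo "missing: $d/"
    done
    # Writable entries outside pub/ could be replaced by a logged-in client.
    ( cd "$1" && find . -path ./pub -prune -o \
        \( -perm -0020 -o -perm -0002 \) ! -type l -print ) | sed 's/^/writable: /'
}

# check_ftp_root DIR: exit status 0 only when there are no findings.
check_ftp_root() {
    [ -z "$(ftp_root_findings "$1")" ]
}

# Build a constructed sample tree in a temp directory and print its path.
make_sample_root() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/etc" "$dir/pub"
    echo "Downloads are in pub/" > "$dir/README"
    chmod 444 "$dir/README"
    chmod 555 "$dir/etc"
    chmod 755 "$dir/pub" "$dir"
    echo "$dir"
}

root=$(make_sample_root)
check_ftp_root "$root" && echo "clean: $root"
chmod 777 "$root/etc"          # simulate a misconfigured etc/
ftp_root_findings "$root"      # reports the writable directory
rm -rf "$root"
```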
Limiting FTP users' access?
Authored by: Anonymous on Apr 20, '01 10:23:48PM

The first thing to do is to ask yourself, can I use apache instead of ftp? If your users are just downloading files, just use http
downloads. (There's a way to do http uploads using webDAV or a perl script, but I haven't tried it yet.) It's a lot easier to
lock down httpd than ftpd.

OK, continuing on the assumption that you need ftp. The first (easy) thing to do is make sure all users with ftp access are
regular users, i.e. not administrators. Do this by editing the file /etc/ftpusers and adding the names of all unwanted users.
This should probably contain your own administrator login to prevent damage should someone get your password. With
only "user" access, they'll still be able to look around the drive (other than stuff in /Users) but they shouldn't be able to
delete anything. Note the backwards nature of /etc/ftpusers: users listed here are NOT allowed to log in.

At this point, what I did was change the group of the ftp users and change the permissions of files on the drive, but I don't
think this is the "right" way to do it. For that, open terminal and type "man ftpd". The man page describes how to set up
restricted users who can only see their own directory and can only execute the command ls. It takes a fair level of unix
twinkiness to follow the instructions there; take a look and see if it seems doable. If not, post back and we'll tackle
it here (since I've wanted to do this as well...)

-Rob



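Added example, not part of Rob's comment: a shell audit that applies the deny-list meaning of /etc/ftpusers described above to a list of accounts and prints who can still log in, flagging administrators. It assumes accounts in passwd(5) format and one login per line in ftpusers with '#' comments; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which accounts /etc/ftpusers still lets in over FTP.
# Assumed formats: ftpusers = one login per line, '#' starts a comment;
# accounts = passwd(5) records. All names below are constructed samples.

# ftp_allowed PASSWD FTPUSERS "ADMIN LOGINS"
# Prints "login<TAB>verdict" for each account NOT blocked by ftpusers.
# verdict: "ADMIN" for uid 0 or a listed administrator, otherwise "user".
ftp_allowed() {
    awk -F: -v admins="$3" '
        BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) is_admin[a[i]] = 1 }
        FILENAME == ARGV[1] {          # deny list: names here may NOT log in
            line = $0
            sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
            if (line != "") denied[line] = 1
            next
        }
        /^#/ || NF < 7 { next }        # skip comments and malformed records
        !($1 in denied) {
            v = ($3 == 0 || ($1 in is_admin)) ? "ADMIN" : "user"
            printf "%s\t%s\n", $1, v
        }
    ' "$2" "$1"
}

# Constructed sample: rob is an administrator who forgot to list himself.
sample_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ftpusers" <<'EOF'
# users listed here are NOT allowed to log in
root
daemon   # system account
EOF
    cat > "$dir/passwd" <<'EOF'
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/dev/null
rob:*:501:20:Rob:/Users/rob:/bin/tcsh
heero:*:502:20:FTP only:/Users/heero:/bin/tcsh
EOF
    ftp_allowed "$dir/passwd" "$dir/ftpusers" "rob"
    rm -rf "$dir"
}

sample_audit
```

Any line marked ADMIN is an account that should be added to /etc/ftpusers. On Mac OS X of this era accounts live in NetInfo rather than /etc/passwd, so the account list would first be exported in passwd format (for example with nidump passwd .).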
RE: Limiting FTP users' access?
Authored by: saint.duo on Apr 21, '01 06:44:56PM

I attempted to do this, using the rules in the FTPD manual, along with creating a user manually following the instructions to create an anonymous user (though I named the user "heero"). I ran into a few snags, though. There is no "ftp" group on my machine, and I don't know what extras to give it to make it work correctly, and after setting up the proper directories, I gave them to user "heero" and group "staff" (putting heero in the staff group, as well). I also gave "heero" a password using sudo passwd heero. When I tried to FTP in, and gave the server the name heero, it told me that login with that user was denied? Any ideas, either to the denied message or why I have no ftp group?

Try this
Authored by: eilert on Apr 23, '01 05:49:47PM

Hey, man.

Check out this article in MacCentral. Seems to be the answer to your problem.

http://maccentral.macworld.com/news/0104/23.diary.shtml



Try this
Authored by: saint.duo on Apr 24, '01 08:01:46PM

Hey, thanks! Tenon's iTools will do the same stuff, but at a much greater cost. Personally, I'm happier mucking around with configuration files, as I like to know what's going on within my system, and I want to learn as much about UNIX as I can, but for most people, this would be great. I'm still trying to get mine working properly, though, so I may use this to see if I'm missing a config file somewheres.



ftp only accounts are what you may want to try
Authored by: tsaar on May 04, '02 07:52:13AM

Check out the script here:

http://www.macosx.com/forums/showthread.php?s=&postid=78763

I just tried it. Works like a charm.

I did one extra thing though:

Using NetInfo Manager I set the ftp-users shell to /dev/null.
Otherwise they can still open a session locally.

Happy ftp-serving...


