Improving FTP access security
May 08, '01 09:15:03PM
Contributed by: robg
With the release of 10.0.2, Apple has included an upgraded FTP server that makes it easier to control which directories FTP users can reach. This is done with the file /etc/ftpchroot: each user listed in it is placed in a chroot at login, so their home directory appears to be the root of the filesystem over FTP and there is no way to "cd .." out of it.
Implementing ftpchroot is quite simple, but it does require a bit of editing as root. If you'd like to restrict your FTP users to their own directories, read the rest of this tip.
This only works for accounts that already exist on your system; the file does not create users. You may want to create a generic 'ftpuser' account for such purposes. For this example, we'll assume you have two users, 'tom' and 'ftpuser', and you'd like to restrict both of them to their home directories.
- Open a terminal and type cd /etc to change into the 'etc' directory.
- We'll use pico as the text editor, since this is a very simple file. Type sudo pico ftpchroot and enter your normal admin user's password when prompted.
- When the file opens, simply type each user's short name on a line of its own:
ftpuser
tom
- Save the file by typing Control-X, then Y to confirm the save and Return to accept the filename.
That's it! You've created the file you need to restrict FTP users' access.
The FTP server consults /etc/ftpchroot when a user logs in, so new FTP sessions should pick up the change without a restart. If a restricted user can still browse outside their home directory, try disabling and re-enabling FTP from the Sharing prefs panel; a full restart will definitely do the trick. If you ever need to add more users, just follow these directions and add one more line for each new user you wish to restrict.
To test the restrictions, find another machine, make sure your OS X box has FTP enabled, and connect via FTP as one of the restricted users. You should NOT be able to navigate up from your starting location ("cd .." and "cd /" should leave you in what looks like the root of the filesystem, which is really the user's home directory). If you can get above it, then something's not working correctly. I have tested this tip myself, and it works exactly as described here - thanks, Apple, for getting rid of this relatively large security hole! Note that ftpchroot does nothing about the other weakness of FTP: passwords (and file contents) are still transmitted in cleartext and can be captured by anyone on the network path. That is why a dedicated 'ftpuser' account, with no privileges beyond its own home directory, is a good idea: if its password is sniffed, the chroot limits what the attacker gets.
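The steps above can be scripted so that adding a user to /etc/ftpchroot is repeatable: check that the account exists, and never write a duplicate line. The following is an added example, not part of the original hint. It assumes a POSIX shell and the 'id' and 'grep' utilities; the FTPCHROOT variable is an assumption introduced here so the functions can be exercised against a scratch file before touching the real one (run the real thing as root, e.g. with sudo).

```shell
#!/bin/sh
# Manage an ftpchroot file: one login name per line, no duplicates.
# FTPCHROOT defaults to the real file; point it at a scratch file to dry-run.
FTPCHROOT="${FTPCHROOT:-/etc/ftpchroot}"

# user_exists NAME -> exit 0 if NAME is an account on this system
user_exists() {
    id "$1" >/dev/null 2>&1
}

# in_ftpchroot NAME [FILE] -> exit 0 if NAME is already listed.
# -x matches the whole line, -F treats the name as a fixed string,
# so "tom" does not match "tomas" and dots in names are not regex.
in_ftpchroot() {
    f="${2:-$FTPCHROOT}"
    [ -f "$f" ] && grep -qxF -- "$1" "$f"
}

# ftpchroot_add NAME... -> append each missing, valid name on its own line.
# Names that are not system accounts are skipped and reported; the
# function then returns 1 so a calling script notices the typo.
ftpchroot_add() {
    rc=0
    for u in "$@"; do
        if ! user_exists "$u"; then
            echo "ftpchroot_add: no such user: $u" >&2
            rc=1
            continue
        fi
        if in_ftpchroot "$u"; then
            continue   # already restricted, nothing to do
        fi
        printf '%s\n' "$u" >> "$FTPCHROOT"
    done
    return "$rc"
}

# Typical use on the real system (requires root):
#   sudo sh -c '. ./ftpchroot.sh && ftpchroot_add ftpuser tom'
```

Because the file is plain text, the same functions are also a quick audit: `in_ftpchroot tom` tells you whether tom is restricted, and a loop over your FTP accounts calling it will show which ones are still unconfined.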
Mac OS X Hints
http://hints.macworld.com/article.php?story=20010508211503599