10.3: ftpchroot now works as expected
Authored by: BananaFish on Jun 02, '04 12:39:35AM
This is a great hint! There are a couple of additional notes that I think may be useful. I have occasional use for chrooted ftp, but I use ssh constantly. On a system running both ftp and ssh services, a user added to /etc/ftpchroot may have limited ftp capabilities, but they can still make an ssh connection and browse the file system as freely as their permissions will allow.

The simplest method that I know for limiting a user's remote access to chrooted ftp is by changing the user's shell variable to /usr/bin/true. Doing so requires a couple of steps (I'm currently running OS X 10.3.4, though I'd imagine most of this is applicable to prior versions):
  1. Edit /etc/shells:
    Without adding /usr/bin/true to the /etc/shells file, ftpd won't recognize it as valid; the file says as much. So, open up Terminal, sudo vi /etc/shells, add the line /usr/bin/true to the file, save and close it.
  2. Modify the User's $SHELL:
    The best way I can think to do this is through the NetInfo Manager, though it could certainly be done through the command line nicl tool. Open NetInfo Manager and authenticate so you can edit the database. Select "users" in the 2nd column, and then select the user that you want to edit. Locate the "shell" property, and change the "Value(s)" field so it reads /usr/bin/true. Click on the Domain menu and Save Changes.
  3. Edit /etc/ftpchroot:
    If you haven't done so already, add the appropriate user names to the /etc/ftpchroot file.
  4. More Users:
    Perform steps 2 and 3 for each appropriate user.
Now, any users added to /etc/ftpchroot with their $SHELL set to true will have limited ftp access, but will not be able to ssh into your system.
There is another method for accomplishing the same results that can be found here. What vogunaescht writes there works in Mac OS X 10.3, but I believe the /usr/bin/true to be more compatible with other systems since I've definitely used it with Linux. For whatever that's worth.

---
I'm interesting
You think I'm interesting
Like the apocalypse

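An added example, not part of the comment above: a shell check for the setup in steps 1 to 4, reporting any user in /etc/ftpchroot whose shell is not /usr/bin/true and whether /usr/bin/true is listed in /etc/shells. It assumes one user name per line in the ftpchroot file and a passwd-style account export (name first, shell last); the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the chrooted-ftp / no-shell setup described above.
NOLOGIN=/usr/bin/true

# audit_ftpchroot FTPCHROOT SHELLS PASSWD
# PASSWD is ':'-separated passwd-style text, name first and shell last
# (assumption: e.g. saved output of `nidump passwd .` on 10.3).
# Prints one line per finding; returns 1 if anything needs fixing.
audit_ftpchroot() {
    ftpchroot=$1 shells=$2 passwd=$3 rc=0
    # Step 1: ftpd rejects a shell that is not listed in /etc/shells.
    if ! grep -qxF "$NOLOGIN" "$shells"; then
        echo "shells: $NOLOGIN not listed"; rc=1
    fi
    # Steps 2-3: every chrooted user should have the no-login shell.
    while read -r user rest || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac   # skip blanks and comments
        shell=$(awk -F: -v u="$user" '$1 == u { print $NF; exit }' "$passwd")
        if [ -z "$shell" ]; then
            echo "$user: no account record"; rc=1
        elif [ "$shell" != "$NOLOGIN" ]; then
            echo "$user: shell is $shell (ssh login still possible)"; rc=1
        else
            echo "$user: ok"
        fi
    done < "$ftpchroot"
    return $rc
}

# Demo on constructed sample data (not real accounts).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' /bin/sh /bin/bash /usr/bin/true > "$d/shells"
    printf '%s\n' '# chrooted ftp users' alice bob carol > "$d/ftpchroot"
    printf '%s\n' \
        'alice:*:501:501::0:0:Alice:/Users/alice:/usr/bin/true' \
        'bob:*:502:502::0:0:Bob:/Users/bob:/bin/bash' > "$d/passwd"
    audit_ftpchroot "$d/ftpchroot" "$d/shells" "$d/passwd" \
        || echo "findings above need fixing"
    rm -rf "$d"
}
demo
```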

10.3: ftpchroot now works as expected
Authored by: BananaFish on Jun 02, '04 01:16:18AM

Sorry about the "NetInfo Manager" URL stunt in item 2. It'll never happen again; I promise.

---
I'm interesting
You think I'm interesting
Like the apocalypse
