A simple way to create basic FTP shares and users
Authored by: eno on Jun 22, '04 05:13:28PM

"Some limitations" or no, if you follow this hint and you also happen to have SSH shell access turned on then you've just given the holder of the FTP account you just created unfettered shell access to your machine.

May your NAT router save you.

This is what happens when desktop users discover UNIX, courtesy of Apple Computer Inc.

a solution to this problem?
Authored by: SuperCrisp on Jun 22, '04 08:21:48PM
Would setting this ftp user's terminal to null or something like /usr/libexec/sftp-server eliminate this problem?

It might also be good to edit ../Library/Preferences/com.apple.AppleFileServer.plist to disallow guest access if this machine is going to be exposed continuously.

Netinfo Manager to the rescue
Authored by: josh doubles on Jun 23, '04 12:43:09AM
Open Netinfo Manager and select /users/ftpuser, where ftpuser is the name of the user you want to disallow shell access for.

Change the value for shell to /usr/bin/false

Additional information about securing your FTP as well as other important info.
Authored by: hanha014 on Jun 23, '04 06:52:27AM
I tried to set the loginshell to /usr/bin/false but then the ftp account didn't seem to work that well either. I suppose it depends on what ftp server you are using. On my Linux box with proftpd you could set it so that you don't require a valid login shell for the ftp-account. I think this would be the solution (after checking man ftpd):

NOTE: Please read the whole message before beginning to change your system.

1. Instead of using /usr/bin/false as a login shell for the ftp-user use /sbin/nologin instead. So open up the NetInfo manager, go to the ftp user and set the login-shell to /sbin/nologin instead.

2. Then we must tell the ftp-server that /sbin/nologin is a valid shell for the ftp-server. Open the /etc/shells file with your favourite editor and put /sbin/nologin on an empty row (you can see how the other valid shells are written in the file). Now if users are logging in via ssh they will get a message that they are not allowed to log in (the /etc/shells file only seems to apply to the ftp server, and not other login processes).

Here's some additional tips to make the ftp server a bit more secure.

3. chroot users to their home directory. What this means in plain English is that what appears to be the root directory for users that log in via ftp is their home directory. In other words they can't go outside of their home directory and download other files in the system.

You configure this chrooting by creating the file /etc/ftpchroot (if it doesn't already exist). There you put one username on each row for the users you want to be "caught" in their home directory.

NOTE: If you have created links or aliases that point to directories outside of the chrooted environment they will probably not work. So if you have done that you probably should skip this step even though it might make your system more secure.

NOTE2: In Linux I know a way of making virtual mounts so you could mount one directory into another, and even mount them with a read-only option, this should be very secure. Haven't got it to work correctly in OS X though, I will investigate this and reply to my message with an update if I find a solution.

FINALLY a completely optional step for users that would like to make their ftp configuration even nicer.

4. If you want the users of your ftp-server to receive a welcome message when they are accessing your ftp you could easily accomplish that by creating the file /etc/ftpwelcome and then write some nice message that would be displayed to users before they log in.

A tip on what to write would probably be your e-mail and name, and some rules for the ftp server, for instance.

5. If you want information displayed to users after they login you should edit the /etc/motd (message of the day) file. I don't think that this only applies for users connecting to your ftp server, but also for users logging in via ssh.

Ok I think that was all my tips I could give concerning the ftp server. For additional information you should check out the manual page for ftpd.

man ftpd

And remember, if you're not that used to working with a *nix system, be careful what you write in the terminal, you could render your system unusable if you are not careful. Don't want to scare people off, just a warning :-)

Oh and one more thing. If the terminal says that you don't have permission to do a certain action you could always type the command sudo before the actual command, like this:

sudo vim /etc/ftpchroot

and then write in the password for the user you logged in as (assuming that you are an administrator of the OS X system).

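The steps above boil down to three checks per FTP-only account: the login shell is non-interactive, that shell is listed in /etc/shells (otherwise ftpd rejects the login, which is the /usr/bin/false problem mentioned above), and the user is named in /etc/ftpchroot. The script below is an added example, not part of the hint or the comments; it audits those checks against passwd-style, shells and ftpchroot files whose paths you pass in, and the sample files it writes (users ftpuser, badftp, falseftp, openftp) are constructed so it can be run without touching the live /etc.

```shell
#!/bin/sh
# Audit an account against the FTP-only setup described in the post.
# Paths are parameters so the audit can run on copies or on test files.

# audit_ftp_user USER PASSWD_FILE SHELLS_FILE FTPCHROOT_FILE
# Prints OK or the first failed check; returns 1 on any failure.
audit_ftp_user() {
    au_user=$1; au_passwd=$2; au_shells=$3; au_chroot=$4
    # field 7 of the passwd-format line is the login shell
    au_shell=$(awk -F: -v u="$au_user" '$1 == u { print $7 }' "$au_passwd")
    [ -n "$au_shell" ] || { echo NO_SUCH_USER; return 1; }
    case "$au_shell" in
        /sbin/nologin|/usr/bin/false) ;;           # non-interactive: what we want
        *) echo SHELL_INTERACTIVE; return 1 ;;      # would also grant ssh shell access
    esac
    # ftpd only accepts the login if the shell appears verbatim in /etc/shells
    grep -qx "$au_shell" "$au_shells" || { echo SHELL_NOT_IN_ETC_SHELLS; return 1; }
    # one username per line in /etc/ftpchroot confines the user to $HOME
    grep -qx "$au_user" "$au_chroot" || { echo NOT_CHROOTED; return 1; }
    echo OK
}

# make_samples DIR: write constructed sample files (not real system data)
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:*:0:0:System Administrator:/var/root:/bin/sh
ftpuser:*:502:502:FTP only, done right:/Users/ftpuser:/sbin/nologin
badftp:*:503:503:FTP user with a real shell:/Users/badftp:/bin/bash
falseftp:*:504:504:false shell, not in shells:/Users/falseftp:/usr/bin/false
openftp:*:505:505:nologin but not chrooted:/Users/openftp:/sbin/nologin
EOF
    cat > "$1/shells" <<'EOF'
# List of acceptable shells for ftpd
/bin/bash
/bin/sh
/sbin/nologin
EOF
    printf 'ftpuser\n' > "$1/ftpchroot"
}

# Demo run on the constructed files
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for u in ftpuser badftp falseftp openftp nobody; do
    printf '%-9s %s\n' "$u" "$(audit_ftp_user "$u" "$demo_dir/passwd" "$demo_dir/shells" "$demo_dir/ftpchroot")"
done
rm -rf "$demo_dir"
```

To audit a real machine, pass /etc/passwd (or a NetInfo dump in the same format), /etc/shells and /etc/ftpchroot instead of the sample paths.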
Additional information about securing your FTP as well as other important info.
Authored by: mrgerbek on Jun 30, '04 12:26:47AM

Awesome - you've done a fine job with these instructions. I commend you.

---
~~~~~~~~~~
Be Green
