Web Hosting Talk

FTP Security On Shared Servers


XTStrike
06-20-2001, 08:32 AM
Let's say I have a dedicated server. I want to allow people to log on to the server via FTP and view their home directory, and only their home directory. I want it to look like their home directory is root and for them to be unable to change out of it.

I don't want them to log in via SSH etc... just FTP.

I've seen it done many times. The one I saw was altering the /bin/bash to /ftponly in /etc/passwd, but it didn't work without putting a selection of files into the user's home directory. It's all quite confusing; could anybody describe how it's done, or any alternatives?

regards

XT

huck
06-20-2001, 09:39 AM
FTP authentication occurs using the password file and the /etc/shells file. To FTP to a site, the shell specified in /etc/passwd must exist and must be listed in /etc/shells.

To set up FTP-only accounts, you must modify both /etc/passwd and /etc/shells. One way to do this under RedHat is to use /bin/false as the shell. Also, add /bin/false in the /etc/shells file and you should have FTP only.

If you create FTP only accounts often, be sure to specify /bin/false as the shell.


Depending upon your FTP server, restricting access to other directories can be difficult. Generally, the FTP server uses the permissions of the filesystem, meaning that most other web directories can be read by other users. Some FTP servers allow you to restrict users to their home folders -- they basically treat the home folder as root. I am not sure which servers support this feature, but I know that many servers offer this type of security.


Note: the program /bin/false does nothing unsuccessfully -- meaning that it does nothing but returns an error;
the program /bin/true does nothing successfully -- meaning that it does nothing without error.
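To see huck's rule applied to a real password file, here is an added shell audit (not from the thread) that reads a passwd file and a shells file and classifies each ordinary account as FTP-only, full login, or no FTP at all. The UID cutoff of 500 and the sample passwd/shells contents are constructed assumptions for the demo.

```shell
#!/bin/sh
# Rule from the thread: FTP authentication needs the account's shell
# (field 7 of /etc/passwd) to be listed in /etc/shells. An "FTP-only"
# account is one whose listed shell is /bin/false.

# ftp_audit PASSWD_FILE SHELLS_FILE
# Prints "user shell status" for every account with UID >= 500
# (assumed cutoff for ordinary users). status is one of:
#   ftp-only    /bin/false and listed in shells: FTP works, no shell login
#   full-login  a real shell, listed in shells: FTP and interactive login
#   no-ftp      shell not in shells: FTP login refused
ftp_audit() {
    passwd_file=$1
    shells_file=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$uid" ] && [ "$uid" -ge 500 ] || continue
        if ! grep -qx -- "$shell" "$shells_file"; then
            status=no-ftp
        elif [ "$shell" = /bin/false ]; then
            status=ftp-only
        else
            status=full-login
        fi
        printf '%s %s %s\n' "$user" "$shell" "$status"
    done < "$passwd_file"
}

# Constructed sample files standing in for /etc/passwd and /etc/shells.
demo_ftp_audit() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/false
bob:x:501:501::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/ftponly
EOF
    cat > "$tmp/shells" <<'EOF'
/bin/bash
/bin/false
EOF
    ftp_audit "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

demo_ftp_audit
```

carol shows the failure mode from the original question: a made-up shell like /ftponly that is not in /etc/shells blocks FTP entirely rather than making the account FTP-only.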

XTStrike
06-20-2001, 09:57 AM
Yes, it's been added to /etc/shells - I forgot to mention that in my original message (sorry).

All that remains now is the security, which I have already seen in action on another system, but I no longer have access to this system to check how it was done. Any ideas? I'm using ProFTP.

Planet Z
06-20-2001, 01:29 PM
With wuftpd, the basic way would be to add the username you want to restrict under guestuser in /etc/ftpaccess or /usr/local/etc/ftpaccess.

Then you'd need to copy the basic FTP file bin into the user's home dir (located @ /home/ftp/bin in BSD, not sure about RH).

huck
06-20-2001, 01:36 PM
Check out the ProFTPd FAQ ....

don't be so lazy :sleeping:

;)

http://pdd.sourceforge.net/faq/proftpdfaq-5.html

Question 5.1 addresses your problem. ProFTPd uses a similar security system to Apache. You can jail your users into their own directory trees by setting up the appropriate settings in proftpd.conf.

Also, check out the main documentation:
http://www.proftpd.net/docs/

Tim Greer
06-20-2001, 07:43 PM
Well, someone already posted the link to the answer before I saw this thread. Also, as those pages (I recall) say, this isn't the best means to secure it, since chroots can be broken out of. I think there's a link there that covers that. Nonetheless, it's another step in helping and prevents most people, let alone newbies, from snooping around. Just put in the "DefaultRoot ~" directive in each Vhost or globally. You can also make it be limited by the group or user the person belongs to -- so certain people can FTP in and not be limited to their chroot jail making their home directory the / root. Anyway, that's all on those pages.

XTStrike
06-21-2001, 06:39 AM
OK OK OK, I admit I was a little lazy, but I thought there was a quick fix :-(

I suppose I'm lucky I didn't get a whole host of people saying "RTFM" :rolleyes: