[lug] ftp-only user ids without sendmail, pop, global read, etc.

Neal McBurnett neal at bighorn.dr.lucent.com
Fri Oct 29 11:33:54 MDT 1999


I want to allow a bunch of minimally-privileged users to update stuff
on a web site with ftp.  Each user should not have read or write
permission outside their own directory or else they could read files
elsewhere on the server that are protected via http .htaccess files.

We don't want to affect other services on the machine or permission
issues.  E.g. these users should not be able to login, receive email,
retrieve email, etc.  FTP-only users would still need a way to change
their passwords.

I know from the httpd side (apache) how to prevent them from doing cgis
and server-side-includes (anything else I've forgotten for the
moment?)

I found some info on configuring wu-ftp (we are using
FTP Version wu-2.6.0(1) Wed Oct 20 10:51:40 MDT 1999) at the
WU FTP FAQ.  E.g. information on the "no-telnet" desire is at
	http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html#QA59

But that mentions an issue with people being able to receive email.  I
don't know if they would be able to read it or not via pop.  If so
that seems like a bigger problem.  If not it would still seem a good
idea to turn off mail delivery for these users.

The fact that /etc/ftponly is in /etc/shells would also seem to
mean that this user might even be able to execute commands thru
email via the right config files in their home directory.
Is that (or can it be) turned off in the sendmail config file?

I've heard of one way to set up ftp to restrict access to only
one directory, but it involves chroot and copies of the ftp
bin area.  Is there a way without all those silly copies (which
would then show up on the web....)?


For some visions of other new and future ways for distributed
maintenance of web sites (WebDAV, CVS, DELTA-V) see this recent
article:
	http://www.webtechniques.com/archives/1999/10/whitehead/

But I think that although some of those things are available now,
they don't really address our need to provide simple, standard
safe, well-tested tools for novice users....

Cheers,

Neal McBurnett <nealmcb at bell-labs.com>  303-538-4852 Denver
Bell Labs / Lucent Technologies
http://bcn.boulder.co.us/~neal/      (with PGP key)
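An added audit script, not part of this post, for the first requirement above (FTP-only users must not be able to read outside their own directory): it applies the standard Unix owner/group/other read and search check for a given uid to a directory tree and lists every file that account could still read outside its home. The sample tree, account names and uids (60001, 60002) are constructed; it shows that a directory guarded only by an .htaccess file with 0644 files stays readable at the file-system level, while a 0700 home does not.

```python
import os
import stat
import tempfile

def _allowed(st, uid, gids, ubit, gbit, obit):
    """Unix class selection: owner bits if uid matches, else group bits, else other."""
    if uid == st.st_uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)

def readable_outside_home(root, uid, gids, home):
    """Files under root that (uid, gids) could read, excluding the account's own home.
    A file only counts if every directory above it grants search (x) to that user."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        blocked = not _allowed(os.stat(dirpath), uid, gids,
                               stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
        if blocked or dirpath == home or dirpath.startswith(home + os.sep):
            dirnames[:] = []  # do not descend: unreachable subtree, or the user's own home
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if _allowed(os.stat(path), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def build_demo_tree():
    """Constructed sample: docroot with an .htaccess-only members/ area plus two FTP homes;
    alice's home is 0700 (the fix), bob's keeps a world-readable 0755."""
    root = tempfile.mkdtemp()
    dirs = {"htdocs": 0o755, "htdocs/members": 0o755, "home": 0o755,
            "home/alice": 0o700, "home/bob": 0o755}
    files = {"htdocs/index.html": 0o644, "htdocs/members/secret.html": 0o644,
             "home/alice/upload.html": 0o600, "home/bob/upload.html": 0o644}
    for rel, mode in dirs.items():  # parents are listed before children
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(root, 0o755)  # mkdtemp uses 0700, which would block the simulated user
    return root

def demo_findings(user):
    """Audit one constructed account (uids 60001/60002 are made up) against the sample tree."""
    root = build_demo_tree()
    uid = {"alice": 60001, "bob": 60002}[user]
    return readable_outside_home(root, uid, {uid}, os.path.join(root, "home", user))
```

Running `demo_findings("alice")` reports bob's world-readable upload and both docroot files; `demo_findings("bob")` reports only the docroot files, because alice's 0700 home blocks the search step.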