On Fri, Mar 14, 2003 at 09:57:12AM -0600, Andrew Robinson wrote:
> I'm about to configure a similar box. If you would, please post that
> configuration to the list.
Here's a brief overview:

1. Create the accounts chroot'ed and restrict the shell to ftponly.

     /usr/sbin/groupadd -g $NEWUID $NEWUSER
     /usr/sbin/groupadd -g $NEWFTPGID $NEWFTPGRPNAME
     /usr/sbin/useradd -d $NEWDIR/./pub -g $NEWUID -G ftp$NEWUSER -M \
         -s /usr/local/bin/ftponly -u $NEWUID $NEWUSER

   In our case, a typical home directory would be /cust/foo/./pub. wu-ftpd
   will end up enforcing those. ftponly is distributed with wu-ftpd. We
   create all the customer accounts with a gid>10000.

2. Create /cust/foo/pub/upload and /cust/foo/pub/download.

3. Create /cust/foo/etc, /cust/foo/bin, /cust/foo/lib. These contain
   everything the user needs to run and *must* be present. Remember, these
   accounts are chroot'ed so they do not have access to /bin, /usr/bin, etc.

4. Add some good stuff to /etc/ftpaccess. You must read the documentation
   on this since there are lots of ways you can get it wrong. Here are some
   key entries in mine:

     guestgroup %10000-19999
     upload /cust/*/* * no
     upload /cust/*/* /pub/upload yes * * 2770
     noretrieve /cust/*/bin
     noretrieve /cust/*/etc
     noretrieve /cust/*/lib
     noretrieve relative /pub/upload
     path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

   There are entries in ftpaccess that restrict whether or not you want
   your users to be able to rename and delete files.

NOTE: there is a Guest HOWTO at http://www.wu-ftpd.org. Read it. Memorize
it. Your system security depends on you getting your setup right. Never
allow a user to download a file that's been uploaded unless you manually
move it first. If you do, then you've just turned your server into a
potential pirate site.

In recent versions of wu-ftpd, there are nicer ways to chroot an account
than the /./ construct, and that will eliminate the requirement for the
bin, lib, and etc directories. Use them if you can since it will save you
a bit of hassle in the long run (like having 500 copies of tar in your
file system that all need to be updated to fix a security hole).
Cheers,
    .../Ed

> At 09:15 AM 3/14/2003 -0600, you wrote:
> >On Fri, Mar 14, 2003 at 08:23:06AM -0600, Richard Humphrey wrote:
> > > I am currently working on setting up our company FTP server. What we are
> > > looking for is to set it up with a specified username/password that
> > > only our distributors have access to. I would like to create 2
> > > directories. The first one would be a directory that would allow them
> > > to upload files (need write access) and another directory that is
> > > read-only. My server is running RH 8 and uses vsftpd. I have read
> > > various ways of setting this up, but I am new to Linux and don't
> > > really understand which is the best way. Is it best to create a user
> > > <ftpuser> and just have them access the home directory? I want to
> > > allow them to upload, but not rename or delete any of the directories
> > > etc. How should I go about this? I know there are similar posts in
> > > here about vsftp but not sure how they apply to my situation.
> >
> >I do this with hundreds of customer accounts with wu-ftpd. If you're
> >willing to switch servers to wu-ftpd, drop me an e-mail and I'll let you
> >know how I've got things set up. Since I've never used vsftpd, my setup
> >may not work in your environment and it's not the kind of thing you can
> >afford to get wrong.
> >
> >        .../Ed
> >
> >--
> >Ed Wilts, Mounds View, MN, USA
> >mailto:[EMAIL PROTECTED]
> >Member #1, Red Hat Community Ambassador Program

--
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
Member #1, Red Hat Community Ambassador Program

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
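The path-filter line in the ftpaccess entries above is the one most people get wrong, so here is an added example (not part of the thread, not wu-ftpd code) that re-implements its accept/reject logic in POSIX sh with grep -E, so you can try candidate upload names before trusting the real server with them. It assumes the wu-ftpd rule that the first pattern is the allowed character set (the whole name must match it) and every later pattern is a disallowed pattern (the name must match none of them); the sample filenames are constructed.

```shell
#!/bin/sh
# Constructed example: evaluate the path-filter from the ftpaccess above
# with grep -E. Assumed semantics (wu-ftpd path-filter): the first pattern
# is the allowed character set and must match the whole name; each later
# pattern is a disallowed pattern and must not match.
# Caveat: grep -E reads the bracket expression per POSIX ERE, where a
# backslash inside [...] is a literal character, so behaviour on names
# containing a backslash may differ from wu-ftpd's own matcher.
ALLOWED='^[-A-Za-z0-9_\.]*$'
DISALLOWED='^\. ^-'

# path_filter_ok NAME -> exit 0 if NAME would pass the filter, 1 otherwise
path_filter_ok() {
    name=$1
    # The name must consist only of the allowed characters.
    printf '%s\n' "$name" | grep -E -q -- "$ALLOWED" || return 1
    # And it must not match any of the disallowed patterns
    # (here: no leading dot, so no .rhosts/.forward; no leading dash).
    for pat in $DISALLOWED; do
        if printf '%s\n' "$name" | grep -E -q -- "$pat"; then
            return 1
        fi
    done
    return 0
}

# show_verdict NAME: print accept/reject for a quick eyeball check
show_verdict() {
    if path_filter_ok "$1"; then
        printf 'accept  %s\n' "$1"
    else
        printf 'reject  %s\n' "$1"
    fi
}

# Constructed sample filenames a customer upload might carry.
for f in report.txt 2003-03-14_data.tgz .rhosts -rf "two words" 'a;b'; do
    show_verdict "$f"
done
```

Running it prints two accepts (report.txt, 2003-03-14_data.tgz) and four rejects; the dot-file and dash-prefixed names are rejected by the disallowed patterns, the space and the semicolon by the allowed character set.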