[NTLUG:Discuss] apache problem

David Camm bbai at onramp.net
Thu Jun 15 18:26:46 CDT 2000


pro-ftp isn't required. what you need to do is define users with:

1. shell as /bin/false (make sure to add this to /etc/shells)

2. home directory as /home/whatever/foo/user/./ - the /./ tells ftpd to
cd to the part before the . and then chroot to it, so the user cannot go
above it. 

in the /etc/passwd file

then, in the /etc/group file create a group called anonftp with these
uids in it.

edit the ftp control files in /etc to recognize this group as 'guest' ftp

you will also need to create lib, bin, and etc directories in your
users' directories - perhaps a dev directory as well if you're on redhat
4, and populate them with the correct symlinks.  (look at /home/ftp to
see what you need).

this is all documented in the man pages for ftpd.

we have this working for 50 clients, and it works like a champ!

once you get this set up, the permissions become simple - the user is
the owner of their content, and a chmod 644 allows everyone to read. you
can then start apache as root, and let it run as nobody.

Jay Urish wrote:
> 
> At 03:52 PM 6/15/00 , you wrote:
> >On Thu, 15 Jun 2000, Jay Urish wrote:
> >
> > > At 02:50 PM 6/15/00 , you wrote:
> > > >Jay,
> > > >
> > > >Can't you just specify permissions as rwx--x--x for /home/macdade
> > > >and then rwxr-xr-x for home/macdade/www and below?
> > >
> > > I could BUT then other users with ftp access could make it into the dir
> > > and rip off content etc..
> >
> >Generally, group access is used to permit certain users to share
> >files and directories while restricting others.  You could certainly
> >hack something up to work but it might be messy.
> >
> >I think I understand your problem to be that users need to upload
> >files to the webserver but while there they shouldn't see other
> >peoples files, or your password file etc.
> >
> 
> Right!
> 
> >I can't recommend allowing shell access on that machine for at least
> >two reasons - security (such as the problem you are addressing) and
> >system resources.  You really don't want someone solving prime numbers
> >on your webserver.  If you insist, give them a restricted shell.
> >Shell services are best offered on a separate box that you consider a
> >throw away and don't mind reloading regularly.
> 
> Heheh yea, I don't offer shell access, unless you count /bin/false as a
> shell ;)
> 
> >Instead, allow users only ftp access.  To fix your specific problem, I
> >recommend that you discard wu-ftp and use proftp instead.  It is
> >easily configured to restrict users from browsing around on your file
> >structure.  It does this without regard to file permissions.  You can
> >restrict each user to his own home directory just the same way you
> >restrict anonymous ftp users to the anonymous areas.
> 
> Hmm That is an awesome idea. I think I will look into it.
> 
> >And be sure and turn on disk quotas so one person doesn't fill
> >up your entire disk with a movie.
> >
> 
> And that too!
> 
> >Regards,
> >
> >Stephen Denny                                 mailto:sdenny at hex.net
> >Hex.Net Superhighway                             http://www.hex.net
> >
> >_______________________________________________
> >http://ntlug.org/mailman/listinfo/discuss
> 
> Jay Urish
> Network Engineer - Dallas Wide Area Networking L.L.C
> www.dalwan.net
> 
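As an added example, not code from David's post or from the list, here is a POSIX shell script that audits the guest-account layout he describes against constructed /etc/passwd, /etc/group and /etc/shells samples: every anonftp member must have /bin/false as its shell, /bin/false must be listed in /etc/shells (ftpd rejects logins with an unlisted shell), and the home directory must carry the /./ marker, because a guest account without it is logged in without a chroot and can browse the rest of the filesystem. The group name anonftp, the /home/web paths and the user names are assumptions. It also builds the passwd line for a new guest user. It does not populate the bin, lib and etc directories inside the jail; whatever goes there has to be a real copy, since a symlink resolved after the chroot cannot point outside it.

```shell
#!/bin/sh
# Added example: audit wu-ftpd style "guest" FTP accounts.
# Every member of the anonftp group should have /bin/false as its shell
# (with /bin/false listed in /etc/shells, or ftpd refuses the login) and a
# home directory containing the /./ marker that ftpd uses to split the
# chroot root from the directory it cd's into afterwards.
# All sample data below is constructed, not taken from a real system.

PASSWD_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
SHELLS_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$GROUP_SAMPLE" "$SHELLS_SAMPLE"' EXIT

cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:500:alice:/home/web/alice/./:/bin/false
bob:x:1002:500:bob:/home/web/bob:/bin/false
carol:x:1003:500:carol:/home/web/carol/./:/bin/bash
EOF
printf 'anonftp:x:500:alice,bob,carol\n' >"$GROUP_SAMPLE"
printf '/bin/sh\n/bin/bash\n/bin/false\n' >"$SHELLS_SAMPLE"

# Build the passwd line for a new guest user (user uid gid webroot): the jail
# is $webroot/$user and the /./ suffix makes ftpd chroot there and land the
# user at the root of that jail.
guest_passwd_entry() {
    printf '%s:x:%s:%s:%s:%s/%s/./:/bin/false\n' "$1" "$2" "$3" "$1" "$4" "$1"
}

# Print the chroot root of a guest home directory (everything before /./).
chroot_root() {
    printf '%s\n' "$1" | sed 's|/\./.*$||'
}

# Succeed only if the home directory carries the /./ marker.
has_chroot_marker() {
    case "$1" in
        */./*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print one line per finding; the exit status is the number of findings.
audit_guest_ftp() {
    passwd=$1 group=$2 shells=$3 problems=0
    if ! grep -qx /bin/false "$shells"; then
        echo "/bin/false is not listed in $shells; ftpd will refuse guest logins"
        problems=$((problems + 1))
    fi
    members=$(awk -F: '$1 == "anonftp" { print $4 }' "$group" | tr ',' ' ')
    for u in $members; do
        entry=$(awk -F: -v u="$u" '$1 == u' "$passwd")
        if [ -z "$entry" ]; then
            echo "$u: listed in anonftp but has no passwd entry"
            problems=$((problems + 1))
            continue
        fi
        home=$(printf '%s\n' "$entry" | cut -d: -f6)
        shell=$(printf '%s\n' "$entry" | cut -d: -f7)
        if [ "$shell" != /bin/false ]; then
            echo "$u: shell is $shell, expected /bin/false on a guest account"
            problems=$((problems + 1))
        fi
        if ! has_chroot_marker "$home"; then
            echo "$u: home $home has no /./ marker; ftpd will not chroot this user"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Stand-alone run against the constructed samples (bob and carol are flagged).
audit_guest_ftp "$PASSWD_SAMPLE" "$GROUP_SAMPLE" "$SHELLS_SAMPLE" || echo "findings: $?"
```

On a real box, point audit_guest_ftp at /etc/passwd, /etc/group and /etc/shells; a non-zero exit makes it usable from cron so a hand-edited account that lost its /./ suffix or got a real shell is noticed before a client does.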