Wednesday 14 March 2012

FTP only user

We get a number of requests for users to have FTP only access to servers so data can be moved about.

This is how we go about setting the accounts up:

1. Check the path the account needs access to - specifically the Group ownership.
2. Create account:

useradd -u <userid> -g <group> -d <homedir> -s <shell> -c "<account description>" -m <username>

userid - choose a free user number (check which user IDs are free by running cat /etc/passwd).
group - the group id that has access to the files.
homedir - path to the required FTP root (/mount_point/folder1/folder2)
shell - set to /bin/true
account description - some information about the account
username - friendly name for the user to type in

The following held true for our Solaris 9 servers:
If it is the first FTP account created on the machine then the following files will need to be added: /etc/shells and /bin/true.

NOTE: On our Solaris 10 servers the true file was in the /usr/bin path.

3. Edit the file /etc/ftpd/ftpaccess - look for the "# guestuser" line and add accordingly underneath, the format is "guestuser <tab> <userid>"

4. Run ftpconfig -d <ftp-root-path>
e.g. ftpconfig -d /mount_point/folder1/folder2
This will add extra system directories to the given path and prevent traversal.
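
To confirm that an account really ended up FTP-only after steps 2 and 3, the checks can be scripted. This is an added example, not part of the original post: it reads the passwd, shells and ftpaccess files (paths are arguments, so it can be run against copies) and reports anything that would leave the account with a usable login shell or outside the guestuser restriction. It assumes a POSIX shell and an awk that supports -v (nawk or /usr/xpg4/bin/awk on Solaris).

```sh
#!/bin/sh
# Added example (not from the original post): audit one FTP-only account.
# File arguments default to the paths used in the post.
# Usage: check_ftp_only USER [PASSWD] [SHELLS] [FTPACCESS]
check_ftp_only() {
    user=$1
    passwd=${2:-/etc/passwd}
    shells=${3:-/etc/shells}
    ftpaccess=${4:-/etc/ftpd/ftpaccess}
    rc=0

    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd" 2>/dev/null)
    if [ -z "$entry" ]; then
        echo "FAIL: no passwd entry for $user"
        return 1
    fi
    uid=$(echo "$entry" | cut -d: -f3)
    shell=$(echo "$entry" | cut -d: -f7)

    # Step 2: the uid must not be shared with another account.
    n=$(awk -F: -v id="$uid" '$3 == id { c++ } END { print c + 0 }' "$passwd")
    [ "$n" -eq 1 ] || { echo "FAIL: uid $uid is used by $n accounts"; rc=1; }

    # Step 2: the login shell must be true (/bin or /usr/bin, per the post).
    case $shell in
        /bin/true|/usr/bin/true) ;;
        *) echo "FAIL: shell is '$shell', interactive login may be possible"; rc=1 ;;
    esac

    # The shell must also appear as a line of its own in the shells file.
    awk -v s="$shell" '$0 == s { f = 1 } END { exit !f }' "$shells" 2>/dev/null ||
        { echo "FAIL: $shell is not listed in $shells"; rc=1; }

    # Step 3: an uncommented guestuser line must name the account.
    # Assumption: the field may hold the login name, the uid, or %uid.
    awk -v u="$user" -v id="$uid" '
        $1 == "guestuser" { for (i = 2; i <= NF; i++) { t = $i; sub(/^%/, "", t); if (t == u || t == id) f = 1 } }
        END { exit !f }' "$ftpaccess" 2>/dev/null ||
        { echo "FAIL: no guestuser line for $user in $ftpaccess"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $user is set up as an FTP-only guest"
    return $rc
}
```

The function returns 0 only when every check passes, so it can be looped over all accounts that are meant to be FTP-only.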
