Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
PrevChapter 32. Linux FTP ServerNext

32.2. Setup an FTP user account minus shells

It's important to give to your strictly FTP users no real shell account on the Linux system. In this manner, if for any reasons someone could successfully get out of the FTP chrooted environment, it would not have the possibility of executing any user tasks since it doesn't have a bash shell. First, create new users for this purpose;

These users will be the users allowed to connect to your FTP server.

This has to be separate from a regular user account with unlimited access because of how the chroot environment works. Chroot makes it appear from the user's perspective as if the level of the file system you've placed them in is the top level of the file system.

Use the following command to create users in the /etc/passwd file. This step must be done for each additional new user you allow to access your FTP server. 
        [root@deep ] /# mkdir /home/ftp
        [root@deep ] /# useradd -d /home/ftp/ftpadmin/ -s /dev/null ftpadmin > /dev/null 2>&1
        [root@deep ] /# passwd ftpadmin
      

        Changing password for user ftpadmin
        New UNIX password:
        Retype new UNIX password:
        passwd: all authentication tokens updated successfully

  • The mkdir command will create the ftp directory under the /home directory to handle all FTP users' home directories we'll have on the server.

  • The useradd command will add the new user named ftpadmin to our Linux server.

  • Finally, the passwd command will set the password for this user ftpadmin.

Once the home/ftp/ directory has been created you don't have to use this command again for additional FTP users.

  1. Edit the /etc/shells file, vi /etc/shells and add a non-existent shell name like null, for example. This fake shell will limit access on the system for FTP users. 
              [root@deep ] /# vi /etc/shells
        
    
          /bin/bash
          /bin/sh
          /bin/ash
          /bin/bsh
          /bin/tcsh
          /bin/csh
          /dev/null
    /dev/null, This is our added no-existent shell. With Red Hat Linux, a special device name /dev/null exists for purposes such as these.

  2. Now, edit your /etc/passwd file and add manually the /./ line to divide the /home/ftp directory with the /ftpadmin directory where the user ftpadmin should be automatically chdir'd to. This step must be done for each FTP user you add to your passwd file. 
              ftpadmin:x:502:502::/home/ftp/ftpadmin/:/dev/null
    To read: 
              ftpadmin:x:502:502::/home/ftp/./ftpadmin/:/dev/null
          ^^
    The account is ftpadmin, but you'll notice the path to the home directory is a bit odd. The first part /home/ftp/ indicates the filesystem that should be considered their new root directory. The dot . divides that from the directory they should be automatically chdir'd. change directory'd into, /ftpadmin/.

Once again, the /dev/null part disables their login as a regular user. With this modification, the user ftpadmin now has a fake shell instead of a real shell resulting in properly limited access on the system.

PrevHomeNext
chroot'd Guest FTP accessUpSetup a chroot user environment
  
 
  Published under the terms of the Open Publication License Design by Interspire