Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hi all,
Need your help again. Is it possible to create an ftp user without giving him a login shell? Because when I configure an ftp account without a shell he can't access the shared location. As soon as I change the shell to a valid shell then it works.
Thanks.
I have the same experience. I don't know the reason, which is why you're asking it.
If you want to prevent remote access by certain users, you can use ssh and disable telnet. With SSH, you can allow specific users access to the box.
If you want to prevent local access, I don't know a solution.
Quote:
Originally Posted by tanveer
Hi all,
Need your help again. Is it possible to create an ftp user without giving him a login shell? Because when I configure an ftp account without a shell he can't access the shared location. As soon as I change the shell to a valid shell then it works.
Thanks.
What do you really want to do with your ftp users? Do you want them to access only the box using ftp?
You might consider this setup.
1. Disable telnet
2. Enable ssh to specific users only and group only.
3. Jail ftp users to their home directory only.
Even if they have a login shell, they can only access the box via ftp.
Update:
I assume that your main concern is not allowing regular logins for ftp users with accounts (non-anonymous).
I configured vsftp on my laptop. I already had added a user "testuser". I changed the home directory entry to /srv/ftp/users. I created this directory with "a=rwxt" permissions.
Then I modified this account disabling it (the password entry starts with an exclamation point in /etc/shadow). FTP logins are not allowed then.
Next I enabled the account but changed the default shell entry to /bin/false. FTP logins are possible for "testuser". If testuser tries to log in, it will log out right away.
Thanks all for answering.
You are right jschiwal, why should I give an ftp user a login shell when his only concern is to download/upload files? I'm also using vsftpd and changed the directory of the ftp user to /usr/local/apache2/htdocs so that he can upload/download files for the web project. I also set up a chroot jail for the user.
Now when I create this user with a bogus shell, ftp doesn't work. Even if, after creating the user with a valid shell, I change the shell entry in /etc/passwd to a bogus one, then ftp doesn't work.
Should I give the directory permission a=rwxt and change the shell in /etc/passwd?
Set the ftp shell to /bin/passwd (or wherever your passwd binary is) and place that in /etc/shells.
That should allow them to telnet to the host to CHANGE the password if they need to, while preventing them from getting an interactive login shell. This will still allow ftp access, and you may need to disable root jailing or add the ftp user to the chroot user config.
I used /bin/false for the default shell, and tested it. It worked for me. Try using "sudo /usr/sbin/usermod -s /bin/false <username>" and run your test again. Make sure that the account is enabled: "sudo /usr/sbin/usermod -U <username>".
About the permissions, the users need to have write access to the partition. You could use group membership instead to control access. This could prevent a local regular user from accessing files on /usr/local/apache2/htdocs. This part is a regular permissions issue. You can also use ACLs to control access. The commands "setfacl" and "getfacl" can be used for this. The filesystem needs to be a native Linux type to allow this. The sticky bit prevents one user from deleting the files created by another user. Maybe that isn't what you want. It is how the /tmp directory is set up.
Two things that can cause a problem are your SELinux or AppArmor configuration. If you are using RHEL or FC that is something to check.
Also check /etc/hosts.deny and /etc/hosts.allow and see if vsftp is one of the controlled services. Since PAM is used for authentication, that could be involved as well; however, if regular authentication seems to work, I doubt that PAM or /etc/hosts.{allow,deny} would be the cause.
Quote:
Set the ftp shell to /bin/passwd (or wherever your passwd binary is) and place that in /etc/shells.
That should allow them to telnet to the host to CHANGE the password if they need to, while preventing them from getting an interactive login shell. This will still allow ftp access, and you may need to disable root jailing or add the ftp user to the chroot user config.
I hadn't thought about /bin/passwd. I haven't tested it but the "telnet" part is a terrible idea. Maybe you meant to say ssh. Make an association in your mind: telnet server <-> evil.
---
Update: I did change the default shell for "testuser" to /usr/bin/passwd and accessed my laptop via ssh. It worked. I was able to change the password. After the change, the user is logged off.
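The thread boils down to two account-level checks that decide whether a non-anonymous vsftpd login gets through before any permission or chroot question arises: the account must not be locked in /etc/shadow (the "!" prefix jschiwal mentions), and the login shell must be listed in /etc/shells, which is why a "bogus" shell breaks ftp while /bin/false or /usr/bin/passwd work once listed. The script below is an added example, not code from anyone in this thread, that reproduces those two checks against constructed copies of passwd, shadow and shells so it can be run offline. It assumes the common distribution PAM setup for vsftpd (an "auth required pam_shells.so" line in /etc/pam.d/vsftpd), which is what makes the /etc/shells listing matter; the user names webftp, bogus and locked, the shell /bin/nosuchshell and the hash values are all invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): replay the checks that gate a local
# vsftpd login on a stock PAM configuration.
# Assumption: /etc/pam.d/vsftpd contains "auth required pam_shells.so", so
# the account's shell must appear in /etc/shells; a shadow hash starting with
# "!" or "*" marks the account as locked. All sample data below is constructed.

# shell_listed SHELL SHELLS_FILE -> 0 if SHELL is listed exactly
# (comment and blank lines are ignored, as pam_shells does)
shell_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -qx "$1"
}

# account_locked HASH -> 0 if the shadow password field marks the account locked
account_locked() {
    case "$1" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# ftp_login_allowed USER PASSWD_FILE SHADOW_FILE SHELLS_FILE
# Prints the reason and returns 0 (login would pass) or 1 (login denied).
ftp_login_allowed() {
    user=$1; passwd=$2; shadow=$3; shells=$4
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
    if [ -z "$shell" ]; then
        echo "$user: no such account"; return 1
    fi
    if account_locked "$hash"; then
        echo "$user: account is locked in shadow (usermod -U would enable it)"; return 1
    fi
    if ! shell_listed "$shell" "$shells"; then
        echo "$user: shell $shell is not in $shells, pam_shells denies the login"; return 1
    fi
    echo "$user: login allowed, shell $shell is listed"
    return 0
}

# Constructed stand-ins for /etc/shells, /etc/passwd and /etc/shadow.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
/bin/false
/usr/sbin/nologin
EOF
cat > "$TMP/passwd" <<'EOF'
webftp:x:1001:1001:FTP only:/usr/local/apache2/htdocs:/bin/false
bogus:x:1002:1002:bad shell:/srv/ftp/users:/bin/nosuchshell
locked:x:1003:1003:locked:/srv/ftp/users:/bin/false
EOF
cat > "$TMP/shadow" <<'EOF'
webftp:$6$constructedhash:19000:0:99999:7:::
bogus:$6$constructedhash:19000:0:99999:7:::
locked:!$6$constructedhash:19000:0:99999:7:::
EOF

# Walk the three constructed accounts; only webftp should pass.
for u in webftp bogus locked; do
    ftp_login_allowed "$u" "$TMP/passwd" "$TMP/shadow" "$TMP/shells" || :
done
```

On a real host the same function can be pointed at the live files as root (`ftp_login_allowed USER /etc/passwd /etc/shadow /etc/shells`), and the remedies are the ones the thread gives: `usermod -s /bin/false USER` to take away the interactive shell, `usermod -U USER` if the account turns out to be locked, and an entry for that shell in /etc/shells so pam_shells accepts it. Directory permissions, the chroot setting and SELinux/AppArmor are separate checks that only matter once this login step passes.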