Create ftpusers Files (CIS)

wjs1990 · 01-04-2010, 08:32 PM

Hi all, while i am reading the CIS guide for RHEL, i came across this section, which is on "Create ftpusers Files".

The code:

if [ -f /etc/ftpaccess ]; then
for NAME in `cut -d: -f1 /etc/passwd`; do
if [ `id -u $NAME` -lt 500 ]; then
echo $NAME >> /etc/ftpusers
fi
done
chown root:root /etc/ftpusers
chmod 0600 /etc/ftpusers
echo "diff /etc/ftpusers-preCIS /etc/ftpusers"
diff /etc/ftpusers-preCIS /etc/ftpusers
VSFTP_CONF="/etc/vsftpd/vsftpd.conf"
ALT_CONF="/etc/vsftpd/vsftpd.conf"
test -f $ALT_CONF && VSFTP_CONF=$ALT_CONF
if [ -e $VSFTP_CONF ] && ! grep -q "^userlist_deny=NO" $VSFTP_CONF; then
/bin/cp -fp /etc/ftpusers /etc/vsftpd.ftpusers
chown root:root /etc/vsftpd/vsftpd.conf
chgrp 0600 /etc/vsftpd/vsftpd.conf
[ -e /etc/vsftpd.ftpusers-preCIS ] && echo "diff /etc/vsftpd.ftpusers-preCIS /etc/vsftpd.ftpusers"
[ -e /etc/vsftpd.ftpusers-preCIS ] && diff /etc/vsftpd.ftpusers-preCIS /etc/vsftpd.ftpusers
fi
else
echo "OK - No /etc/ftpaccess to tailor."
fi

But, i don't really know what the code is actually doing. Can anyone care to explain this to me? Thanks.

rweaver · 01-05-2010, 01:44 PM

Quote:

Originally Posted by wjs1990

But, i don't really know what the code is actually doing. Can anyone care to explain this to me? Thanks.

First, try to use [ code ] [ /code ] (sans spaces) tags around code, it makes it a lot easier to read.

The short answer is:

Tests to see if /etc/ftpaccess exists, if so it loops through the password file entries and tests each if its a system account (ie: under 500), if so it adds them to the ftpusers file. Modifies the owner and permissions, does a diff to screen, and verifies that userlist_deny isn't set and copies the ftpusers file to the vsftpd specific file and fixes owner and permissions on that it then shows the differences between the vsftpd specific files and and the precis versions.

eagleheart · 01-05-2010, 01:47 PM

Well, basically,

If there is no /etc/ftpaccess file, do nothing (the last else).
Otherwise, concatenate each system account (uid less than 500) name onto the list in /etc/ftpusers. That prevents any ftp access using those names . Then, tighten up the ownership and permissions on /etc/ftpusers. If you have very safe ftp (vsftp) installed, apply the same changes there. Send a diff report to the terminal of what account names got added .