Open a user for FTP Access

James Wyatt jwyatt at RWSystems.net
Thu Aug 5 07:43:29 PDT 2004


  On Thu, 5 Aug 2004, Spidey Knepscheld wrote:
> Hi Guys
> 
> This is another stupid question from me but I would like to know how do
> I give a guy access to his web directory for updates of his www. I know
> how to open users but not how to give that user access to ftp to his
> directory.
  	[ ... ]

Not a stupid question, but I'll bet we get a stupid answer somewhere... 
(semi-private joke - will answer or discuss by direct email if needed.)

From your description, you don't need many users. If you do, then you 
should look at either using the PAM support in FreeBSD to offload FTP 
users to an SQL or LDAP table or at FTP servers that support SQL or LDAP 
directly. The FreeBSD FTP server does this well. So do some others.

It sounds like you don't completely trust your web user either. (^_^)

An FTP server that supports "chrooting" lets your user see *just* their 
directory and "lower". They can't see anything "above" it to look for 
security holes or put files in places you don't want. The FreeBSD FTP 
server supports chrooting easily - you can either put the user in the 
/etc/ftpchroot file or put them in a group in that file.

I would also configure the web server not to run scripts in the user 
directories. Otherwise they can upload a script that gets around the 
security added with chroot. Apache does this well too.

fwiw: Your description also implies you have a low usage, so having ftpd 
start using inetd.conf is fine. If you have lots of FTP connects, you 
should run ftpd as a separate daemon.

You might look at "man ftpd" to see what options are available. You might 
add the h, ll, t flags to the inetd.conf entry. It will print less 
banner, log more user actions, add a 15 minute idle delay.

The FreeBSD folks have put a lot of work into the FTP server and it shows. 
I use others on other servers, but usually leave the FreeBSD FTP server 
intact. With PAM, chroot, and other features, it rocks! There is nothing I 
see in your requirements that drives you to build, install, configure, and 
support another FTP server and track an entire extra set of security 
advisories. You are already in very good hands.
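
A defender-side check of the two files the message mentions, as an added example that is not part of the original post: it reports whether a user would be chrooted according to a copy of /etc/ftpchroot and how many -l flags the active ftp line of inetd.conf carries. The function names, the LOGIN_DIR marker, and the sample user, group and paths are assumptions made for the example; the file format follows ftpchroot(5).

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# ftpchroot_match FILE USER [GROUP...]
# Prints the chroot directory of the first matching line, following ftpchroot(5):
# field 1 is a user, "@group", or a lone "@" (any user); field 2 is an optional
# directory (absent means the login directory). Returns 1 when nothing matches,
# meaning the FTP session would NOT be chrooted.
ftpchroot_match() {
    cf_file=$1; cf_user=$2; shift 2
    while read -r cf_name cf_dir cf_rest || [ -n "$cf_name" ]; do
        case $cf_name in ''|'#'*) continue ;; esac
        cf_hit=no
        if [ "$cf_name" = "$cf_user" ] || [ "$cf_name" = "@" ]; then cf_hit=yes; fi
        for cf_g in "$@"; do
            if [ "$cf_name" = "@$cf_g" ]; then cf_hit=yes; fi
        done
        if [ "$cf_hit" = yes ]; then
            printf '%s\n' "${cf_dir:-LOGIN_DIR}"
            return 0
        fi
    done < "$cf_file"
    return 1
}

# ftpd_args FILE: arguments of the first active (uncommented) ftp line in an
# inetd.conf-style file, one per line. Field 7 is argv[0], flags start at 8.
ftpd_args() {
    awk '$1 == "ftp" && $7 == "ftpd" { for (i = 8; i <= NF; i++) print $i; exit }' "$1"
}

# ftpd_log_level FILE: how many times -l is given (0, 1 or 2+). Assumes the
# flags are written separately ("-l -l") or as "-ll".
ftpd_log_level() {
    lv=0
    for a in $(ftpd_args "$1"); do
        case $a in -l) lv=$((lv + 1)) ;; -ll) lv=$((lv + 2)) ;; esac
    done
    echo "$lv"
}

# Demo on constructed copies of the two files.
d=$(mktemp -d)
printf '%s\n' '# constructed sample' 'webuser' '@webdev /usr/local/www/data' > "$d/ftpchroot"
printf '%s\n' 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -h -l -l -t 900' > "$d/inetd.conf"
ftpchroot_match "$d/ftpchroot" webuser || echo "webuser is NOT chrooted"
ftpchroot_match "$d/ftpchroot" guest staff || echo "guest is NOT chrooted"
echo "ftpd -l count: $(ftpd_log_level "$d/inetd.conf")"
rm -rf "$d"
```

A log level below 2 or a "NOT chrooted" result for a web-upload account is the finding to follow up on.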

