Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!rpi!ispd-newsserver!garden!weimer
From: weimer@garden.kodak.COM (Gary Weimer (588-0953))
Newsgroups: comp.unix.misc
Subject: Re: Restricted FTP
Message-ID: <1991Mar11.185514.2472@ssd.kodak.com>
Date: 11 Mar 91 18:55:14 GMT
References: <91065.181715GUTEST6@cc1.kuleuven.ac.be>
Sender: news@ssd.kodak.com
Reply-To: weimer@ssd.kodak.com
Organization: Eastman Kodak Co.; Rochester, NY
Lines: 30

In article <91065.181715GUTEST6@cc1.kuleuven.ac.be>, GUTEST6@cc1.kuleuven.ac.be (Kris Van Hees) writes:
|> We are installing a restricted user system, for local users who want to
|> download. Now, these users are placed in a restricted shell, to avoid
|> security problems. Although it isn't a problem, there might be a leak
|> through FTP (we just don't know). To decrease this chance we are looking
|> for a restricted version of FTP. Is such existing and where?

Assuming you mean you want a restricted FTP for users to ftp FROM your
machine:

Normal FTP can be a problem because users can use the ! to run anything in
Bourne shell (or the shell specified by the environment variable SHELL). IF
you have source, a quick fix would be to put a return at the top of the
function used to execute shell commands (printing an error message is
optional). lcd and other commands may also be a problem. Forcing users to
ftp TO your machine (limit access to ftp) could avoid all these problems.

Assuming you mean you want a restricted FTP for users to ftp TO your
machine:

You actually want a restricted ftpd (the ftp daemon). As mentioned by
someone else, you can use anonymous ftp for this. In my case, I wanted
anonymous ftp AND I wanted to restrict a specific user who I also required
a password from. To accomplish this, I set the guest flag to true after
getting the password for that account (this requires source code). This
causes the ftpd to perform the chroot for this account as well as anonymous
ftp.

weimer@ssd.kodak.com ( Gary Weimer )
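
Added example, not part of the original post and not taken from any ftpd source: a C sketch of the server-side change described above, where a password-authenticated account gets the same chroot as anonymous ftp. The names restricted_users, wants_chroot and confine_session and the sample account names are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1   /* exposes chroot() and initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Assumed site policy: password accounts that are jailed like anonymous. */
static const char *const restricted_users[] = { "dropbox", "vendor1", NULL };

/* Value for the guest flag: 1 for anonymous logins and listed accounts. */
int wants_chroot(const char *user, int anonymous)
{
    if (anonymous || user == NULL)
        return 1;                       /* unknown name: fail closed */
    for (size_t i = 0; restricted_users[i] != NULL; i++)
        if (strcmp(user, restricted_users[i]) == 0)
            return 1;
    return 0;
}

/* Call as root, only after the password check has succeeded. Order: load
 * groups while /etc/group is still reachable, chroot, chdir("/") so the
 * working directory is inside the new root, then drop gid and finally uid.
 * Returns 0 or -1; on -1 end the session, never continue unconfined. */
int confine_session(const struct passwd *pw, int guest)
{
    if (pw == NULL || pw->pw_name == NULL ||
        pw->pw_dir == NULL || pw->pw_dir[0] != '/')
        return -1;                      /* refuse a relative or missing home */
    if (initgroups(pw->pw_name, pw->pw_gid) < 0)
        return -1;
    if (guest) {
        if (chroot(pw->pw_dir) < 0 || chdir("/") < 0)
            return -1;
    } else if (chdir(pw->pw_dir) < 0) {
        return -1;
    }
    if (setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample logins; confine_session() itself needs root. */
    printf("ftp(anon)=%d dropbox=%d alice=%d\n", wants_chroot("ftp", 1),
           wants_chroot("dropbox", 0), wants_chroot("alice", 0));
    return 0;
}
```

A chroot only confines the session if the directory tree it points at is not writable by the confined account and contains no setuid binaries or device nodes.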