public inbox for speakup@linux-speakup.org
* ftp and shell access
From: Deedra Waters
  To: speakup

I know this can be done, but I'm wondering how to give users ftp access,
but not shell access, if someone can tell me how to do this I'd
appreciate it.




* Re: ftp and shell access
From: Adam Myrow
  To: speakup

The advice I've always heard on this is to set their shell to /bin/false.
I don't know how well this works, but I assume they'd get a login screen
and then immediately exit.  If anybody has a better approach, speak up!




* Re: ftp and shell access
From: Doug Lawlor
  To: speakup

On Sat, Apr 27, 2002 at 11:54:32PM -0400, Deedra Waters wrote:
> I know this can be done, but I'm wondering how to give users ftp access,
> but not shell access, if someone can tell me how to do this I'd
> appreciate it.
When you create an account for the user make sure that there is no shell
for that user in the /etc/passwd file.  

Doug

-- 
Doug Lawlor <dlawlor@roadrunner.nf.net>


* Re: ftp and shell access
From: Doug Lawlor
  To: speakup

Disregard my last message.  I tried this on my system and it isn't
working here at the moment.  

Doug


-- 
Doug Lawlor <dlawlor@roadrunner.nf.net>


* Re: ftp and shell access
From: Deedra Waters
  To: speakup

That worked. I was hoping for something that wouldn't let them log in at
all, but if this does the same thing then I won't complain. :p Thank you


On Sat, 27 Apr 2002, Adam Myrow wrote:

> The advice I've always heard on this is to set their shell to /bin/false.
> I don't know how well this works, but I assume they'd get a login screen
> and then immediately exit.  If anybody has a better approach, speak up!
> 
> 
> 
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
> 



* Re: ftp and shell access
From: Toby Fisher
  To: speakup

On Sun, 28 Apr 2002, Deedra Waters wrote:

> That worked. I  was hoping for something  that wouldn't let them log in at
> all, but if this does the same thing then I won't complain.:p Thank you

If you don't want anyone else to have shell access, you could always shut
down the telnet daemon.  If not, then maybe you can use hosts.deny and
hosts.allow if you know the ip addresses of those you want to either allow
or deny shell access.

HTH

-- 
Toby Fisher	Email: toby@g0ucu.freeserve.co.uk
Tel.: +44(0)1480 417272	Mobile: +44(0)7974 363239
ICQ: #61744808
   Please avoid sending me Word or PowerPoint attachments.
   See http://www.fsf.org/philosophy/no-word-attachments.html




* Re: ftp and shell access
From: Raul A. Gallegos
  To: speakup

This is almost correct.  Create a new login shell, for example /bin/false.  In
/bin/false put the commands:

#!/bin/bash
echo "no shell access available."
logout

Now add /bin/false to the list of possible shells in /etc/shells and when
you create the new account give it a shell of /bin/false.
Now they can access ftp only but not log into any shell.


----- Original Message -----
From: "Doug Lawlor" <dlawlor@roadrunner.nf.net>
To: <speakup@braille.uwo.ca>
Sent: Sunday, April 28, 2002 12:32 AM
Subject: Re: ftp and shell access


> Disregard my last message.  I tried this on my system and it isn't
> working here at the moment.
>
> Doug
>
>
> --
> Doug Lawlor <dlawlor@roadrunner.nf.net>
>



* Re: ftp and shell access
From: Kerry Hoath
  To: speakup

This is a particularly bad idea.
/bin/false is actually part of the GNU shell utilities
and does nothing, silently, and returns a non-zero exit code.
It is a utility called from shell scripts, so making a shell script called /bin/false
that generates output will cause various things to fail noisily
and unpredictably.

Regards, Kerry.
On Sun, Apr 28, 2002 at 04:03:31AM -0500, Raul A. Gallegos wrote:
> This is almost correct.  Create a new login shell for example /bin/false  in
> /bin/false put the commands:
> 
> #!/bin/bash
> echo "no shell access available."
> logout
> 
> Now add /bin/false to the list of possible shells in /etc/shells and when
> you create the new account give it a shell of /bin/false.
> NOw they can access ftp only but not log into any shell.
> 
> 
> ----- Original Message -----
> From: "Doug Lawlor" <dlawlor@roadrunner.nf.net>
> To: <speakup@braille.uwo.ca>
> Sent: Sunday, April 28, 2002 12:32 AM
> Subject: Re: ftp and shell access
> 
> 
> > Disregard my last message.  I tried this on my system and it isn't
> > working here at the moment.
> >
> > Doug
> >
> >
> > --
> > Doug Lawlor <dlawlor@roadrunner.nf.net>
> >

-- 
Kerry Hoath:  kerry@gotss.net kerry@gotss.eu.org or  kerry@gotss.spice.net.au
ICQ: 8226547 msn: kerry@gotss.net Yahoo: kerryhoath@yahoo.com.au
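
The approach discussed in this thread, as an added example that is not part of any poster's message: an audit that reads passwd-format data and an /etc/shells-format list and reports which accounts get a shell, which are FTP-only, and which are locked out of both. The program list (including the hypothetical, separately named /bin/ftponly script), the sample files, and the rule that the FTP daemon refuses shells missing from /etc/shells (as wu-ftpd does) are assumptions.

```sh
#!/bin/sh
# Added example: classify accounts by what their passwd shell field permits.
# Programs that end the session instead of giving a prompt (assumed list;
# /bin/ftponly is a hypothetical, separately named script, not /bin/false).
NOLOGIN_PROGRAMS="/bin/false /sbin/nologin /usr/sbin/nologin /bin/ftponly"

# classify_accounts PASSWD_FILE SHELLS_FILE -> "user<TAB>verdict" per account
classify_accounts() {
    awk -F: -v nologin="$NOLOGIN_PROGRAMS" '
        BEGIN { n = split(nologin, a, " "); for (i = 1; i <= n; i++) deny[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        FILENAME == ARGV[1] { listed[$0] = 1; next }   # the /etc/shells list
        {
            shell = $7
            # An empty field is not "no shell": passwd(5) defaults it to /bin/sh.
            if (shell == "") shell = "/bin/sh"
            # Assumption: the FTP daemon rejects shells missing from /etc/shells.
            if (!(shell in deny))      verdict = "shell-access"
            else if (shell in listed)  verdict = "ftp-only"
            else                       verdict = "no-shell-no-ftp"
            printf "%s\t%s\n", $1, verdict
        }
    ' "$2" "$1"
}

# Runs the audit over constructed sample data (not from any real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/false
carol:x:1003:1003::/home/carol:
dave:x:1004:1004::/home/dave:/bin/ftponly
EOF
    printf '%s\n' '# constructed shells list' /bin/sh /bin/bash /bin/ftponly \
        > "$dir/shells"
    classify_accounts "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

On a live system the same function can be pointed at /etc/passwd and /etc/shells; any account reported as shell-access that was meant to be FTP-only needs its shell field changed.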


* Re: ftp and shell access
From: Raul A. Gallegos
  To: speakup

HMM, You learn something new every day. I was not aware of that.  Thanks for
the tidbit.
----- Original Message -----
From: "Kerry Hoath" <kerry@gotss.net>
To: <speakup@braille.uwo.ca>
Sent: Sunday, April 28, 2002 4:22 AM
Subject: Re: ftp and shell access


> This is a particularly bad idea.
> /bin/false is actually part of the GNU shell utilities
> and does nothing, silently and returns a non-zero exit code.
> It is a utility called from shell scripts so making a shellscript called /bin/false
> that generates output will cause various things to fail noisily
> and unpredictably.
>



* Re: ftp and shell access
From: Janina Sajka
  To: speakup

"Something that doesn't let them log in?" Are you referring to anonymous ftp? You need to be careful with anonymous ftp
as there are many known attacks based on it. 

You need to run an ftp server, of course. Go to /usr/doc and look for what particular one your distribution installed.
With Red Hat systems this would be wu-ftpd, which includes an excellent HOWTO on setting up security for anonymous ftp
logins, as well as for securing "guest" access, meaning named users with their own passwords.

If you are talking about named users, you should read about hosts.allow and hosts.deny, which can define what services
users are provided.

If you're not thinking of anything that elaborate, just don't assign accounts. You don't need an account for anonymous
ftp access.

Of course, there's little reason these days to run a telnet server. If you're doing that, stop doing it. 

On Sun, 28 Apr 2002, Deedra Waters wrote:

> That worked. I  was hoping for something  that wouldn't let them log in at
> all, but if this does the same thing then I won't complain.:p Thank you
> 
> 
> On Sat, 27 Apr 2002, Adam Myrow wrote:
> 
> > The advice I've always heard on this is to set their shell to /bin/false.
> > I don't know how well this works, but I assume they'd get a login screen
> > and then immediately exit.  If anybody has a better approach, speak up!
> > 
> > 
> > 

-- 
	
				Janina Sajka, Director
				Technology Research and Development
				Governmental Relations Group
				American Foundation for the Blind (AFB)

Email: janina@afb.net		Phone: (202) 408-8175

Chair, Accessibility SIG
Open Electronic Book Forum (OEBF)
http://www.openebook.org



* Re: ftp and shell access
From: Ryan Mann
  To: speakup

You could change the user's shell to something like /bin/false and put
/bin/false in /etc/shells.  That way the user has an account, but they
can't log in and get a shell prompt.

On Sat, 27 Apr 2002, Deedra Waters wrote:

> I know this can be done, but I'm wondering how to give users ftp access,
> but not shell access, if someone can tell me how to do this I'd
> appreciate it.
> 
> 
> 



* Re: ftp and shell access
From: Deedra Waters
  To: speakup

I took your suggestion, and changed the file name, and put it in /bin, and
I got it to work.


On Sun, 28 Apr 2002, Raul A. Gallegos wrote:

> This is almost correct.  Create a new login shell for example /bin/false  in
> /bin/false put the commands:
> 
> #!/bin/bash
> echo "no shell access available."
> logout
> 
> Now add /bin/false to the list of possible shells in /etc/shells and when
> you create the new account give it a shell of /bin/false.
> NOw they can access ftp only but not log into any shell.
> 
> 
> ----- Original Message -----
> From: "Doug Lawlor" <dlawlor@roadrunner.nf.net>
> To: <speakup@braille.uwo.ca>
> Sent: Sunday, April 28, 2002 12:32 AM
> Subject: Re: ftp and shell access
> 
> 
> > Disregard my last message.  I tried this on my system and it isn't
> > working here at the moment.
> >
> > Doug
> >
> >
> > --
> > Doug Lawlor <dlawlor@roadrunner.nf.net>
> >



* Re: ftp and shell access
From: Igor Gueths
  To: speakup

Hi. I would say shut down the telnetd and make sure it doesn't start by
editing /etc/inetd.conf. That way nobody has telnet access at all. The
exception would be if the user has access to the physical machine. In
other words, a neighbor.

On Sun, 28 Apr 2002, Raul A. Gallegos wrote:

> HMM, You learn something new every day. I was not aware of that.  Thanks for
> the tidbit.
> ----- Original Message -----
> From: "Kerry Hoath" <kerry@gotss.net>
> To: <speakup@braille.uwo.ca>
> Sent: Sunday, April 28, 2002 4:22 AM
> Subject: Re: ftp and shell access
>
>
> > This is a particularly bad idea.
> > /bin/false is actually part of the GNU shell utilities
> > and does nothing, silently and returns a non-zero exit code.
> > It is a utility called from shell scripts so making a shellscript called /bin/false
> > that generates output will cause various things to fail noisily
> > and unpredictably.
> >
>
>


