Securing and Optimizing Linux: RedHat Edition -A Hands on Guide | ||
---|---|---|
Prev | Chapter 32. Linux FTP Server | Next |
It's important to give to your strictly FTP users no real shell account on the Linux system. In this manner, if for any reasons someone could successfully get out of the FTP chrooted environment, it would not have the possibility of executing any user tasks since it doesn't have a bash shell. First, create new users for this purpose;
These users will be the users allowed to connect to your FTP server. |
Use the following command to create users in the /etc/passwd file. This step must be done for each additional new user you allow to access your FTP server.
[root@deep ] /# mkdir /home/ftp [root@deep ] /# useradd -d /home/ftp/ftpadmin/ -s /dev/null ftpadmin > /dev/null 2>&1 [root@deep ] /# passwd ftpadmin |
Changing password for user ftpadmin New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully |
The mkdir command will create the ftp directory under the /home directory to handle all FTP users' home directories we'll have on the server.
The useradd command will add the new user named ftpadmin to our Linux server.
Finally, the passwd command will set the password for this user ftpadmin.
Edit the /etc/shells file, vi /etc/shells and add a non-existent shell name like null, for example. This fake shell will limit access on the system for FTP users.
[root@deep ] /# vi /etc/shells |
/bin/bash /bin/sh /bin/ash /bin/bsh /bin/tcsh /bin/csh /dev/null |
Now, edit your /etc/passwd file and add manually the /./ line to divide the /home/ftp directory with the /ftpadmin directory where the user ftpadmin should be automatically chdir'd to. This step must be done for each FTP user you add to your passwd file.
ftpadmin:x:502:502::/home/ftp/ftpadmin/:/dev/null |
ftpadmin:x:502:502::/home/ftp/./ftpadmin/:/dev/null ^^ |
Once again, the /dev/null part disables their login as a regular user. With this modification, the user ftpadmin now has a fake shell instead of a real shell resulting in properly limited access on the system.