It's important to give to your strictly FTP users no real shell account on the Linux system. In this manner, if for any reasons someone could successfully get out of the FTP chrooted environment, it would
not have the possibility of executing any user tasks since it doesn't have a bash shell. First, create new users for this purpose;
These users will be the users allowed to connect to your FTP server.
|
This has to be separate from a regular user account with unlimited access because of how the chroot environment works. Chroot makes it appear from the user's perspective as if the level of the file system you've placed them
in is the top level of the file system.
Use the following command to create users in the /etc/passwd file. This step must be done for each additional new user you allow to access your FTP server.
[root@deep ] /# mkdir /home/ftp
[root@deep ] /# useradd -d /home/ftp/ftpadmin/ -s /dev/null ftpadmin > /dev/null 2>&1
[root@deep ] /# passwd ftpadmin
Changing password for user ftpadmin
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
The mkdir command will create the
ftpdirectory under the/homedirectory to handle allFTPusers' home directories we'll have on the server.The useradd command will add the new user named
ftpadminto our Linux server.Finally, the passwd command will set the password for this user
ftpadmin.
Once the home/ftp/ directory has been created you don't have to use this command again for additional FTP users.
Edit the
/etc/shellsfile, vi/etc/shellsand add a non-existent shell name likenull, for example. This fake shell will limit access on the system forFTPusers.[root@deep ] /# vi /etc/shells/bin/bash /bin/sh /bin/ash /bin/bsh /bin/tcsh /bin/csh /dev/null/dev/null, This is our added no-existent shell. With Red Hat Linux, a special device name/dev/nullexists for purposes such as these.Now, edit your
/etc/passwdfile and add manually the/./line to divide the/home/ftpdirectory with the/ftpadmindirectory where the userftpadminshould be automatically chdir'd to. This step must be done for eachFTPuser you add to yourpasswdfile.ftpadmin:x:502:502::/home/ftp/ftpadmin/:/dev/nullTo read:
ftpadmin:x:502:502::/home/ftp/./ftpadmin/:/dev/null ^^The account is
ftpadmin, but you'll notice the path to the home directory is a bit odd. The first part/home/ftp/indicates the filesystem that should be considered their new root directory. The dot.divides that from the directory they should be automatically chdir'd. change directory'd into,/ftpadmin/.
Once again, the /dev/null part disables their login as a regular user. With this modification, the user ftpadmin now has a fake shell instead of a real shell resulting in properly limited access on the system.