http://www.itworld.com/nl/unix_sys_adm/07102002/pf_index.html
The FTP-Only Account
Until recently, I didn't think that, short of writing a new shell, providing a Unix account that permitted a user to ftp files back-and-forth while preventing any other actions was possible. The closest thing was anonymous ftp, where a user could transfer files using a username and password (though the username was "anonymous" and the password almost anything at all), but anonymous ftp doesn't provide a user with his own file space and this might easily be a requirement.
I was wrong. It is possible to create an FTP-only account and, further, the method by which this can be done is well within the realm of what I should have realized all along was possible. It combines two small pieces of Unix know-how or "tricks".
The first "trick" to setting up an account of this sort is to assign the user a shell that doesn't exist. That's right. There's no need to create a program or even touch a file. Simply insert the string of your choice into the shell field of the /etc/passwd file. This keeps the user from being able to log in to the system. If he tries to telnet in to the system, for example, he gets a "no shell" error like what is shown below. In fact, almost anything he might try to do, even running a remote shell command, will balk at the invalid shell. In this example, we've named our ftp-only user "ftponly" and set his shell to /bin/noop. Notice how he is denied access because the shell associated with his account doesn't exist.
------------------------------ cut here -------------------------------- # telnet dragonfly Trying 10.10.10.10... Connected to dragonfly.dragonflyditch.com. Escape character is '^]'.
SunOS 5.8
login: ftponly
Password: Last login: Sat Jun 29 23:38:08 from dragonfly.dragon No shell Connection closed by foreign host. ------------------------------ cut here --------------------------------
When the ftp-only user tries the ftp command, on the other hand, the system checks that his shell is in the /etc/shells file and checks nothing else. That's right. Since the ftp command does not require anything from the user's environment in order to transfer files in either direction, no further checking is done. Ftp sessions are, in fact, one of the few user connections that do not establish the user's working environment.
Let's watch the ftp-only user connect to the system with ftp.
------------------------------ cut here -------------------------------- $ ftp dragonfly Connected to dragonfly.dragonflyditch.com. 220 dragonfly FTP server (SunOS 5.
ready. Name (dragonfly:root): ftponly 331 Password required for ftponly. Password: 230 User ftponly logged in. ftp> ls 200 PORT command successful. 150 ASCII data connection for /bin/ls (10.10.10.10,32817) (0 bytes). sandrich.pdf 226 ASCII Transfer complete. 14 bytes received in 0.039 seconds (0.35 Kbytes/s) ftp> ------------------------------ cut here --------------------------------
Clearly the ftp session was successful. The user logged in and prepared to transfer a file. Nothing about the ftp session, in fact, appears out of the ordinary.
The /etc/passwd entry for our ftp-only user looks like this:
ftponly
:106:10:FTP Only:/export/home/ftponly:/bin/noop
The only unusual thing about this /etc/passwd line is the shell and just about anything could be used, though it probably needs to look like a Unix pathname to prevent any other command from concluding that the /etc/passwd file has an invalid format.
Knowing this trick, I might have worked my way out of those couple of instances where I or someone else introduced a typo into root's shell and could not login as root or use root privilege through any means until I had booted the system from a CD and corrected the problem - but only if I had typed a line which just happened to exist in the /etc/shells file or somehow left that file open to writes by some other user -- ehh, not likely, I guess.
| zza 回复于:2003-04-16 17:43:41 |
| 很好用的方法,赶快去试一下…… |
| hmkart 回复于:2003-04-17 08:08:55 |
| 没看懂,楼主可以少做翻译吗?
这到底是说 /etc/passwd中加用户存在安全问题, 还是可以直接编辑/etc/passwd文件来添加ftp用户呢? 谢谢! |
| race 回复于:2003-04-17 08:37:53 |
| 仔细看了就知道,其实就一行管用,编辑/etc/passwd文件加入:
ftponly :106:10:FTP Only:/export/home/ftponly:/bin/noop
我按着这个文章做了,该文没提到的部分做个补充。 还需要产生这个目录,mkdir -p /export/home/ftponly 执行 # pwconv 在/etc/sgadow里面产生了ftponly用户信息 # passwd ftponly 给其分配一个口令。 # vi /etc/shells 加入一行 /bin/snoop 然后再执行telnet和ftp就达到效果了。 这个文章是一个从事18年UNIX系统管理的一个女士写的文章,她的其他文章可以去这里查 http://www.itworld.com/nl/unix_sys_adm/ |
| 谷仓猫 回复于:2003-04-20 20:21:31 |
| # vi /etc/shells
加入一行 /bin/snoop 这样的shell等于空吧? 可FTP和TELNET一样都是需要SHELL的啊,还是SNOOP这个名字本身有说法? |
| 星爷 回复于:2003-04-22 16:29:09 |
| 不对啊,/etc没有shells这个文件啊,用ftp总是提示口令不对,不行啊
为什么? |
| diag 回复于:2003-04-22 16:58:29 |
| 能不能和 LINUX 样。 //bin/false |
| beginner-bj 回复于:2003-04-22 19:22:32 |
| 就一句话!
1.8 如何让一个用户只能ftp而无法telnet A: 小四 <cloudsky@263.net> 修改该用户在/etc/passwd中的shell为/bin/false,在/etc/shells文件中增加 /bin/false,此时,该用户只能ftp,telnet失败。 |
| woodie 回复于:2003-04-24 15:21:25 |
| rt |
| eagle_zxs 回复于:2003-07-09 21:15:09 |
| 我试了一下,可以达到这样的效果,呵呵!! |
| eagle_zxs 回复于:2003-07-09 21:20:35 |
| 提示ftp时login incorrect是由于你没有编辑shells这个文件,在shells里面加入你所想用的ftp登录的shells即可 |
延伸阅读
文章来源于领测软件测试网 https://www.ltesting.net/
