From chris on Fri, 29 Jan 1999
i was recently reading your article in the december issue of linuxgazzette regarding setting up users for FTP access only. [titled "FTP Login as 'root' --- Don't! -- Heather] i ran into this problem about a month ago and putting a * in front of the password entry in the /etc/passwd file fixed the problem. no telnet/login access, but ftp access. is there something i dont know that prevents this from being a simple solution?
"Starring out" the password field (the one between the second and third colons on that users line in /etc/passwd) should also prevent FTP access (unless your FTP daemon uses some other form of account management and authentication).
Locking out the "shell" field (the last one) by setting it to /bin/false (if /bin/false is actually a compiled binary --- NOT the traditional shell script) or to a simple compiled program that does a 'printf()' or 'write()' and an 'exit()') will prevent telnet access. However it might not prevent 'rsh' and it certainly won't limit the user "just" to FTP.
The clever user can post all sorts of .forward, .procmail and other files to his or her home directory (using FTP) and these "magic" files can be used to run arbitrary commands (generally under that user's ID) on behalf of the user. Thus I could post a .forward file that "forwarded" my mail through a program (using the piping feature that most installations of 'sendmail' are configured to support). My program can issue commands like 'chsh' (to change my shell to something that I can use).
There are many "magic" files. I can use FTP to create a .ssh directory and put in the .ssh/authorized_keys which will then let me 'ssh' into the system (if you're running an ssh daemon). Not only are there many of these --- but more of them are added as we create new protocols and services.
So, you really need to do more than just set their shell to '/usr/local/bin/noshell' or 'goaway' or '/bin/sync' That's why I suggest using a replacement to the standard old BSD FTP daemon. Go read the article again for that.