Limiting the directory tree for certain ftp users

REFERENCE: man ftpaccess

Note: for anoymous ftp users see this at Freebird.org

If you wish to limit the directory access for users other than "anonymous" You need to do three things

make their shell some phony shell - in the /etc/passwd file the last entry for a user's record is their shell. Usually this is /bin/bash or /bin/sh or /bin/tcsh, etc. If you want to prevent someone from having telnet access, an easy thing to do is to give them some shell that doesn't exist. /bin/ftponly is a name I use in this situation. Note, you can make a /bin/ftponly file that simply is a shell script that prints a message like "You do not have telnet access, only ftp access" and then exits.
IMPORTANT! If you do make up a phony shell, and you want to give the user who has this phony shell ftp access, you MUST list the phony shell in /etc/shells ( See the bottom of This page for my rantings about allowing ftp access for tcsh users on Solaris for more )
Put the user in a special group. I usually make a group called ftpguest. Make an entry in /etc/group that looks like this
```
	ftpguest::400:bob,tom,bill
     
```
The group # is almost irrelevant, just make sure no other group has that number. The users who are in this group are bob tom and bill.
In the /etc/passwd file you should make the primary group of those users be the ftpguest group. The group # is the second number in the user's passwd record. For example:
```
	    bob:x:502:400:Bob Smith:/home/bob/.:/bin/ftponly
	
```
The 502 is bob's userid and the 400 of course matches the group # specified above.
NOTE: the home directory is listed as "/home/bob/." It is relevant that this ends in /. - What it says is the home is /home/bob and that this should be treated as the root directory in the tree seen by bob when he logs in through ftp. User bob will not be able to do a "cd .." to get out of /home/bob. If he does a "cd .." or a "cd /" he will stay in /home/bob
Finally, your /etc/ftpaccess file should contain these lines ( note, this is the part I'm shaky on. These are the only relevant lines that I found in my ftpaccess file when I finally got this working )
```
	# path-filter...
	path-filter  anonymous  /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
	path-filter  guest      /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-

	# specify which group of users will be treated as "guests".
	guestgroup ftpguest

	
```
Return to Gene's Home Page
Return to Gene's Random Unix Crap