RS Wood wrote:
> I run a small engineering company* that exchanges large files (CAD,
> etc.) with clients, and I want to keep the docs off my email server by
> setting up a stand-alone FTP server where each client can upload and
> download its relevant files. As such, my own users/employees should be
> able to reach every client’s FTP space but each client should only be
> able to reach his own. As my users finish a doc, they place it in that
> client’s FTP directory and the client can log in and get it. As such,
> I don’t want any form of unauthenticated FTP.
>
> I’ve tried different combinations of group names and directory
> permissions without success, but chrooting users doesn’t seem to solve
> my problem either, and my two favorite BSD books – Tiemann et al.
> (Unleashed) and Lucas (Absolute) take the same approach the man pages
> do, in my opinion, which guides you either into an all anonymous system,
> or a system suitable for organizations such as software distributors in
> which clients/users authenticate but then all access the same directory
> (/pub for example). I could use some help conceptualizing this.
>
> Is the solution ftpchroot?
It works for us, for the users who still need FTP access:

# cp /sbin/nologin /sbin/ftp-only
# echo "/sbin/ftp-only" >> /etc/shells
# adduser
    homedir == /ftp/username
    shell == /sbin/ftp-only

I then:

# cd /ftp/username
# rm -r .*
# echo "username" >> /etc/ftpchroot

Now, you can create staff accounts in the same way, but set their home
directory as /ftp. They'll be able to traverse the entire FTP tree from
there. Just ensure that the /ftp directory structure is owned by a group
that your staff accounts are in, and that all of the subdirectories are
modded with appropriate permissions.

> If so, it’s not clear how I can chroot
> each potential client into his own directory, as my understanding is
> that all chrooted users wind up at the same place (like /var/ftp/pub).
> Or is the solution that each client gets access to his own home
> directory;

Yes, each to their own home dir.

> if so, how do I ensure my staff has access to each client’s
> home directory?

I'm assuming that your staff will be using FTP as well. Simply assign
their home directory to the root FTP directory.

> Lastly, I’ve also been reading up on PureFTP, which
> seems to have some advanced configuration potential (including LDAP
> authentication, something else that interests me) but it’s not clear
> that using an alternative product is indicated here.
> This seems like something other organizations must have dealt with, so I
> must be missing something fundamental. Can someone point me in the
> right direction?
>
> Finally, I’m aware FTP has inherent security liabilities as passwords
> cross the net in clear text, but I’m not convinced casual users on
> Windows boxes will be able to manage fun stuff like SSH connections or
> alternative software, like SCP.

Provide them a link to a client software that uses SFTP. I use WinSCP
(portable), which defaults to SFTP, and provides the server, username and
password fields as soon as it is launched.

Hope I didn't miss anything ;)

Steve
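One way to build and keep auditing the /ftp permission layout the reply leaves to the reader, as an added example that is not from the thread: a POSIX sh script that creates the tree (staff group owns it, each client directory is 2770) and reports any directory that has drifted. It assumes a staff group named ftpstaff (overridable via STAFF_GROUP) already exists with every staff account in it, and that client accounts are created as above; the names and paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): lay out and audit the /ftp tree the
# reply describes. Assumes the staff group (STAFF_GROUP) exists with every
# staff account in it, and client accounts already exist (adduser + ftpchroot).
set -eu
FTP_ROOT="${FTP_ROOT:-/ftp}"
STAFF_GROUP="${STAFF_GROUP:-ftpstaff}"

# Top of the tree (the staff home): staff may list and traverse it, nobody else.
init_ftp_root() {
    mkdir -p "$FTP_ROOT"
    chgrp "$STAFF_GROUP" "$FTP_ROOT"
    chmod 0750 "$FTP_ROOT"
}

# One client's space: owner = client account, group = staff group, 2770 with
# setgid so staff uploads stay in the staff group. The client is not in that
# group and reads staff uploads via the "other" bits; the directory already
# keeps outsiders out, so run ftpd with a 022 umask (ftpd(8)) or have staff chmod.
add_client_dir() {
    owner="${2:-$1}"
    dir="$FTP_ROOT/$1"
    mkdir -p "$dir"
    chown "$owner:$STAFF_GROUP" "$dir"
    chmod 2770 "$dir"
}

# Verify one client directory; prints each deviation and returns 1 if any.
check_client_dir() {
    dir="$FTP_ROOT/$1"
    perms=$(ls -ld "$dir" | awk '{print substr($1, 1, 10)}')
    group=$(ls -ld "$dir" | awk '{print $4}')
    rc=0
    [ "$perms" = "drwxrws---" ] || { echo "$dir: mode $perms, want drwxrws---"; rc=1; }
    [ "$group" = "$STAFF_GROUP" ] || { echo "$dir: group $group, want $STAFF_GROUP"; rc=1; }
    return $rc
}

# Walk every client directory; suitable as a periodic audit job.
audit_ftp_tree() {
    rc=0
    for d in "$FTP_ROOT"/*/; do
        [ -d "$d" ] || continue   # no client directories yet
        check_client_dir "$(basename "$d")" || rc=1
    done
    return $rc
}

# Usage: sh ftp-tree.sh init | add <client> [owner] | audit
case "${1:-}" in init) init_ftp_root ;; add) add_client_dir "$2" "${3:-$2}" ;; audit) audit_ftp_tree ;; esac
```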