Allowing Access to FTP Disk Only Via FTP

For bandwidth shaping reasons, I wanted to be able to allow access to my FTP disk (mounted at /var/ftp) only via FTP (hosted by ProFTPd). As it turns out, this is quite easy to do using a couple of UNIX permissions tricks and some ProFTPd voodoo. Read on for the basic description of how I’ve done it.

Note: Here we will assume that ProFTPd has been configured for SQL authentication.

Restricting Access Via Shell

The first thing that needs to be done is to restrict permissions on the FTP disk so that shell users aren’t allowed to read it. This requires some simple UNIX permissions knowledge, and I used the following to get the job done.

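# -R (capital) recurses; chown has no lowercase -r option
chown -R gongloo:ftp /var/ftp
# files: owner read/write, group read, nothing for others
find /var/ftp -type f -exec chmod 640 {} \;
# directories: owner full access, everyone else list and traverse
find /var/ftp -type d -exec chmod 755 {} \;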

That’ll set the permissions on all directories so that anyone can open and list them but only gongloo can write to them, and the permissions on all files so that only gongloo and members of the ftp group can read them and, again, only gongloo can write to them. This means that users who have both FTP access and shell access will be able to list the files on the FTP disk via shell, but will be unable to read them.

Now all that we have to do is make sure that the ftp UNIX group contains only members that should have access to the FTP disk via shell.
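
One way to confirm that the permissions pass above left the tree in the 640/755 layout (an added example, not part of the original post; the function names and the constructed sample tree standing in for /var/ftp are assumptions made for illustration):

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_ftp_tree DIR GROUP: print one line per entry that departs from the
# 640 (files) / 755 (directories) layout; print nothing if the tree is clean.
audit_ftp_tree() {
    dir=$1
    group=$2
    # Files: any r/w/x bit for "other" lets non-group shell users in.
    find "$dir" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's|^|file-open-to-others: |'
    # Directories: group- or world-writable means someone besides the owner
    # can add, rename or delete entries.
    find "$dir" -type d \( -perm -020 -o -perm -002 \) -print |
        sed 's|^|dir-writable: |'
    # Anything in a different group: 640 would grant read to the wrong group.
    find "$dir" ! -group "$group" -print |
        sed 's|^|wrong-group: |'
}

# Constructed sample tree (assumption: stands in for /var/ftp).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/pub" "$t/incoming"
    : > "$t/pub/ok.iso"
    : > "$t/pub/leaky.iso"
    chmod 755 "$t" "$t/pub"
    chmod 775 "$t/incoming"       # departs from 755
    chmod 640 "$t/pub/ok.iso"
    chmod 644 "$t/pub/leaky.iso"  # departs from 640
    printf '%s\n' "$t"
}

# Group name (or numeric gid) that currently owns PATH, taken from ls -ld.
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

tree=$(make_sample_tree)
audit_ftp_tree "$tree" "$(group_of "$tree")"
rm -rf "$tree"
```

On the real disk the call would be `audit_ftp_tree /var/ftp ftp`; an empty result means no file is open to users outside the group and no directory is writable by anyone but the owner.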

Allowing Access Via FTP

The second thing we need to get done is to allow access to the files via FTP for those users who should have it. This is fairly straightforward if we configure ProFTPd to assign GIDs directly from the SQL database that it uses as its authentication backend. We simply create an entry in the SQL table for ProFTPd groups matching the ftp entry in /etc/group. I used something like the following:

INSERT INTO groups (groupname, gid, members) VALUES
('ftp', '21', 'userid1, userid2, userid3, ..., useridn');

And that’s it! Users listed in the ftp group in the SQL database are now able to grab files off of the FTP disk. Huzzah!
