Книга: Fedora™ Unleashed, 2008 edition

Configure Access Control

Configure Access Control

Controlling which users can access the FTP server and how they can do so are critical parts of system security. Use the following entries in the ftpaccess file to specify to which group the user accessing the server is assigned.

This command imposes increased security on the anonymous user:

autogroup <groupname> <class> [<class>]

If the anonymous user is a member of a group, he is allowed access to only files and directories owned by him or his group. The group must be a valid group from /etc/groups or /var/ftp/etc/groups.

This command defines a class of users by the address to which the user is connected:

class <class> <typelist> <addrglob> [<addrglob>]

There might be multiple members for a class of users, and multiple classes might apply to individual members. When multiple classes apply to one user, the first class that applies is used.

The typelist field is a comma-separated list of the keywords anonymous, guest, and real. anonymous applies to the anonymous user, and guest applies to the guest access account, as specified in the guestgroup directive. real defines those users who have a valid entry in the /etc/passwd file.

The addrglob field is a regular expression that specifies addresses to which the class is to be applied. The (*) entry specifies all hosts.

Sometimes it is necessary to block entire hosts from accessing the server. This can be useful to protect the system from individual hosts or entire blocks of IP addresses, or to force the use of other servers. Use this command to do so:

deny <addrglob> <message_file>
deny always denies access to hosts that match a given address.

addrglob is a regular expression field that contains a list of addresses, either numeric or DNS names. This field can also be a file reference that contains a listing of addresses. If an address is a file reference, it must be an absolute file reference; that is, starting with a /. To ensure that IP addresses can be mapped to a valid domain name, use the !nameserver parameter.

A sample deny line resembles the following:

deny *.exodous.net /home/ftp/.message_exodous_deny

This entry denies access to the FTP server from all users who are coming from the exodous.net domain, and displays the message contained in the .message_exoduous_deny file in the /home/ftp directory.

The guestgroup line assigns a given group name or group names to behave exactly like the anonymous user. Here is the command:

guestgroup <groupname> [<groupname>]

This command confines the users to a specific directory structure in the same way anonymous users are confined to /var/ftp. This command also limits these users to access files for which their assigned group has permissions.

The groupname parameter can be the name of a group or that group's corresponding group ID (GID). If you use a GID as the groupname parameter, put a percentage symbol (%) in front of it. You can use this command to assign permissions to a range of group IDs, as in this example:

guestgroup %500-550

This entry restricts all users with the group IDs 500-550 to being treated as a guest group, rather than individual users. For guestgroup to work, you must set up the users' home directories with the correct permissions, exactly like the anonymous FTP user.

The guestuser line works exactly like the guestgroup command you just read about, except it specifies a user ID (UID) instead of a group ID. Here's the command:

guestuser <username> [<username>]

This command limits the guest user to files for which the user has privileges. Generally, a user has more privileges than a group, so this type of assignment can be less restrictive than the guestgroup line.

The limit command restricts the number of users in a class during given times. Here is the command, which contains fields for specifying a class, a number of users, a time range, and the name of a text file that contains an appropriate message:

limit <class> <n> <times> <message_file>

If the specified number of users from the listed class is exceeded during the given time period, the user sees the contents of the file given in the message_file parameter.

The times parameter is somewhat terse. Its format is a comma-delimited string in the form of days, hours. Valid day strings are Su, Mo, Tu, We, Th, Fr, Sa, and Any. The hours string is formatted in a 24-hour format. An example is as follows:

limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class

This line limits the anonymous class to 10 concurrent connections on Monday through Friday, and on Saturday from midnight to 11:00 p.m. For example, if the number of concurrent connections is exceeded at 11:00 p.m. on Saturday, the users will see the contents of the file /home/ftp/.message_limit_anon_class.

Syntax for finer control over limiting user connections can be found in the ftpaccess man page.

This line allows control over how many times a user can enter an invalid password before the FTP server terminates the session:

loginfails <number>

The default for loginfails is set to 5. This command prevents users without valid passwords from experimenting until they get it right.

Оглавление книги