Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Date: Wed, 23 Jul 2003 22:12:45 -0400 (EDT)
From: Igor Pechtchanski
Reply-To: cygwin AT cygwin DOT com
To: Tommie Porter
cc: cygwin AT cygwin DOT com
Subject: Re: SFTP only account

On Wed, 23 Jul 2003, Tommie Porter wrote:

> Sorry if this issue has been addressed before, but I can't find any
> instances of it in the archives.
>
> First off, I want to know if it's possible to have an SFTP only account.
> I know it's possible (FTP only) on OpenBSD.  If you set their shell to
> /bin/false, they can't log in remotely, but can still FTP in.  This isn't
> working for me using SFTP in CYGWIN.  If I set their shell to /bin/false,
> I get what I want when they try to SSH in, which is access denied, but
> they can't SFTP in either.  So I was wondering if there is a way around
> this, or if there isn't because SFTP is running as a sub-system of SSH.
> Either way, I was hoping somebody has an answer.
>
> Also, when this user SFTP's in, I have it set so that the SFTP user's
> home is my FTP directory.  Is there a way to prevent them from getting
> out of this directory (i.e. cd .. or cd /cygwin/c/winnt)?
>
> Regards,
> TP

I believe this has appeared on this list before (except it was for
cvs-only accounts), but I can't seem to find it now, so I'll repeat the
solution here:

Instead of setting the shell to /bin/false, set it to a script that checks
the parameters (e.g., which program is invoked), and quits with a non-zero
return code if the program is not "sftp", for example.
That same script can also do "chroot" to your FTP directory, so the user
can't get out of it.  Be sure to set all the relevant shell variables in
the script (e.g., PATH, IFS, etc).
	Igor
P.S. Well, after I went to the trouble of typing the above, I did find the
original thread: , included here for completeness' sake.
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton
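A sketch of the wrapper shell described in the reply above, as an added example that is not part of the original message or thread. It assumes sshd hands the subsystem command to the login shell as `-c <command>`, that the server binary is at `/usr/sbin/sftp-server`, and that the script is installed under the hypothetical name `sftponly`; the chroot step is left out.

```shell
#!/bin/sh
# Added example: a restricted login shell that permits only the SFTP subsystem.
# Assumption: SFTP_SERVER matches the "Subsystem sftp" path in sshd_config.
SFTP_SERVER=/usr/sbin/sftp-server

# sshd runs a requested command as:  <login shell> -c "<command>"
# Return 0 only when that command is exactly the sftp-server binary.
is_sftp_request() {
    [ "$#" -eq 2 ] || return 1      # interactive login (no -c) or extra args
    [ "$1" = "-c" ] || return 1
    [ "$2" = "$SFTP_SERVER" ]       # exact match: rejects "server; other-cmd"
}

main() {
    # Fixed environment, as the message advises (PATH, IFS, etc).
    PATH=/usr/bin:/bin
    IFS=$(printf ' \t\n_'); IFS=${IFS%_}
    export PATH
    unset ENV BASH_ENV CDPATH
    if is_sftp_request "$@"; then
        exec "$SFTP_SERVER"
    fi
    echo "This account is restricted to SFTP." >&2
    exit 1
}

# Run only when installed under the (hypothetical) name "sftponly".
case "${0##*/}" in
    sftponly) main "$@" ;;
esac
```

Install it under that name, make it executable, and set it as the account's shell in /etc/passwd.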