Get one of the fancy in.ftpds that let you maintain 'several' accounts
in the anonymous way (e.g. they treat a list of users in the same way
that anonymous accounts are treated, chroot to the 'home directory', no
changing to other users, etc.)

Set up an 'account' for each user. Put them all in different
directories. Make all the home directories owner write+search mode
300. Modify in.ftpd to create the files with a mask of 0400, and
disallow 'DELE' and 'rename'. You *probably* don't need bin/ls, and
thus dev/zero (suns), etc/passwd, or etc/group. I've not tried this, so
your mileage may vary. (If you chroot before execing in.ftpd (which
you don't need to do), you will need dev/zero on a Sun, unless in.ftpd
is statically linked.)

Now the remote users can't over-write the files, can't delete them,
can't search the directory, and can't see other users' files.

You're talking about writing too much code, and using overly-complex
programs. A vanilla ftpd will do, possibly aided and abetted by the
Run chroot from inetd.conf. Run a shell script from it that sets umask
to 077 and then execs ftpd.

Now -- in the chroot area, you have an /etc/passwd file that has one
account per user, with password. They'll each have a home directory,
mode 700 and owned by the user. Root never appears in that passwd
file, btw. Everyone will log in as themselves, and get only those
permissions. Nothing else should be readable/searchable by anyone
other than root, including the shell and passwd file in the chroot
area. Folks aren't quite isolated by chroot -- but it shouldn't
matter; the other protections should be quite strong. I trust Unix's
user/group/other mechanism a lot more than I trust fancy ftpd's.

You can eliminate that shell script by writing the program in C. It's
about 10 lines long...

If this idea doesn't strike you as secure enough, you can use the TCP
wrapper. If you know the set of possible source addresses for each
user, configure the wrapper to execute a chroot command to a per-user
area, set up as above, but with just one entry per passwd file. If
someone spoofs an IP address, they'll still need to authenticate via a
password. If a password is captured, the attacker still needs to spoof
an IP address. And everyone is protected from everyone else by chroot.
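
An added example, not part of the thread and not either poster's code: the umask-then-exec wrapper from the vanilla-ftpd reply, plus a check that a chroot area matches the layout that reply describes (no uid 0 entry in the area's passwd, each home owned by its user, nothing readable or searchable by group or other). The daemon path /usr/etc/in.ftpd and the function names run_ftpd and audit_ftp_area are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and names are assumptions.

# The wrapper the chroot command runs: files ftpd creates come out
# owner-only. FTPD defaults to an assumed in-area daemon path.
run_ftpd() {
    umask 077
    exec "${FTPD:-/usr/etc/in.ftpd}" "$@"
}

# Audit the chroot area ($1) against the layout described in the post.
# Prints one line per finding; returns non-zero if there is any.
audit_ftp_area() {
    area=$1 problems=0
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r name _pw uid _gid _gecos home _shell || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        if [ "$name" = root ] || [ "$uid" = 0 ]; then
            echo "passwd: uid 0 entry '$name' present"
            problems=$((problems + 1))
        fi
        dir=$area$home
        if [ ! -d "$dir" ]; then
            echo "$name: home '$home' missing"
            problems=$((problems + 1))
            continue
        fi
        # Numeric owner is field 3 of 'ls -ldn'.
        owner=$(ls -ldn "$dir" | awk '{print $3}')
        if [ "$owner" != "$uid" ]; then
            echo "$name: home '$home' not owned by uid $uid"
            problems=$((problems + 1))
        fi
        # Owner needs rwx; group/other bits are caught by the sweep below.
        if [ -z "$(find "$dir" -prune -perm -700)" ]; then
            echo "$name: home '$home' lacks owner rwx"
            problems=$((problems + 1))
        fi
    done < "$area/etc/passwd"
    # Nothing in the area may be readable or searchable by group or other.
    loose=$(find "$area" ! -type l \
        \( -perm -040 -o -perm -010 -o -perm -004 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "readable/searchable by group or other:"
        echo "$loose"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Run audit_ftp_area against the area as root after any change to accounts or directories; a clean area prints nothing and returns 0.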