https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271895#M178809 Hi,<BR /><BR />A query, if a user has ftp access only (no telnet access) , he can still ftp a .profile file of his own creation to his own directory and then get FULL privileges. That's true is it not ? Any ideas on how to address this security issue.<BR /><BR />Thanks &amp; Rgds<BR /><BR />Pat Mon, 10 May 2004 07:30:17 GMT patrick coutinho 2004-05-10T07:30:17Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271895#M178809 Hi,<BR /><BR />A query, if a user has ftp access only (no telnet access) , he can still ftp a .profile file of his own creation to his own directory and then get FULL privileges. That's true is it not ? Any ideas on how to address this security issue.<BR /><BR />Thanks &amp; Rgds<BR /><BR />Pat Mon, 10 May 2004 07:30:17 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271895#M178809 patrick coutinho 2004-05-10T07:30:17Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271896#M178810 hi,<BR /><BR />that is possible only if you allow him to ftp it to his/her home directory as well as more than read permission for the .profile file. <BR /><BR />however, since telnet is not available by causing an exit everytime the user try to telnet, i am unsure how he/she is able to get FULL prvileges.<BR /><BR />regards. Mon, 16 Sep 2024 09:19:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271896#M178810 Joseph Loo 2024-09-16T09:19:59Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271897#M178811 Privileges arn't controlled by .profile - no matter what they put in it, they can't change their shell from /etc/passwd....<BR /><BR /><BR />Rgds...Geoff Mon, 10 May 2004 08:03:03 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271897#M178811 Geoff Wild 2004-05-10T08:03:03Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271898#M178812 Even if there were something in the .profile, for example and environment variable or something that controlled access to some software somewhere, they still wouldn't be able to overwrite their own .profile IF you remove write access from it.<BR /> <BR />A user does not need write access to their .profile Mon, 10 May 2004 08:05:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271898#M178812 Mark Grant 2004-05-10T08:05:14Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271899#M178813 Depends how you're denying telnet access. If you're doing it correctly and have their shell set to /usr/bin/false, then them overwriting their .profile is irrelevant as Geoff alluded.<BR /><BR />However, the comments about making sure .profile is read only or not owned by the user to disallow overwriting it anyway isn't quite accurate, I think. Wouldn't this be the same as users being able to overwrite their .profile in a telnet session? This is controlled by the home directory permissions, not the .profile permissions, right? Unless you want to block people from uploading files to their home directories on the server entirely by doing that, I don't think you can protect the .profile that way. Mon, 10 May 2004 11:08:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271899#M178813 Jeff_Traigle 2004-05-10T11:08:05Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271900#M178814 If a user only needs ftp access, then set their shell to "/usr/bin/false" in /etc/passwd.<BR /> <BR />ftp will still work, but they won't be able to login via telnet.<BR /> <BR />HTH<BR /> <BR />-- Rod Hills Mon, 10 May 2004 11:14:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271900#M178814 Rodney Hills 2004-05-10T11:14:23Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271901#M178815 Thanks everyone for those thoughts. Very valuable to me. This forum is really super. <BR /><BR />Rgds<BR /><BR />Pat Tue, 11 May 2004 00:31:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271901#M178815 patrick coutinho 2004-05-11T00:31:23Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271902#M178816 If possible in your evnrironment, I would suggest turning off ftp and telnet and implementing scp/ssh :). This way unencrypted passwords are not going accross your network. Just my two cents. Also does not hurt to define the ftpaccess file when using ftp. Tue, 11 May 2004 01:02:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271902#M178816 generic_1 2004-05-11T01:02:10Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271903#M178817 Thanks Jeff Tue, 11 May 2004 01:38:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271903#M178817 patrick coutinho 2004-05-11T01:38:32Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271904#M178818 hi patrick,<BR /><BR />any reason why jeff gets the points and we get none???<BR /><BR />regards. Tue, 11 May 2004 02:30:40 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271904#M178818 Joseph Loo 2004-05-11T02:30:40Z https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271905#M178819 I am sorry guys. did not mean to offend anyone. I thought i had already assigned points to everyone before the last reply. My mistake. must be something with browser. My apologies. Points assigned.<BR /><BR />Many thanks once again to everyone. <BR /><BR />Rgds<BR /><BR />Pat Tue, 11 May 2004 02:48:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/ftp-access-only/m-p/3271905#M178819 patrick coutinho 2004-05-11T02:48:53Z