topic Re: Restricted Ftp in Operating System - HP-UX

Restricted Ftp

Roger Baptiste — Fri, 06 Aug 2004 17:02:19 GMT

Hi,

On a Hpux 11.00 server, i need to setup a restricted ftp user account i.e a ftp account which cannot traverse above it's home directory (similar to anonymous ftp account).

Do i need to enable ftpaccess for this purpose? the server is currently running ftpd without -a option in the inetd.conf file and there is no /etc/ftpd/ftpaccess file.

I tried setting up the restricted ftp account through the normal procedure used in 10.20. (i.e create ftp id, change the home directory in this format /home/xx/./ ; create etc, usr/bin structure in the homedir and copy ls , passwd ,group files ). But, whenever i ftp with the login , it allows me to navigate above the home directory.

Is enabling ftpaccess compulsory for using restricted ftp account? Anonymous ftp is working fine without ftpaccess.

TIA
RB

Re: Restricted Ftp

Dave Olker — Fri, 06 Aug 2004 17:25:50 GMT

Hi Roger,

One way you can do this, and much more, is by downloading the WU-FTPD product from HP Software Depot:

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=WUFTPD26

This version runs on both 11.0 and 11i and it allows you to configure ftp access with much more control and granularity than the regular ftp version that ships with HP-UX 11.0.

The release notes for this version come with the product, but are also available on http://docs.hp.com:

http://www.docs.hp.com/hpux/onlinedocs/5990-8588/5990-8588.html

The document covers the feature you're looking for - restricting users to specific directories.

Hope this helps,

Dave

Re: Restricted Ftp

Sundar_7 — Fri, 06 Aug 2004 18:12:43 GMT

Hi RB,

Yes I do beleive you need to create ftpaccess file to chroot a ftp user.

# cp /usr/newconfig/etc/ftpd/ftpaccess /etc/ftpd/

# vi /etc/inetd.conf
add -a and -l option to ftpd

# inetd -c

Create the user

# vi /etc/ftpd/ftpaccess
guestgroup

Re: Restricted Ftp

Muthukumar_5 — Sat, 07 Aug 2004 00:58:03 GMT

To make your anonymouse ftp as a restricted one in directory and usage then change configuration of ftpd on inetd first as,

--- /etc/inetd.conf --

ftpd -a -l -r

-a will read informations from /etc/ftpd/ftpaccess file. You can get it over /usr/newconfig/etc/ftpd/examples/ftpaccess file

-l logging into syslog

-r it will make changing root directory to the specified one after login into ftp

If you don't want to configure ftpaccess file you can control it using -r option of ftpd as,

-r rootdir Instructs the daemon to chroot (see chroot(2)) to
the specified rootdir immediately upon loading.
This can improve system security by limiting the
files which may be damaged should a break-in occur
through the daemon. This option is like anonymous
FTP. For this option to work properly additional
files may be needed under the specified rootdir,
which can vary from system to system.

-muthu.

Re: Restricted Ftp

Roger Baptiste — Mon, 09 Aug 2004 09:29:22 GMT

Thanks for the responders. So, can i conclude from the responses that, for using restricted ftp account(with chroot), "ftpaccess" is indeed required to be configured and enabled(thru inetd.conf -a option). This is on a 11.00 server which is currently running as ftpd -l (not enabled ftpaccess).