topic Re: FTP Services & Restriction in Operating System - HP-UX

FTP Services & Restriction

Amit Dixit_2 — Wed, 18 Aug 2004 11:09:26 GMT

Hi,
I have configured a user account on my server
running HP-UX 11.23

I want to use this account as ftp account
and the users who login to this account
cannot telnet and if they login through ftp
cannot change directory.

Thanks,
Amit

Re: FTP Services & Restriction

Rick Garland — Wed, 18 Aug 2004 11:20:33 GMT

Sounds like you want something that functions as "chroot" Using this utility you can setup a "jail" so the ftp user cannot go directories above - in fact, to the ftp user this would look like the / directory, so there is no where to go but down. (The ftp user can descend into directories that have been created.)

To prevent the telnet, change the shell type in the passwd file.

Look up chroot. Sounds like what you want.

Re: FTP Services & Restriction

Sundar_7 — Wed, 18 Aug 2004 11:21:30 GMT

1) vi /etc/inetd.conf
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a
#

add -a option to the ftpd

# inetd -c

Force inetd to reread the configuration

2) groupadd -g ftpgroup

Add a group called ftpgroup

3) useradd -g ftpgroup -m -s /usr/bin/false ftpuser

Create a user called ftpuser with /usr/bin/false as the shell

# passwd ftpuser

4) vi /etc/shells
/usr/bin/false

add the shell to /etc/shells

5) # vi /etc/ftpd/ftpaccess
guestgroup ftpgroup
#

Edit ftpaccess and define the guestgroup as ftp

6) # cd ~ftpuser
# mkdir -p etc usr/bin
# cp -p /etc/group etc/
# cp -p /etc/passwd etc/
# cp /sbin/ls usr/bin

Try telnet and ftp now as ftpuser.

Re: FTP Services & Restriction

Rgomes — Wed, 18 Aug 2004 11:23:37 GMT

Solution:

Use this procedure to configure the new ftpd:

Note: A user will not have the ability to travel anywhere outside
of his home directory on the system. Setting up a bogus
shell with exit 0 as the contents will cause the connection
of a user to be immediately terminated if the user attempts
to telnet into the system.

1. Configure the ftpaccess file:

a. cd /etc/ftpd
b. cp -p /usr/newconfig/etc/ftpd/ftpaccess .
c. vi ftpaccess. At the bottom of the file there is a guestgroup
directive 'guestgroup ftponly'.
i. Either change that group designation to one you already
have or keep that designation.
ii. If you are keeping the ftponly group, then create that
group on your system.

2. Modify the /etc/inetd.conf file to enable the use of the ftpaccess
file:

a. vi /etc/inetd.conf
b. Add the -a flag to the ftp daemon.
c. ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l

4. Make inetd re-read its configuration:

inetd -c

5. Create a bogus shell for users that will only have FTP access to
the system:

a. vi /usr/bin/ftpshell
b. exit 0
c. chmod 555 /usr/bin/ftpshell
d. chown bin:bin /usr/bin/ftpshell

6. Create an /etc/shells file:

a. vi /etc/shells
b. Include these lines in the file:
/sbin/sh
/usr/bin/ksh
/usr/bin/sh
/usr/bin/csh
/usr/bin/rsh
/usr/bin/rksh
/usr/bin/keysh
/bin/sh
/bin/ksh
/bin/csh
/bin/rsh
/bin/rksh
/usr/bin/ftpshell

7. Now add a user to the system. Use a group that is 'ftponly' and
make the user's shell /usr/bin/ftpshell.
8. Use SAM to limit the user to his home directory by setting up the
directory in this form:
/home/username/./

Note: The /./ is the important key here. When the ftpd verifies a
user's login, it checks and sees that the user is a member of
the 'guestgroup' ftponly. It then examines the home directory
and, if it sees a /./ in the path, it will then perform a chroot
to that directory. Therefore, when that user FTPs into the
system, their home directory will appear as the / directory.

9. Provide the user with an ls command:

a. cd /home/username
b. mkdir usr
c. mkdir usr/bin
d. cp -p /sbin/ls usr/bin
e. chown -R bin:bin usr
f. chmod -R 555 usr

ref: Document id# BC0814KBRC00007719

regards,
Richard

Re: FTP Services & Restriction

Sundar_7 — Wed, 18 Aug 2004 11:25:30 GMT

Once you create the directories etc usr/bin under the user's home directory, you also need to change the permissions such that the user is able to navigate/have read-only access to passwd,group and ls files.

Re: FTP Services & Restriction

Jeff_Traigle — Wed, 18 Aug 2004 11:28:29 GMT

From your description of having multiple users login to a single ftp-only account, it actually sounds like the built-in anonymous ftp facility in ftpd would suffice. Make the user account name ftp... if they should be able to write files to the server set the write bit on the home directory defined (not generally a good idea, but kept to a non-critical file system can work... only serious problem then is users potentially overwriting/deleting each other's files). You can keep the account disabled/locked to disallow telnet access. Users login the ftp session as user ftp or anonymous and they are unable to cd anywhere else on the system. Check out the ftpd man page for setting it up.

Re: FTP Services & Restriction

Jeff_Traigle — Wed, 18 Aug 2004 11:31:22 GMT

And I should mention... the anonymous ftp route doesn't provide an audit trail of who was connecting to the system... of course, if you have one accoutn with all of the fancy configurations the others have mentioned that multiple people share, you're not getting any useful authentication information anyway. Just something to consider in your implementation whichever way you go.

Re: FTP Services & Restriction

Amit Dixit_2 — Thu, 19 Aug 2004 00:36:30 GMT

Hi Sundar,
I have configured ftp using your method
and now I am not able to connect
to server using ftp.

None of the account is working ??

what should I do ?

Thanks,
Amit

Re: FTP Services & Restriction

Ermin Borovac — Thu, 19 Aug 2004 02:10:32 GMT

Do you have the following line in /etc/ftpd/ftpaccess?

class remote real,guest,anonymous *

Without a valid class all access to ftp server will be denied.

real -> for users having real accounts
guest -> for guest users defined with guestgroup
anonymous -> for anonymous access

Re: FTP Services & Restriction

Rgomes — Thu, 19 Aug 2004 04:27:44 GMT

Also check /var/adm/inetd.sec file.
Permit ftp by IP addresses.

It should look like this:
------
ftp permit 192.168.3.2 192.168.3.110
------
regards,
Richard