Securing ftp access

Tim O'Connell — Thu, 07 Oct 2004 11:38:33 GMT

I have just set up a restricted ftp user in the following way (after browsing the forum)

created user with /usr/bin/false as shell & home directory /homedir/./.

created /etc/shells & added all possible entries including /usr/bin/false

created /etc/ftpd/ftpaccess with an entry newuser ftponly at the bottom of file

edit /etc/inetd.conf & added -a flag to ftp daemon. run inetd -c

My Question.

User is restricted to ftp which is OK. Cannot telnet or login. When I ftp as this user I can cd / at the ftp prompt which lets me go to the root dir of the server. I expected to be only left go to the ftpuser's home dir which is what I want to do. Have I missed something or have I a problem with chroot?

Hope someone can help,

Tim

I can ftp send from another server as this user &

Re: Securing ftp access

Victor BERRIDGE — Thu, 07 Oct 2004 11:50:54 GMT

Hi Tim,
Thought about using chroot (1M)?
http://www5.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&admit=552267591+1097167757084+28353475&docId=200000063210548

All the best
Victor

Re: Securing ftp access

Sundar_7 — Thu, 07 Oct 2004 12:17:27 GMT

I think you have the wrong entry in /etc/ftpd/ftpaccess file.

# vi /etc/ftpd/ftpaccess
guestgroup
#

If user you created belongs to group ftpgroup then add the following entry to ftpaccess file

guestgroup ftpgroup

Re: Securing ftp access

Mike Patterson — Thu, 07 Oct 2004 19:39:33 GMT

Here are my old notes on this. I believe that this method may be deprecated, but it works. It restricts a real login to just allow the user to ftp (not telnet) to an HP server. The user is then restricted to a specific directory. (This is very similar to setting up anonymous ftp - see the man on ftpd for complete instructions).

1. Create a bogus shell like /usr/bin/ftponly - just put a message in there in case he tries to login on server: Create a group, like "ftpgroup" and put him in it.

Example bogus shell:

#!/bin/sh
/usr/bin/cat << XX
***********************************************************************************************
* ACCESS DENIED: You may use FTP, but you may not login with this account! *
***********************************************************************************************
XX
/usr/bin/sleep 5

2. Edit (or create) /etc/shells that looks like this (make sure that it includes your bogus shell) :

/usr/bin/sh
/sbin/sh
/usr/bin/ksh
/usr/bin/csh
/usr/bin/ftponly

3. For true "restricted" ftp accounts, Edit user in /etc/passwd with vipw:

(These accounts will not have a regular shell, so they cannot telnet.)

Change the home directory entry to put the "root" level that you want this user to be able see on one side of a period (.)
The other side of the period is where he intially lands (relative to the new "root") in when he ftps to the server.

Example:

ftpuser:jo/469sTHoYRQ:105:101:ftp account,,,:/opt/apache/ftpdir/./:/usr/bin/ftponly

Do NOT forget the trailing "/" just before the separating "." between the directories above.

4. For "restricted" ftp accounts, you also need to create or edit /ftpd/ftpaccess
(See ftpaccess manpage for mind-boggling details.)

Example /etc/ftpd/ftpaccess:

class all real,guest *
guestgroup www ftpgroup
upload * * yes * * 0775 dirs

My understanding of the above:

# defines a "class" of all, real, and anything starting with guest*

# defines 2 "guestgroup" "groupnames," called "www" and "ftpgroup" --- if an ftp user is a REAL /etc/passwd account AND the user belongs to one of these groups, then their ftp session is treated just like anonymous ftp. If a user is in one of these groups they cannot cd to anything outside of their home directory, cannot change user, or password, etc.

# allow "upload" access to any directory, ownership group will be those of the ftp user, directories may be created

When you setup a user like this, the user acts just like an anonymous ftp account. So, ftpd does a chroot to the selected directory. However, no files, libraries, etc that are outside this restricted piece of the file system are available anymore to this user. So commands like ls won't work anymore. To just get ls working, you need to create a local usr/bin under the new "root" directory. Change the permissions on these dirs to 555 - owned by root. Then copy /sbin/ls into the new usr/bin and chown to root and chmod 111 on the ls executable.

5. Put ANY (restricted or not) logins that you do NOT want to ftp in /etc/ftpd/ftpusers.

Hint: use the following command to create the file (NO ONE on this list will be able to ftp):

cat /etc/passwd | awk -F: '{print $1}' > /etc/ftpd/ftpusers

Then remove those users that you DO want to ftp from ftpusers.

6, Setup the ftpd entry in inetd.conf like this:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a

(note: ftpaccess file must exist!)

(The ftpd -a tells the daemon to access the /etc/ftpd/ftpaccess configuration file.)

7. Restart inetd like this inetd -c (works on hp-ux).

Re: Securing ftp access

Tim O'Connell — Fri, 08 Oct 2004 03:23:37 GMT

Thanks, Sundar

You hit the nail on the head. I had put newgroup ftponly at the bottom of the ftpaccess file rather than guestgroup newgroup.

Thanks for the notes, Mike. I will go thru' them & see what I missed.

Points awarded,

Thanks for all replies

Tim

topic Re: Securing ftp access in Operating System - HP-UX

Securing ftp access

Re: Securing ftp access

Re: Securing ftp access

Re: Securing ftp access

Re: Securing ftp access