https://community.hpe.com/t5/operating-system-hp-ux/restricted-ftp/m-p/3540848#M223203 I am trying to setup restricted ftp on my server. I am running into the problem that the chroot isn't being done. I have the passwd file modified to have /home/wss/./ as the home directory but when I ftp in as this user and do a pwd I see the full path and I can go down a level using cd. Is there something else that needs to be setup for this to work? Mon, 09 May 2005 18:25:56 GMT Angela Swyers_1 2005-05-09T18:25:56Z https://community.hpe.com/t5/operating-system-hp-ux/restricted-ftp/m-p/3540848#M223203 I am trying to setup restricted ftp on my server. I am running into the problem that the chroot isn't being done. I have the passwd file modified to have /home/wss/./ as the home directory but when I ftp in as this user and do a pwd I see the full path and I can go down a level using cd. Is there something else that needs to be setup for this to work? Mon, 09 May 2005 18:25:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricted-ftp/m-p/3540848#M223203 Angela Swyers_1 2005-05-09T18:25:56Z https://community.hpe.com/t5/operating-system-hp-ux/restricted-ftp/m-p/3540849#M223204 hi,<BR /><BR />go through these steps to see what is missing:<BR /><BR />1. Configure the ftpaccess file:<BR /><BR /> a. cd /etc/ftpd<BR /><BR /> b. cp -p /usr/newconfig/etc/ftpd/ftpaccess<BR /><BR /> c. vi ftpaccess. At the bottom of the file there is a guestgroup<BR /> directive 'guestgroup ftponly'.<BR /><BR /> i. Either change that group designation to one you already<BR /> have or keep that designation.<BR /><BR /> ii. If you are keeping the ftponly group, then create that<BR /> group on your system.<BR /><BR /><BR />2. Modify the /etc/inetd.conf file to enable the use of the ftpaccess<BR /> file:<BR /><BR /> a. vi /etc/inetd.conf<BR /><BR /> b. Add the -a flag to the ftp daemon.<BR /><BR /> c. ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l<BR /><BR />4. Make inetd re-read its configuration:<BR /><BR /> inetd -c<BR /><BR />5. Create a bogus shell for users that will only have FTP access to<BR /> the system:<BR /><BR /> a. vi /usr/bin/ftpshell<BR /><BR /> b. exit 0<BR /><BR /> c. chmod 555 /usr/bin/ftpshell<BR /><BR /> d. chown bin:bin /usr/bin/ftpshell<BR /><BR />6. Create an /etc/shells file:<BR /><BR /> a. vi /etc/shells<BR /><BR /> b. Include these lines in the file:<BR /><BR /> /sbin/sh<BR /> /usr/bin/ksh<BR /> /usr/bin/sh<BR /> /usr/bin/csh<BR /> /usr/bin/rsh<BR /> /usr/bin/rksh<BR /> /usr/bin/keysh<BR /> /bin/sh<BR /> /bin/ksh<BR /> /bin/csh<BR /> /bin/rsh<BR /> /bin/rksh<BR /> /usr/bin/ftpshell<BR /><BR />7. Now add a user to the system. Use a group that is 'ftponly' and<BR /> make the user's shell /usr/bin/ftpshell.<BR /><BR />8. Use SAM to limit the user to his home directory by setting up the<BR /> directory in this form:<BR /><BR /> /home/username/./<BR /><BR /> Note: The /./ is the important key here. When the ftpd verifies a<BR /> user's login, it checks and sees that the user is a member of<BR /> the 'guestgroup' ftponly. It then examines the home directory<BR /> and, if it sees a /./ in the path, it will then perform a chroot<BR /> to that directory. Therefore, when that user FTPs into the<BR /> system, their home directory will appear as the / directory.<BR /><BR />9. Provide the user with an ls command:<BR /><BR /> a. cd /home/username<BR /><BR /> b. mkdir usr<BR /><BR /> c. mkdir usr/bin<BR /><BR /> d. cp -p /sbin/ls usr/bin<BR /><BR /> e. chown -R bin:bin usr<BR /><BR /> f. chmod -R 555 usr<BR /><BR /><BR />hope it helps.<BR /><BR />regards. Mon, 09 May 2005 18:33:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricted-ftp/m-p/3540849#M223204 Joseph Loo 2005-05-09T18:33:29Z