topic Re: anonymous ftp in Operating System - HP-UX

anonymous ftp

Mike_21 — Mon, 26 Nov 2001 16:53:38 GMT

We have anonymous ftp running. Is there a way to eliminate anonymous users from accessing a specific directory? I would like regular users with UNIX id/pass to still be able to ftp to this directory.

Thanks

Re: anonymous ftp

eran maor — Mon, 26 Nov 2001 17:04:25 GMT

Hi Mike

it you want to disable the user just delete it
from the /etc/passwd in you dont want any
anonymous ftp user will login to your system .

other user that have a valid user on the system can do a login with the ftp with no problem .

if you want that the anonymous ftp will be enable but he will not have access to a dir it
is just a primmsion issue of the dir that you dont want him to log .

user anonymous most of the time are group to the group other and if other doent have access
to the dir he will not able to log in the system

i m also giving a white peper how to config the anonymous user in a system

Re: anonymous ftp

Roger Baptiste — Mon, 26 Nov 2001 17:05:02 GMT

Hi,

The following document has details on restricting users to a directory:
http://us-support.external.hp.com/cki/bin/doc.pl/sid=5e97849c1c7733dce2/screen=ckiDisplayDocument?docId=200000057370859

hth
raj

Re: anonymous ftp

Joseph C. Denman — Mon, 26 Nov 2001 17:06:02 GMT

One easy way that comes to mind is to create another group?

such as guest2

Assign valid users that that group.

mkdir /home/ftp/pub/newdir
chown root:guest2 /home/ftp/pub/newdir
chmod 770 /home/ftp/pub/newdir

anonymous users will not be able to access the newdir but your valid users will.

There may be an easier way, but this would be fairly simple.

...jcd...

Re: anonymous ftp

Christopher Caldwell — Mon, 26 Nov 2001 17:08:39 GMT

Most folks point anonymous ftp at a directory with limited security implications. The server gets there via chroot. Here's how to configure anonymous access (from man ftpd):

4)
If the user name is ``anonymous'' or ``ftp'', an anonymous ftp account must be present in the password file (user ``ftp''). In this case the user is allowed to log in by specifying any password (by convention this is given as the client host's name).
In the last case, ftpd takes special measures to restrict the client's access privileges. The server performs a chroot(2) command to the home directory of the ``ftp'' user. In order that system security is not breached, it is recommended that the ``ftp'' subtree be constructed with care; the following rules are recommended.

~ftp)
Make the home directory owned by super-user and unwritable by anyone.
~ftp/bin)
Make this directory owned by the super-user and unwritable by anyone. The program ls(1) must be present to support the list command. This program should have mode 111.
~ftp/etc)
Make this directory owned by the super-user and unwritable by anyone. The files passwd(5) and group(5) must be present for the ls command to be able to produce owner names rather than numbers. Depending on the operating system, there may be other required files. Check your manual page for the getpwent(3) library routine. The password field in passwd is not used, and should not contain real encrypted passwords. These files should be mode 444 and owned by the super-user. Don't use the system's /etc/passwd file as the password file or the system's /etc/group file as the group file in the ~ftp/etc directory.
~ftp/pub)
Create a subdirectory in ~ftp/pub with the appropriate mode (777 or 733) if you want to allow normal users to upload files.

Re: anonymous ftp

Anthony deRito — Mon, 26 Nov 2001 18:25:20 GMT

I would highly recommend looking at wu-ftpd as a replacement for ftpd. Its free, more secure, and will do exactly as you require. I replaced my ftpd with wu-ftpd a few months ago and am pleased. It uses chroot to control access.

http://www.wu-ftpd.org

Tony

Re: anonymous ftp

Mike_21 — Mon, 26 Nov 2001 19:07:46 GMT

And one other point, running 10.20 and NIS. SO I am not sure if I assign a nis user to a local user group, and assign this group to the directory, that this will restrict access only to those users...