topic Re: Restrict ftp user to use basic commands only like ls , cd in Operating System - HP-UX

Restrict ftp user to use basic commands only like ls , cd

saket bansal_1 — Fri, 30 Jan 2009 09:24:34 GMT

Hi All,
I have created a ftp user under ftponly group.
I have done the following:

1.Made an entry in /etc/ftpd/ftpacess file :
guestgroup ftponly
2.In /etc/passwd , user exists as:
cdot_hp:KinfCt2uf5Klc:122:104::/bplmisc/tap_files/chd/Tapin_Mach/HP/./:/usr/bin/ftpshell
3. In /etc/group, group exists as :
ftponly::104:
4. i have made ftp entry in /etc/inetd.conf as:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l
5. I have reconfigured /etc/inetd.cong using inetd -c command.
6.The directory structure
/bplmisc/tap_files/chd/Tapin_Mach/HP/usr/bin has been created and ls command has been pasted to this bin directory.

I want restrict this cdot_hp user to use only a set of commands like cd, put,mput,ls only...
But it is able to use all the commands that a normal ftp user can..
Pl. suggest how to restrict the user....
Also . I am unable to find binaries for ftp commands like mput..

Regards,
Saket Bansal

Re: Restrict ftp user to use basic commands only like ls , cd

Steven Schweda — Fri, 30 Jan 2009 11:14:18 GMT

> I want restrict this cdot_hp user [...]

Why do you care? How much damage can a guest
user do?

> I am unable to find binaries for ftp
> commands like mput..

"ftp" and "ftpd" are (mostly) complete
programs. There are not separate executables
(at either end) for each FTP (client or
server) command. "ls" is an exception on the
server side for this FTP server, for use with
the LIST command ("dir" or "ls" for the user
of this FTP client). It's not used for the
NLST command ("nlist" for the client user).
So far as I know, everything else is built
in.

Re: Restrict ftp user to use basic commands only like ls , cd

saket bansal_1 — Fri, 30 Jan 2009 11:36:40 GMT

Hi Steven,
Actually as per bussiness requirement we need to give ftp access to a third party vendor..so we doesn't want them to put any files on the server...But he shud be able to get them...also we dosn't want him to access the directory structure other than his home(this has been achieved).

So please suggest some way to restrict his activities...

Re: Restrict ftp user to use basic commands only like ls , cd

saket bansal_1 — Fri, 30 Jan 2009 11:39:11 GMT

A correction on above st.

He shud be able to put files on server..but restrict "get".

Rgrds,
Saket Bansal

Re: Restrict ftp user to use basic commands only like ls , cd

Fredrik.eriksson — Fri, 30 Jan 2009 11:48:21 GMT

Then why not just chmod the files? afaik ftpd's usually adhere to filesystem permissions.

remove the write permission on the folder and make sure that all files in the directory is in read only.

I might be wrong, but I seem to remember something like this.

Best regards
Fredrik Eriksson

Re: Restrict ftp user to use basic commands only like ls , cd

Fredrik.eriksson — Fri, 30 Jan 2009 11:50:34 GMT

sorry, didn't read it properly... chmod could still solve the issue, just make sure all the files is chmodded to a permission setting where he is not allowed to touch the files, while you still have write permission in the directory.

no points for this one please :P

Re: Restrict ftp user to use basic commands only like ls , cd

Johnson Punniyalingam — Fri, 30 Jan 2009 11:55:18 GMT

>>,
Actually as per bussiness requirement we need to give ftp access to a third party vendor..so we doesn't want them to put any files on the server...But he shud be able to get them...also we dosn't want him to access the directory structure other than his home(this has been achieved).

So please suggest some way to restrict his activities<<

Hi Saket,

You have created a restricted ftpuser account, so nornal behaviour
1. he cant ' do cd,he will Jailed in the said folder of the of the ftpuser account,
meaningfull he can't to Change Directory,
2. Setup the Folder permision read-only

Hope this helps,

Thx,
Johnson

Re: Restrict ftp user to use basic commands only like ls , cd

bright image — Fri, 30 Jan 2009 11:57:55 GMT

Sounds to me like you want to configure restricted ftp with a chroot environment.

See the following links...

(The first is a good one)

http://newfdawg.com/SHP-FTP-anon.htm

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1264911

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=115&prodSeriesId=3215373&prodTypeId=18964&objectID=c01516983

Re: Restrict ftp user to use basic commands only like ls , cd

Steven Schweda — Fri, 30 Jan 2009 12:39:08 GMT

> Sounds to me like you want to [...]

Sounds to me as if he already has.

Have you tried using FTP to see files outside
this user's home directory? If you did the
guest-user stuff correctly, this should be
impossible.

> He shud be able to put files on server..but
> restrict "get".

If he already has the files, why would he
wish to get them back again? Or did you plan
to let many users use the same account, but
not see each other's files? (Or what,
exactly, worries you?) There are advantages
to giving each user his own guest account.

I haven't done this in many years, but as I
recall, you can remove "r" (or "x"?)
permission from your upload directory, and
that will stop users from seeing a listing
of the files which are there. But if the
user knows (or can guess) a file's name, he
can still fetch it.

It might be easier/faster to try some thing
(like different directory permissions) than
to ask about them.

Re: Restrict ftp user to use basic commands only like ls , cd

saket bansal_1 — Fri, 30 Jan 2009 18:32:26 GMT