topic Re: ftpd in Operating System - HP-UX

ftpd

Shannon Petry — Thu, 10 Aug 2000 16:33:50 GMT

I have this thread also in security, but maybe it does not fit in that category so I'll try here.

PROBLEM: I have a user, who has an FTP ONLY ID. It is setup where the user MUST type a password, and does not have the ability to telnet, shell, etc because of his shell being /usr/bin/true. (No lectures about it not being /usr/bin/false please).

This user likes to wander the system, and copy anything they can get. It is a problem, but for political reasons, I have to keep their FTP ID.

How can I keep this #$%^&* from changing out of their home directory, and still be able to ftp into the box.

NOTE: Restricted shell will give them the ability to telnet, and more access than I want them to have. So what can I do??????

Thanks in advance!
Shannon Petry

Re: ftpd

Brian M. Fisher — Thu, 10 Aug 2000 16:44:45 GMT

The best option I have found is Washington University's FTP daemon wu-ftpd. This can be found for 10.20 at: http://hpux.cae.wisc.edu/
or install patch PHNE_20714 for 11.0
It provides comprehensive logging and message facilities, together with improved access and activity control mechanisms.

Brian
<*(((>< er

Re: ftpd

Shannon Petry — Thu, 10 Aug 2000 17:00:31 GMT

This is wu-ftp. Installed and configured and running just fine :) It does have excellent logging and tracking facilities, and enhanced control for anonymous and real users. But it still does not do what I need it to do.

Is what I would like possible?

Or is running httpd for ftpd and cgi'ng the users my only hope?

Re: ftpd

Rita C Workman — Thu, 10 Aug 2000 17:19:38 GMT

Very simple....do a basic chroot by doing an edit to the /etc/passwd and add a period and / to the end of his home directory....this basically changes his home directory to root.

vipw

on this persons' line change it so it says:
user:uid:gid....../home/nogoodbumb/./usr/bin/ksh

It's quick...it's easy......but a thought.
If you only have ftp rights here..you may need to add a directory /usr under his home directory and then copy into this directory /usr/sbin/pwd and /sbin/ls. Grant ownership to these to 'him'. That way this wonderful employee will have the ability to enter the command ls & pwd....which aside from get and put; I gather is all you want this little ray of sunshine to have....
Hope it helps,

Re: ftpd

Brian M. Fisher — Thu, 10 Aug 2000 17:51:12 GMT

Sorry about my initial answer, I did not see that you were already running wu-ftp. Have you looked at the wu-ftp web site? I found a ducument: Guest HOWTO
Describes the basics of setting up your FTP server for guest accounts. That is, to allow real Unix users to log in, but jail them in a chroot'd area.
http://www.wu-ftpd.org/HOWTO/guest.HOWTO

Brian
<*(((>< er

Re: ftpd

Shannon Petry — Thu, 10 Aug 2000 18:32:45 GMT

Kick but! The guest I thought was kind the same as anonymous. My bad!

Thanks, cuz that will jail em :)

I tested adding the / to the end of the home directory, as well as /. and /./ but none work to keep the user from cd'ing anywhere.
Maybe I did it wrong, but I have:
butthead:yuck:131313:666:dumb,stinky,,:/home/butthead/:/usr/bin/true

The guest should do it!
Thanks a bunch!