topic Re: simple FTP and root-jailing in Operating System - HP-UX

simple FTP and root-jailing

Charly Preis — Mon, 17 Jul 2006 09:01:55 GMT

Shalom alltogether,
we're working on a rx4640 machine under 11.23 and have the following needs:
We have one ftp-user who should only get an ftp-access (no os-access like other users).

We created this using .

This user should be able to read/write any file below this directory (also put/get them) - but he shouldn't be able to navigate above the home-directory.

We've already read some instructions in the book 'Installing and configuring internet services' - espacially the chapter over 'anonymous ftp access' - but our user is still able to navigate above his home-dir.

Hopefully awaiting your answers
Thanx
Charly

Re: simple FTP and root-jailing

Ivan Ferreira — Mon, 17 Jul 2006 09:27:11 GMT

Can you describe the process that you did?

Some tips:

1- Ensure that the user have a invalid shell, like /bin/false. This will prevent to the user logon locally.

2- The ftpaccess file should look like this:

class all real,guest,anonymous *

limit all 60 Any /etc/msgs/msg.dead

readme README* login
readme README* cwd=*

message /welcome.msg login
message .message cwd=*

compress no all
tar no all

delete no anonymous,guest # delete permission?
overwrite no anonymous,guest # overwrite permission?
rename no anonymous,guest # rename permission?
chmod no anonymous,guest # chmod permission?
umask no anonymous,guest # umask permission?

log commands real
log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg

email root@clu-oas.sis.personal.net.py

# CHROOT Users
guestuser username1 username2

3- Ensure that the home for these users in the passwd ends with /./

username1:*:211:214:CHROOT User:/path/to/home/./:/bin/false

Re: simple FTP and root-jailing

Charly Preis — Mon, 17 Jul 2006 09:38:30 GMT

Hello Ivan,
thank you - your answer has brought the solution. We've missed two things - the trailing slash at the home-dir and stupidly the /bin/false-shell.

Mui bien
Greetings to Paraguay
Charly

Re: simple FTP and root-jailing

Charly Preis — Mon, 17 Jul 2006 09:40:31 GMT

See the above solution from Ivan.

Re: simple FTP and root-jailing

SGUX — Tue, 18 Jul 2006 02:43:33 GMT

with HP-UX Secure Shell (T1471AA) a script named ssh_chroot_setup.sh (in /opt/ssh)is shipped which will do the job for you if you would like to use sftp.
I'm still working on it to get it working properly together with using LDAP but without LDAP it is working fine !

See also the following doc:
http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000082447780