topic Re: another ftp question in Operating System - HP-UX

another ftp question

Ron Irving — Tue, 09 Jun 2009 16:01:16 GMT

Ok...I'm going to re-ask this differently. Currently our /etc/passwd file contains the line for ftpuser:

ftpuser:o7dtD1r0FnNaM:113:113:,,,:/trans/./:/usr/bin/rsh

ftpuser logs in, and gets dropped in the /trans directory - no way up (good), no way down (bad)

We wish the ftpuser to have access to the subdirectories of /trans, but nothing above it, (/etc, /usr, etc.)

Any ideas?

Re: another ftp question

Michal Kapalka (mikap) — Tue, 09 Jun 2009 16:08:03 GMT

hi,

use vsftpd instead od default ftp server in HP-UX.

mikap

Re: another ftp question

Rick Garland — Tue, 09 Jun 2009 16:29:16 GMT

There is DocId: KBRC00008355 that details setting up a restricted FTP server on HPUX. This is somewhat old and you may want to look for a newer doc.

In the above doc it has the FTP user set with a shell of /usr/bin/false.

My choice now is vsftpd.

Re: another ftp question

Mel Burslan — Tue, 09 Jun 2009 16:29:32 GMT

what is the ownership of /trans and what are the permissions ? i.e., output of :

ll -d /trans

Re: another ftp question

Ron Irving — Tue, 09 Jun 2009 16:38:04 GMT

drwxrwxrwx 71 root ftpuser 16384 Jun 9 12:22 /trans/

so, that shoudn't be an issue, should it?

Re: another ftp question

Michal Kapalka (mikap) — Tue, 09 Jun 2009 16:43:02 GMT

hi,

i think this a transport directory from SAP,

you should add the group for the ftp user,

that belongs to the SAP user, under which is the SAP running.

because the SAP creating some transaction, under this user.

mikap

Re: another ftp question

Ron Irving — Tue, 09 Jun 2009 16:44:12 GMT

No SAP running on this server. Intersystems Cache. Run for the hills.

Re: another ftp question

Steven Schweda — Tue, 09 Jun 2009 17:16:03 GMT

> Ok...I'm going to re-ask this differently.

Different is not always better.

> Currently our /etc/passwd file [...]

Is that all the configuration you've done?
What about ftpaccess?

> [...] no way down (bad)

What, exactly, does this mean? What,
exactly, fails? /usr/bin/rsh does restrict
"cd" operation. "man sh-bourne":

[...] The cd command cannot be
executed by rsh.

Perhaps /usr/bin/rsh was not the ideal choice
here.

Did you read up on guest accounts?

Re: another ftp question

Ron Irving — Tue, 09 Jun 2009 17:22:01 GMT

No way down means I cannot get to the subdirectories of /trans. Currently, our business users that use this directory use an ftp client, (Cute FTP.) Using that, when they login, they are at the /trans directory, but they can go anywhere on the system, up to root, or /etc, or /usr, and down to the subdirectory level of /trans. We need to put a stop to regular users accessing the / directory. That's a disaster waiting to happen.

Re: another ftp question

Michal Kapalka (mikap) — Tue, 09 Jun 2009 17:26:05 GMT

hi,

disable using default hp-ux ftp server and install the vsftp, there is a lot options how to configure it, there is option that the user can stay only in his home directory ....

mikap

Re: another ftp question

Mel Burslan — Tue, 09 Jun 2009 17:28:33 GMT

Ron,

This, i.e., setting up chroot'ed environments, is not my forte, but when you set up an account and jail it to a certain directory, anything that is not internal to the shell, will be non-existent to the user. Also the restricted shell might come into play and not allow the user to perform certain functions. I am not sure how well a chroot'ed account plays with a restricted shell if they play at all. You might have to create a bin directory under this jailed directory and place the command executables by copying them from the default OS location into this bin directory for the ftponly user to use. Again, most of what I am telling you here is common sense. I have not set up a chrooted account for a long time myself.

Hope this helps a little.

Re: another ftp question

Ron Irving — Tue, 09 Jun 2009 17:31:21 GMT

I will put this on the back burner until tomorrow...my eyes hurt ;)

I have downloaded vsftpd, and will put into the development system tomorrow...hopefully no one will mass at my door with torches and pitchforks.

Stay tuned.

Re: another ftp question

Steven Schweda — Tue, 09 Jun 2009 19:53:48 GMT

> I have downloaded vsftpd [...]

You may be working harder than you need to.

> [...] We need to put a stop to regular
> users accessing the / directory. [...]

That's what a guest account is intended to
do. Reading the documentation can be very
enlightening. Honest.

alp $ ftp dy
220 dy.antinode.info FTP server (Version 1.1.214.4(PHNE_36129) Mon Apr 23 13:44:14 GMT 2007) ready.
Connected to dy.antinode.info.
Name (dy.antinode.info:sms): ftpg01
331 Password required for ftpg01.
Password:
230 User ftpg01 logged in. Access restrictions apply.
FTP> pwd
257 "/" is current directory.
FTP> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 0
drwxr-xr-x 3 2 2 96 Jun 9 15:24 usr

226 Transfer complete.
72 bytes received in 00:00:00.00 seconds (70.31 Kbytes/s)
FTP> put hpux.txt
200 PORT command successful.
150 Opening ASCII mode data connection for hpux.txt.
226 Transfer complete.
local: ALP$DKA0:[SMS.HPUX]HPUX.TXT;9 remote: hpux.txt
3443 bytes sent in 00:00:00.00 seconds (3362.30 Kbytes/s)
FTP> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 16
-rw-r----- 1 501 501 3305 Jun 9 15:45 hpux.txt
drwxr-xr-x 3 2 2 96 Jun 9 15:24 usr

226 Transfer complete.
141 bytes received in 00:00:00.00 seconds (137.70 Kbytes/s)
FTP> mkdir new_dir
257 MKD command successful.
FTP> cd new_dir
250 CWD command successful.
FTP> put hpc.txt
200 PORT command successful.
150 Opening ASCII mode data connection for hpc.txt.
226 Transfer complete.
local: ALP$DKA0:[SMS.HPUX]HPC.TXT;2 remote: hpc.txt
526 bytes sent in 00:00:00.00 seconds (513.67 Kbytes/s)
FTP> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 16
-rw-r----- 1 501 501 507 Jun 9 15:45 hpc.txt

226 Transfer complete.
77 bytes received in 00:00:00.00 seconds (75.20 Kbytes/s)
FTP> pwd
257 "/new_dir" is current directory.
FTP> cd /
250 CWD command successful.
FTP> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 16
-rw-r----- 1 501 501 3305 Jun 9 15:45 hpux.txt
drwxr-x--- 2 501 501 96 Jun 9 15:45 new_dir
drwxr-xr-x 3 2 2 96 Jun 9 15:24 usr

226 Transfer complete.
208 bytes received in 00:00:00.00 seconds (203.13 Kbytes/s)
FTP> quit
221 Goodbye.
alp $

I can't easily run CuteFTP here, but a
Mozilla-like Web browser seems to like it
well enough, and it's firmly stuck in its own
directory tree (really: "/home/ftpg01",
apparently: "/").