topic Re: Restrict FTP access to a directory other than the homedir in Operating System - HP-UX

Restrict FTP access to a directory other than the homedir

Luis Toro — Mon, 09 May 2005 14:53:16 GMT

We use the ftpaccess to setup restricted ftp access for "ftp only" accounts. Using /bin/false, and the "guest group", these accounts can only be used to ftp to a specific directory. My new requirement is to restrict the ftp access for regular user accounts to a specific directory, other than their home directory, and restrict it such that they can "cd" out of that ftp directory.
Thanks

Re: Restrict FTP access to a directory other than the homedir

Isralyn Manalac_1 — Mon, 09 May 2005 21:52:52 GMT

You might want to consider chroot for sftp. I've attached the ssh release notes for your reference.

Regards,

Isralyn

Re: Restrict FTP access to a directory other than the homedir

Luis Toro — Tue, 10 May 2005 08:07:13 GMT

Thanks for the reply, but I don't think ssh is an option since these are endusers that have a predefined [ftp] process. What I'm trying to do is make sure they are restricted when doing an FTP to a directory other than their homedir. The easy option is to create "ftp only" accounts for each user and use the ftpaccess file to configure them as "guest" accounts.

Re: Restrict FTP access to a directory other than the homedir

David Lodge — Fri, 17 Jun 2005 05:35:15 GMT

Look in the ftpaccess file (man ftpaccess). You can configure this to allow 'guest' users. (Note: guest users are *not* anonymous)

All guest users are locked into a chroot gaol which is defined in /etc/passwd.

In essence:
1. Create an ftp group
2. Edit /etc/inetd.conf to add '-a' to the ftpd flags, then reload inetd's conf file (inetd -c)
3. Create a simple /etc/ftpd/ftpaccess file, with something like:
# Defines a class of users - this is required
class users real,guest *
# Any members of the ftp group will be chroot'd
guestgroup ftp
# Don't print the FTP/OS version on login
suppressversion yes
# Logging - for debugging purposes
log commands real,guest,anonymous
log transfers real,guest,anonymous * IN,OUT

4. Create your user, put it in the 'ftp' group and assign a shell of /usr/bin/false (to stop shell logins). The home directory for the user should be /./; for example:
useradd -g ftp -s /usr/bin/false -c "Chroot FTP user,,," -d /var/opt/staging/./foo foo
5. Create the home directory (in the above example: /var/opt/staging/foo)

One point about this; by default they won't be able to do an 'ls' command from within FTP - but they can still use 'nlist'

Re: Restrict FTP access to a directory other than the homedir

jaru_1 — Wed, 08 Oct 2008 22:49:10 GMT

hi , i use the ftpaccess to setup restricted ftp access for "ftp only", its work, but i can't see the files in the directory only from command line i can see the files.

Re: Restrict FTP access to a directory other than the homedir

Steven Schweda — Thu, 09 Oct 2008 02:28:13 GMT

> hi , [...]

It would be better to start a new thread with
your new question, rather than waking up this
very old and mostly unrelated thread.

When you do that, show an "ls -lR" listing
for a user's home directory.

Or, do a Forum search, and look for your
problem, which has almost certainly been
covered before.