topic Re: ftp access w/o shell access in Operating System - HP-UX

ftp access w/o shell access

Chris Little_1 — Tue, 17 Jul 2001 14:41:56 GMT

we are running 11.0 and want to set up an account with ftp only access. Is this possible?

Re: ftp access w/o shell access

A. Clay Stephenson — Tue, 17 Jul 2001 14:51:17 GMT

Hi Chris,

If I understand your question, you are trying to set up anonymous ftp. Man ftpd and it takes you through all the steps required.

Re: ftp access w/o shell access

Chris Little_1 — Tue, 17 Jul 2001 14:53:54 GMT

no it's for a particular user who doesn't need shell access.

Re: ftp access w/o shell access

MANOJ SRIVASTAVA — Tue, 17 Jul 2001 14:55:30 GMT

Hi Chris

Setup a normal user with ftp access , and in the .profile of the user please enter exit in the end so that whenever he makes a normal login he will never be able to get in the system . Where as he can just do ftp.

Manoj Srivastava

Re: ftp access w/o shell access

A. Clay Stephenson — Tue, 17 Jul 2001 15:09:11 GMT

Hi again,

I understand now and Manoj is close but one problem is that the user can issue '!' command within ftp to get to a shell. You need to do something like this within your user's .profile
or have your .profile (if setting up for more than 1 user) call a script which does this:

SHELL=/usr/bin/false
export SHELL
ftp
exit 0

You also need to make the .profile owned by root and not writable by this user so that he can't change the .profile. This too isn't quite foolproof because You probably would like the user to be have write permission in his home directory for creating files. This would allow him to remove or replace his .profile. If he is not allowed write access in the home directory then you should be secure enough.

Regards, Clay

Re: ftp access w/o shell access

Haitham Hamad — Tue, 17 Jul 2001 15:10:00 GMT

You can do the following
1) vi /usr/bin/ftpshell
type exit 0
save file
2) modify the user's shell to be /usr/bin/ftpshell
You can use usermod command or SAM
3) edit /etc/shells files and make sure it contains all shells that are used includes /usr/bin/ftpshell
4) Create a group ftponly or any other name
5) make the user a member of that group
6) edit /etc/ftpd/ftpaccess and check the group is specifed on the guestgroup line
7) Edit /etc/inetd.conf and modify ftp to look like this
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l

Test the access

Hope this helps
Haitham

Re: ftp access w/o shell access

Deshpande Prashant — Tue, 17 Jul 2001 15:12:41 GMT

HI
On my system I have set a ftp user id with restricted shell "/usr/bin/rsh". This gives user login shell with restricted access.
If you don't want ftp user to get login shell use Manoj's suggestion of putting "exit" at end of .profile of that user.

Thanks.
Prashant.

Re: ftp access w/o shell access

MANOJ SRIVASTAVA — Tue, 17 Jul 2001 15:15:49 GMT

Hi Chris

I again agree with Clay but you can always define rsh as the default shell , this would just restrict him to his home directory even in case he want to run ! in ftp session. Also this with exit in .profile should do the magic.

Manoj Srivastava

Re: ftp access w/o shell access

Joseph Chakkery — Tue, 17 Jul 2001 15:20:07 GMT

Hello,

I think creation of normal user and put exit as the last line of the .profile file of that user will solve ur problem.

Regards
Joe.

Re: ftp access w/o shell access

Patrick Wallek — Tue, 17 Jul 2001 15:32:34 GMT

Why not just set the users shell in the password file to /usr/bin/false, make sure that /usr/bin/false is in /etc/shells and go from there. That way the user can ftp to the machine, but they have no real shell so they have no shell access.