topic Re: Secure ftp in Operating System - HP-UX

Secure ftp

Andy Macleod — Thu, 14 Nov 2002 16:00:41 GMT

One of the items in my roll out of a secure ftp solution is to insert /./ (chroot) into the path of a ftp users home directory.

but when I ftp in using this user's id and do the pwd comand I can still see the full path.

Can anyone think why this is ?

Re: Secure ftp

Christopher McCray_1 — Thu, 14 Nov 2002 16:06:21 GMT

Are you using ftpaccess?

Look at this:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xa9635c7609e9d61190050090279cd0f9,00.html

Hope this helps

Chris

Re: Secure ftp

Christopher McCray_1 — Thu, 14 Nov 2002 16:06:31 GMT

Hello,

What does the entire entry in the passwd file say?

Do you have something like /usr/bin/false for the users default shell?

Chris

Re: Secure ftp

Andy Macleod — Thu, 14 Nov 2002 18:24:49 GMT

I think I've sorted it.
I've set up a new group and a new shell called ftpshell.

The shell contains exit 0, then I've copied the ftpaccess file to /etc/ftpd/ and editied it so the ftponly group is the secureftp group.
then i've sorted all the permissions and ownership.

I then created a file /etc/shells and listed all the shells inculding the new ftpshell, cp'd the ls cmd to a sub dir usr/bin withing the ftpusers home dir.

Here's the link I found
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000063248362

Re: Secure ftp

Andy Macleod — Fri, 15 Nov 2002 10:18:19 GMT

If I now want to enable ls and rename for the ftp user, what do I need to do?

I've changed the lines in /etc/ftpd/access to yes for the items rename overwrite and delete but I still cannot do an ls or rename.

Please help

Re: Secure ftp

Andreas Voss — Fri, 15 Nov 2002 10:32:38 GMT

Hi,

for listing you have to copy /sbin/ls to the home directory of the ftp user.
First create usr/bin under the home dir of the ftp user ie:
umask 222
mkdir -p /home/user/usr/bin

Then copy the ls binary:
cp -p /bin/ls /home/user/usr/bin

Regards

Re: Secure ftp

Andy Macleod — Fri, 15 Nov 2002 10:51:36 GMT

I've done all that and it still doesnt work.

I've played with combinations of shells and groups and the only way I can get get rename to work is to remove the ftpuser from my secureftp (ftponly) group, but that then allows the user to move around the file structure.

Any ideas ?
here's a copy of my ftpaccess file

loginfails 2

class local real,guest,anonymous *.domain 0.0.0.0
class remote real,guest,anonymous *

limit local 20 Any /etc/msgs/msg.toomany
limit remote 100 SaSu|Any1800-0600 /etc/msgs/msg.toomany
limit remote 60 Any /etc/msgs/msg.toomany

readme README* login
readme README* cwd=*

message /welcome.msg login
message .message cwd=*

compress yes local remote
tar yes local remote

# allow use of private file for SITE GROUP and SITE GPASS?
private yes

# passwd-check []
passwd-check rfc822 warn

log commands real
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg

# all the following default to "yes" for everybody
delete yes guest,anonymous # delete permission?
overwrite yes guest,anonymous # overwrite permission?
rename yes guest,anonymous # rename permission?
chmod no anonymous # chmod permission?
umask no anonymous # umask permission?

# specify the upload directory information
upload /var/ftp * no
upload /var/ftp /incoming yes root daemon 0600 dirs
upload /var/ftp /bin no
upload /var/ftp /etc no

# directory aliases
alias inc /incoming

# cdpath
cdpath /incoming
cdpath /pub
cdpath /

# path-filter...
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

# specify which group of users will be treated as "guests".
guestgroup secureftp

Re: Secure ftp

Andy Macleod — Fri, 15 Nov 2002 10:52:27 GMT

Here's what I see when I log on

230 User hostftp1 logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/hostftp1" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
226 Transfer complete.

But the ls command doesnt show the 2 files I've just put in there either.

Re: Secure ftp

john korterman — Fri, 15 Nov 2002 10:55:05 GMT

Hi,
When you establish the ftp session, does the system then say "Users logged in. Access restrictions apply"?
If you execute "pwd" immediately after you have established your ftp session, it should show what has been entered after the full stop in the 6th field of the definition in /etc/passwd. Does it do that?

regards,
John K.

Re: Secure ftp

john korterman — Fri, 15 Nov 2002 11:14:42 GMT

Hi again,
The way I see the sequence of question/answers here, you can probably guess my next question (!): Did you copy the statically linked ls command from /sbin/ls (which is the correct one) or?

regards,
John K.

Re: Secure ftp

Andy Macleod — Fri, 15 Nov 2002 11:17:03 GMT

I did this

cd /home/username
mkdir usr
mkdir usr/bin
cp -p /sbin/ls usr/bin
chown -R bin:bin usr
chmod -R 555 usr

Re: Secure ftp

john korterman — Fri, 15 Nov 2002 12:13:01 GMT

Hmm,
.... almost out of ideas. Does it make a difference to use "dir"?

regards,
John K.

Re: Secure ftp

Andy Macleod — Fri, 15 Nov 2002 12:38:04 GMT

Nope - HELP !

Re: Secure ftp

john korterman — Fri, 15 Nov 2002 13:54:05 GMT

Hi,
have you made the ftp-connection from the server itself or from a PC client?

regards,
John K.

Re: Secure ftp

Christopher McCray_1 — Fri, 15 Nov 2002 14:21:07 GMT

Hello,

You need to have that usr/bin/ls tree under the hostftp1 directory the user is chroot'ed to .

I also noticed that you kept a lot of the default variables in you ftpaccess file, which won't work. For example:

# specify the upload directory information
upload /var/ftp * no
upload /var/ftp /incoming yes root daemon 0600 dirs
upload /var/ftp /bin no
upload /var/ftp /etc no

The /var/ftp should be changed to what you have, like /home/user and do you even have an incoming directory, I believe it was hostftp1:

upload /home/user /ftpuser1 yes 0600 dirs

Do a search on ftpaccess and really read the man pages clarification on all these values; you may not even need them all. There are also release notes in /usr/share/doc/RelNotes_newftp.txt

Hope this helps

Chris