Limiting FTP access to only one directory
05-20-2002 07:53 PM
We have one application which requires users to upload image files to my L1000 HP9000 server running HP-UX 11.
Unfortunately, we are not yet able to design a JSP application that can allow us to do so.
We are thinking about a simple solution where we would install a graphical FTP software that will allow the end-users to upload their files.
Our problem is that with this setup, the end-users are able to browse through all the directories on the server.
Is there a way to restrict access to only one directory to a user?
Thank you in advance for your guidance.
best regards
yogeeraj
05-20-2002 07:59 PM
Re: Limiting FTP access to only one directory
hi
Use 'rsh' for that particular user
CTK
05-20-2002 08:04 PM
Re: Limiting FTP access to only one directory
You need to have a look at the man page for 'ftpaccess'. Even if you're using a GUI-based application, the permissions should still be restrictive to the designated directory.
In the /etc/passwd file, the sample entry is:
guest:
When guest successfully logs in, the ftp server will chroot(/ftp) and then chdir to './intray'. The guest user will only be able to access the directory structure under /ftp (which will look and act as / to guest), just as an anonymous FTP user would.
HTH
~Michael~
05-20-2002 08:06 PM
Re: Limiting FTP access to only one directory
Thank you for the fast reply.
Not clear about "rsh"
please elaborate.
Is it a software on the client?
please an example
thanks
Yogeeraj
05-20-2002 08:10 PM
Re: Limiting FTP access to only one directory
This could be better for your requirements:
Explanation here:
http://www.wu-ftpd.org
Software can be found here from the porting centre.
http://hpux.connect.org.uk/hppd/hpux/Networking/FTP/wu_ftpd-2.6.1/
Cheers
~Michael~
05-20-2002 08:18 PM
Re: Limiting FTP access to only one directory
1. cp /usr/newconfig/etc/ftpd/ftpaccess /etc/ftpd/ftpaccess
2. create a group for ftp users called ftponly
3. create the new ftp user (say nielg) and restrict him to /home/nielg
useradd -m -d /home/nielg -s /usr/bin/false -g ftponly nielg
4. Add this false shell to the file (just add the /usr/bin/false line to the file)
5. Change the /etc/inetd.conf file (the ftp line) to read:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a
6. Now edit the /etc/passwd file and change the directory setting for the user: add /./ at the back of the directory
(if the line used to read:
nielg:98732jgjh:100:103::/home/nielg:/usr/bin/false
Make it:
nielg:98732jgjh:100:103::/home/nielg/./:/usr/bin/false)
7. Restart inetd "inetd -c"
That should be it
Hope it helps
N
05-20-2002 08:22 PM
Re: Limiting FTP access to only one directory
hi
you have to specify rsh for your user
eg
mbr034:m9uORGYWXHAmQ:1034:1000:Cl. No. = 34:/usr1/setl/member/mbr034:/usr/bin/rsh
one of my user's passwd entries
and Michael's suggestion is also good here too; I have done it, that's creating an ftp group
CTK
05-20-2002 08:23 PM
Re: Limiting FTP access to only one directory
My step 5 should be : Add the entry to the /etc/shells file (just add the line /usr/bin/false)
05-20-2002 08:38 PM
Re: Limiting FTP access to only one directory
'rsh' = restricted shell which is on the HP-UX server.
Michael
05-20-2002 08:56 PM
Re: Limiting FTP access to only one directory
==========================
Niel Greeff
==========================
Have gone through the steps.
The last line about "7. Restart inetd "inetd -c"" worries me a bit.
Can I do it on a production server? Will it not disconnect all connected users?
Have a look at the attachment too.
==========================
Mr. Michael Tully
Mr. Vijeesh CTK
==========================
Still does not work.
See attached a sample of the screen I get.
The user can see the whole tree structure.
Below the line from /etc/passwd:
bn:iwhBIpeNlXxFI:128:20:FTP-Brinda Nattoo,PDD-PHX,,:/prod/webroot/pdd/croquis:/usr/bin/rsh
Please advise.
Will I really need to replace my FTP server for it to work?
05-20-2002 09:07 PM
Re: Limiting FTP access to only one directory
05-20-2002 09:15 PM
Re: Limiting FTP access to only one directory
hi
OK, so you want the user to not view other directories. Then Niel's way is good. I am having the same thing on my production server. You can do inetd -c; it will reread the configuration file
CTK
05-20-2002 09:19 PM
Re: Limiting FTP access to only one directory
Use ftpaccess to restrict FTP access to specific users or directories. man ftpaccess for more information.
You may want to look at this link as well:
http://web.hpl.hp.com/services/rcsweb/techs/post-host/ftp/ftpaccess.html
With regards to inetd -c, it only sends a SIGHUP to the inetd daemon and re-reads the configuration file during the reloading. This is different from a SIGTERM which occurs when you run inetd -k (which kills the daemon). There is no observable impact to running inetd -c. The reloading is so fast that your users will not detect it at all.
Hope this helps. Regards.
Steven Sim Kok Leong
05-21-2002 02:02 AM
Re: Limiting FTP access to only one directory
Thank you all for the replies.
I was trying Mr. Niel Greeff's option.
The problem now is that ALL other users can no longer ftp to the server!!
Any ideas?
I need normal ftp access for all the users in the group "IT"
Changes made:
-----------------------------------------------
a. cp /usr/newconfig/etc/ftpd/ftpaccess /etc/ftpd/ftpaccess
b. Created group ftponly.
# cat /etc/group|grep ftp
ftponly::104:bn
c. Modified existing user profiles:
# cat /etc/passwd|grep bn
bn:kxYRxp1j9zS0A:128:20:FTP-Brinda Nattoo,PDD-PHX,,:/prod/webroot/pdd/croquis/./:/usr/bin/false
#
d. Check /etc/inetd.conf
# cat /etc/inetd.conf|grep ftp
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -u 002 -a
#
e. Created file /etc/shells
# more /etc/shells
/usr/bin/false
#
-----------------------------------------------
Now it works for user "bn" however all other users can no longer FTP. It gives error message: "530 User deg access denied..."
Please help!!
Best Regards
Yogeeraj
05-21-2002 02:35 AM
Re: Limiting FTP access to only one directory
This file contains all the shells that are allowed to be used as FTP shells. If no /etc/shells file exists, the system will allow the default POSIX shell (sh) to be used. Once you added this file and only the /usr/bin/false shell, only users with that shell will be allowed to ftp into this machine. The solution is to add the shell(s) for the other user(s) you want to allow ftp access to this file. To add the default shell /sbin/sh to the /etc/shells file
Hope that will finally solve the problem.
N
05-21-2002 02:47 AM
Re: Limiting FTP access to only one directory
thank you for the fast reply.
I have added additional lines to the /etc/shells:
==============================================
# cat /etc/shells
/usr/bin/false
/usr/bin/sh
/usr/bin/ksh
/usr/bin/csh
#
==============================================
All users are able to login now.
However,
a. The restricted users can see their root directory (as restricted) but not the sub-directories. (see attachment)
b. The power users are experiencing the same as above.
Any more hints will be most welcomed.
thank you in advance
Best Regards
yogeeraj
05-21-2002 02:50 AM
Re: Limiting FTP access to only one directory
;)
05-21-2002 03:01 AM
Re: Limiting FTP access to only one directory
For the power users, make sure they are not in the ftponly group, and do not add the /./ at the back of their home directories in the /etc/passwd file.
For the ftp only users, their home directory will be seen as the root directory now. They will not be able to "see" anything else, because they do not have access to the "ls" command anymore. You need to do the following in each one's home directory:
mkdir usr
mkdir usr/bin
cp /usr/bin/ls usr/bin/ls
chmod -R 555 usr
chown -R bin:bin usr
This gives them the ls command (which will allow for directory listings)
N
05-21-2002 03:46 AM
Re: Limiting FTP access to only one directory
05-21-2002 04:16 AM
Re: Limiting FTP access to only one directory
What happens to the power users ? Can they not log in ? or can they not change to any other directory ? or not see any other directory ?
05-21-2002 04:41 AM
Re: Limiting FTP access to only one directory
1.
"Check the primary group for the bn user. Make sure that this user is in group 104 (change in the /etc/passwd file or use the usermod command)"
Used SAM to set the primary group. Still NOT ok.
-----------------------------------------------
Login Name: bn
User ID (UID): 128
Home Directory: /prod/webroot/p>
[ Primary Group Name... ] ftponly
[ Start-Up Program... ] /usr/bin/false
Real Name: FTP-Brinda Natt>
Office Location: PDD-PHX
Office Phone:
Home Phone:
[ Modify Password Options... ]
-----------------------------------------------
2.
"What happens to the power users ? Can they not log in ? or can they not change to any other directory ? or not see any other directory ? "
OOPS! It's OK now! I don't know how!!
Thank you again for your time and additional guidances.
NB. restricted users still not ok.
Best Regards
Yogeeraj
05-21-2002 04:48 AM
Solution
Use ftpaccess. Do "man ftpaccess" for more info. Also take a look at the thread below on how to set up ftpaccess on your system.
http://us-support.external.hp.com/cki/bin/doc.pl/sid=f3889157083aef0a6e/screen=ckiDisplayDocument?docId=500000000092476
Hope this helps.
Regds
05-21-2002 05:24 AM
Re: Limiting FTP access to only one directory
It works :)
I got the only missing part from the document found at the link you have posted here.
** NOTE: When providing the 'ls' command, use /sbin/ls, not /usr/bin/ls.
Did the trick!
Thank you all for responding to my problem. I really appreciate that I have been able to solve my problem today itself.
I will be doing some further tests; if anything further arises, I will post here....
Best Regards to you all
Yogeeraj
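
The three things that went wrong in this thread (a login shell missing from /etc/shells, the /./ marker in the home directory, and the primary group) can be checked before changing a production server. The script below is an added example, not code from any post: the function names, the tmp1 user, the users group and the sample UIDs/GIDs are constructed for illustration, and it reads copies of the files that you pass in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Every path is an argument, so it can be
# pointed at copies of /etc/passwd, /etc/group and /etc/shells.

# field PASSWD USER N: print field N of USER's passwd entry.
field() { awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"; }

# gid_of GROUP NAME: print the numeric GID of group NAME.
gid_of() { awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"; }

# chroot_dir HOME: print the part before the /./ marker, nothing if absent.
chroot_dir() { case $1 in */./*) printf '%s\n' "${1%%/./*}" ;; esac; }

# classify PASSWD GROUP SHELLS USER [GUESTGROUP] prints one of:
#   unknown     no such user
#   denied      login shell not listed in SHELLS ("530 ... access denied")
#   restricted  /./ marker in home AND primary group is GUESTGROUP
#   mismatch    only one of those two holds
#   normal      neither holds: the user can browse the whole tree
classify() {
    user=$4; guest=${5:-ftponly}
    [ -n "$(field "$1" "$user" 1)" ] || { echo unknown; return; }
    grep -qxF -- "$(field "$1" "$user" 7)" "$3" || { echo denied; return; }
    marker=no; ingroup=no
    [ -n "$(chroot_dir "$(field "$1" "$user" 6)")" ] && marker=yes
    [ "$(field "$1" "$user" 4)" = "$(gid_of "$2" "$guest")" ] && ingroup=yes
    case $marker$ingroup in
        yesyes) echo restricted ;;
        nono)   echo normal ;;
        *)      echo mismatch ;;
    esac
}

# has_ls PASSWD USER: true if the user's chroot holds an executable usr/bin/ls.
has_ls() {
    root=$(chroot_dir "$(field "$1" "$2" 6)")
    [ -n "$root" ] && [ -x "$root/usr/bin/ls" ]
}

# Constructed sample data modelled on the thread (password fields blanked).
t=$(mktemp -d) && trap 'rm -rf "$t"' EXIT
printf '%s\n' "bn:*:128:104::$t/croquis/./:/usr/bin/false" \
    "deg:*:130:20::/home/deg:/usr/bin/ksh" \
    "tmp1:*:131:20::$t/tmp1/./:/usr/bin/false" > "$t/passwd"
printf '%s\n' 'ftponly::104:bn' 'users::20:' > "$t/group"
printf '%s\n' /usr/bin/false > "$t/shells"
for u in bn deg tmp1; do
    echo "$u: $(classify "$t/passwd" "$t/group" "$t/shells" "$u")"
done
```

On the constructed data, deg is reported as denied until /usr/bin/ksh is added to the shells file, and tmp1 shows the case where the /./ marker is present but the primary group was never changed.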