아래의 내용은 HP document 입니다.
참조하시길.. 10.20 은 아래의 패치를 하시고 하셔야한다고 하네요..
How to setup a restricted user for FTP access DocId: BC0814KBRC00007719 Updated: 8/14/01 3:40:00 PM
PROBLEM
How can I setup a user for FTP access only, so that they will not be able to
access any other directories or files on the system?
On 11.0: I would like to have the following ftp access settings:
-- restrict the user to be active in their home directory and its
sub-directories only.
-- restrict the user to have up to max 5 FTP sessions only.
-- non-retrieval of the system configuration files, ie
/etc/passwd, core, and etc.
(On HP-UX 10.20, you need to use public domain wu-ftp, then the
below method patch is PHNE_23948)
RESOLUTION
Here's the instructions on achieving your design for ftp access into the server:
1)load in PHNE_23949 (or latest ftp/ftpd). This patch resolves a couple of
issues with ftpaccess.
2) create a user via SAM (eg. user= test1 group= none)
3) This user has ONLY ftp access, so it would be wise to
code the start-up program as /usr/bin/false
4) For the home directory, specify /home//. eg:
/home/test1/./ (explanation in man ftpaccess)/etc/passwd looks like
test1:qXznDQ1RUwqZ6:115:20:,,,:/home/test1/./:/usr/bin/false
**ignore the error with SAM not being able to create a /. directory.
5) all other questions in SAM are as per normal.
6) ensure that /usr/bin/false is also coded in a file /etc/shells
7) then edit-create the file /etc/ftpd/ftpaccess to have these lines:
class all test1,guest * <-- line#1
guestgroup none <-- line#2
limit all 5 Any /no-more-ftp-access <-- line#3
noretrieve /etc/passwd core <-- line#4
with #chmod 444 ftpaccess
#chown bin:bin ftpaccess
Explanation:
line#1 : 'class' is a verb
'all' is a class of users;
you can call it anything you like.
'guest' is a verb “test1” is the user name
'*' is the range of users allowed to ftp
into the machine.
You can restrict this further if you want to.
Do a man ftpaccess
line#2 : 'guestgroup' is a verb
: 'none' is the group name of the users
that have been coded via SAM
(see /etc/group to find out what group
that has)
line#3 : 'limit' is a verb
'all' as per line#1,the class of users.
'5' is the number of ftp sessions; in this case
its five.
You can change it to any number of your choice.
'Any' , do a man ftpaccess for explanation
'/no-more-ftp-access' is a filename that
contains a message to be displayed when the
limit is reached.
line#4 : types of files to restrict
8) then edit /etc/inetd.conf to add in '-a' argument for ftpd; thus:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a
9) inetd -c (to re-read the configuration file)
10) Create the following subdirecties and files:
a. ~test1/usr
#chown –R bin:bin usr
#chmod 555 usr
b. ~test1/usr/bin
#chown root bin
#chmod 555 bin
#cp -p /sbin/ls ~test1/usr/bin/ls
11) The ~test1/usr/bin/ls allows the use of the 'ls' command in ftp to find out
the files that are present in their directory.
12) test to verify
