
Restrict users access to ftp and make su to root

 
Felix Tabares
Contributor


I need the ftp service to be restricted as a security measure on the server, whose operating system is 11.23, and a user to be able to su to root.

I know that file is edited to make this happen

thanks
4 REPLIES
VK2COT
Honored Contributor

Re: Restrict users access to ftp and make su to root

Hello,

Many possible scenarios. Start with:

a) Edit /var/adm/inetd.sec and
limit access to FTP daemon on the server.

b) Edit files in /etc/ftpd to tune up the
FTP services:

ftpaccess
ftpusers

c) Enable SU_ROOT_GROUP variable in
/etc/default/security config file and
make users that need to su(1M) to root be
part of that Unix group.

If I had it my way, I would disable FTP and
move to SSH/SFTP.

Likewise, maybe setting RBAC for some users
would help avoid the need to give them su(1M) access to root.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
Steven E. Protter
Exalted Contributor

Re: Restrict users access to ftp and make su to root

Shalom,

The ftpaccess file is counterintuitive. You add people to it to restrict access.

Also, some ws-ftpd releases had bugs that allowed root access.

I would drop ftp in favor of openssh sftp if possible.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tim Nelson
Honored Contributor

Re: Restrict users access to ftp and make su to root

proftp is also an option and available via IExpress on software.hp.com

Ismail Azad
Esteemed Contributor

Re: Restrict users access to ftp and make su to root

/etc/ftpd/ftpusers will deny access to ftp users and not allow. You will probably have to create this file. The same goes for /var/adm/inetd.sec. But if you are talking about completely deactivating ftp then you should be doing it in the /etc/inetd.conf file by commenting it out. It can also be done in /etc/services although HP does not recommend this.
Read, read and read... Then read again until you read "between the lines".....
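
A read-only audit of the files named in the replies above, as an added example that is not part of any poster's message or of HP's tooling. It runs against copies of inetd.conf, inetd.sec, ftpusers, /etc/default/security and the group file; the function names, the sample accounts and addresses, and the group name suroot are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks on the files named in the thread.
# Each function takes the file path, so it can be pointed at a copy.

ftp_enabled() {      # true if inetd.conf has an uncommented ftp service line
    awk '$1 == "ftp" { f = 1 } END { exit !f }' "$1"
}
ftp_sec_rule() {     # print the inetd.sec rule for ftp, or "none"
    awk '$1 == "ftp" { $1 = ""; sub(/^ +/, ""); print; hit = 1; exit }
         END { if (!hit) print "none" }' "$1"
}
ftp_denied() {       # true if user $2 is listed in ftpusers (listed = refused)
    awk -v u="$2" '$1 == u { f = 1 } END { exit !f }' "$1"
}
su_root_group() {    # print the group from the last active SU_ROOT_GROUP= line
    sed -n 's/^[[:space:]]*SU_ROOT_GROUP=\([^[:space:]#]*\).*/\1/p' "$1" | tail -1
}
in_group() {         # true if user $3 is a listed member of group $2 in file $1
    awk -F: -v g="$2" -v u="$3" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) f = 1 } END { exit !f }' "$1"
}

make_sample() {      # write constructed sample files, print their directory
    d=${TMPDIR:-/tmp}/ftpaudit.$$
    mkdir -p "$d" || return 1
    printf '%s\n' '#ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l' \
        'telnet stream tcp nowait root /usr/lbin/telnetd telnetd' > "$d/inetd.conf"
    printf '%s\n' 'ftp allow 10.1.1.* 10.1.2.5' > "$d/inetd.sec"
    printf '%s\n' 'root' 'appuser' > "$d/ftpusers"
    printf '%s\n' '#SU_ROOT_GROUP=root' 'SU_ROOT_GROUP=suroot' > "$d/security"
    printf '%s\n' 'suroot::120:alice,bob' > "$d/group"
    echo "$d"
}

report() {           # summarise one directory of copies; $2 is the user to check
    if ftp_enabled "$1/inetd.conf"; then echo "ftp service: enabled"
    else echo "ftp service: no active line in inetd.conf"; fi
    echo "inetd.sec ftp rule: $(ftp_sec_rule "$1/inetd.sec")"
    ftp_denied "$1/ftpusers" "$2" && echo "$2: refused by ftpusers"
    g=$(su_root_group "$1/security")
    [ -n "$g" ] && in_group "$1/group" "$g" "$2" && echo "$2: may su to root via $g"
    return 0
}

S=$(make_sample) && report "$S" alice && rm -rf "$S"
```

`in_group` reads only the member list in the group file, so an account whose primary group (the GID in its passwd entry) is the SU_ROOT_GROUP group is not reported.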