Operating System - HP-UX

anonymous ftp access to a trusted system (UX11i)

thijs lankhorst_1
Frequent Advisor


Hi, I am trying to restrict anonymous FTP access on our 11i servers at work and know that I can set up a user.deny file in /etc/ftpd, but thought that this was impossible on a trusted system anyway. However, I can log on to the server using anonymous as uid/pw and then only get the following 3 files from the root dir when issuing mget *: etc/passwd, etc/group and bin/ls. This seems odd, and I was wondering why I am able to log on as anonymous in the first place and, secondly, why I am only able to get the above 3 files (which seem to be the files most wanted for security issues)? Can anybody enlighten me on the above? Much appreciated.
Chris Wilshaw
Honored Contributor
Solution

Re: anonymous ftp access to a trusted system (UX11i)

Thijs,

The following is taken from the ftpd man page:

In order to permit anonymous FTP, there must be an entry in the passwd(4) database for an account named ftp. The password field should be *, the group membership should be guest, and the login shell should be /usr/bin/false. For example (assuming the guest group ID is 10):

ftp:*:500:10:anonymous ftp:/home/ftp:/usr/bin/false

The anonymous FTP directory should be set up as follows:

~ftp The home directory of the FTP account should be owned by user root and mode 555 (not writable). Since ftpd does a chroot() to this directory, it must have the following subdirectories and files:

~ftp/usr/bin This directory must be owned by root and mode 555 (not writable). The file /sbin/ls should be copied to ~ftp/usr/bin. This is needed to support directory listing by ftpd. The command should be mode 111 (executable only). If the FTP account is on the same file system as /sbin, ~ftp/usr/bin/ls can be a hard link, but it may not be a symbolic link, because of the chroot(). The command must be replaced when the system is updated.

~ftp/etc This directory must be owned by root and mode 555 (not writable). It should contain versions of the files passwd and group. See passwd(4) and group(4). These files must be owned by root and mode 444 (readable only). These files must be present for the LIST command to be able to produce owner names rather than numbers.

~ftp/etc/passwd This file should contain entries for the ftp user and any other users who own files under the anonymous FTP directory. Such entries should have * for passwords. Group IDs must be listed in the anonymous FTP group file, ~ftp/etc/group. The path names of home directories in ~ftp/etc/passwd must be with respect to the anonymous FTP home directory.

~ftp/etc/group This file should contain the group names associated with any group IDs in file ~ftp/etc/passwd and any group IDs of files in the anonymous FTP subdirectories.

~ftp/pub (optional) This directory is used by anonymous FTP users to deposit files on the system. It should be owned by user ftp and should be mode 777 (readable and writable by all).

~ftp/dist (optional) Directories used to make files available to anonymous ftp users should be mode 555 (not writable), and any files to be distributed should be owned by root and mode 444 (readable only) so that they cannot be modified or removed by anonymous FTP users.
thijs lankhorst_1
Frequent Advisor

Re: anonymous ftp access to a trusted system (UX11i)

all done