another ftp question

Ron Irving
Trusted Contributor

another ftp question

Ok...I'm going to re-ask this differently. Currently our /etc/passwd file contains the line for ftpuser:

ftpuser:o7dtD1r0FnNaM:113:113:,,,:/trans/./:/usr/bin/rsh

ftpuser logs in, and gets dropped in the /trans directory - no way up (good), no way down (bad)

We wish the ftpuser to have access to the subdirectories of /trans, but nothing above it, (/etc, /usr, etc.)

Any ideas?
Should have been an astronaut.
Michal Kapalka (mikap)
Honored Contributor

Re: another ftp question

hi,

Use vsftpd instead of the default ftp server in HP-UX.

mikap
Rick Garland
Honored Contributor

Re: another ftp question

There is DocId: KBRC00008355 that details setting up a restricted FTP server on HPUX. This is somewhat old and you may want to look for a newer doc.

In the above doc it has the FTP user set with a shell of /usr/bin/false.

My choice now is vsftpd.

Mel Burslan
Honored Contributor

Re: another ftp question

What is the ownership of /trans and what are the permissions? i.e., the output of:

ll -d /trans
________________________________
UNIX because I majored in cryptology...
Ron Irving
Trusted Contributor

Re: another ftp question

drwxrwxrwx 71 root ftpuser 16384 Jun 9 12:22 /trans/

So, that shouldn't be an issue, should it?
Should have been an astronaut.
Michal Kapalka (mikap)
Honored Contributor

Re: another ftp question

hi,

I think this is a transport directory from SAP.

You should add, for the ftp user, the group that belongs to the SAP user under which SAP is running, because SAP creates some transactions under this user.

mikap
Ron Irving
Trusted Contributor

Re: another ftp question

No SAP running on this server. Intersystems Cache. Run for the hills.
Should have been an astronaut.
Steven Schweda
Honored Contributor

Re: another ftp question

> Ok...I'm going to re-ask this differently.

Different is not always better.

> Currently our /etc/passwd file [...]

Is that all the configuration you've done?
What about ftpaccess?

> [...] no way down (bad)

What, exactly, does this mean? What, exactly, fails? /usr/bin/rsh does restrict "cd" operation. "man sh-bourne":

[...] The cd command cannot be executed by rsh.

Perhaps /usr/bin/rsh was not the ideal choice here.

Did you read up on guest accounts?
Ron Irving
Trusted Contributor

Re: another ftp question

No way down means I cannot get to the subdirectories of /trans. Currently, our business users that use this directory use an ftp client, (Cute FTP.) Using that, when they login, they are at the /trans directory, but they can go anywhere on the system, up to root, or /etc, or /usr, and down to the subdirectory level of /trans. We need to put a stop to regular users accessing the / directory. That's a disaster waiting to happen.
Should have been an astronaut.
Michal Kapalka (mikap)
Honored Contributor
Solution

Re: another ftp question

hi,

Disable the default HP-UX ftp server and install vsftpd. There are a lot of options for configuring it, including an option so that the user can stay only in his home directory.

mikap
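The vsftpd option mikap is referring to is chroot_local_user. The script below is an added example, not code from the thread or from the vsftpd project: it reads a vsftpd.conf and reports whether local users are confined to their home directory. It assumes the config path is given as the first argument, that the option names are the documented vsftpd ones (chroot_local_user, chroot_list_enable, chroot_list_file, allow_writeable_chroot), that an option absent from the file has vsftpd's default of NO, and, as a choice of this script rather than a statement about vsftpd, that the last occurrence of a repeated option wins. Current vsftpd releases refuse a session whose chroot root is writable unless allow_writeable_chroot=YES is set, which matters for a directory like /trans that the ftp user must upload into, so the script distinguishes that case.

```shell
#!/bin/sh
# Added example, not code from the thread or from the vsftpd project.
# Reports whether a vsftpd.conf confines local users to their home
# directory. Assumptions: config path is $1; option names are the
# documented vsftpd ones; an option missing from the file means vsftpd's
# default NO; a repeated option is resolved to its last occurrence
# (this script's choice, not a claim about vsftpd's own parsing).

# Print the value of option $2 in file $1, or the default $3 when unset.
# Commented-out lines and surrounding whitespace are ignored.
vsftpd_opt() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Classify the chroot posture:
#   confined           chroot_local_user=YES; the home must not be writable
#   confined-writable  chroot_local_user=YES with allow_writeable_chroot=YES
#   unconfined         users may cd anywhere the file permissions allow
vsftpd_chroot_state() {
    case "$(vsftpd_opt "$1" chroot_local_user NO)" in
        YES|yes)
            case "$(vsftpd_opt "$1" allow_writeable_chroot NO)" in
                YES|yes) echo confined-writable ;;
                *)       echo confined ;;
            esac
            ;;
        *) echo unconfined ;;
    esac
}

# One-line report; returns 1 when local users are unconfined.
# chroot_list_file holds the users that get the opposite of the
# chroot_local_user setting, so it is worth showing when enabled.
vsftpd_report() {
    state=$(vsftpd_chroot_state "$1")
    printf '%s: %s' "$1" "$state"
    case "$(vsftpd_opt "$1" chroot_list_enable NO)" in
        YES|yes)
            printf ' (listed users in %s get the opposite treatment)' \
                "$(vsftpd_opt "$1" chroot_list_file /etc/vsftpd.chroot_list)"
            ;;
    esac
    printf '\n'
    [ "$state" != unconfined ]
}

# Usage: sh vsftpd_check.sh /etc/vsftpd.conf
if [ $# -gt 0 ]; then
    vsftpd_report "$1"
fi
```

On a system where the file lives at /etc/vsftpd/vsftpd.conf, pass that path instead; the script only reads the file it is given.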
Mel Burslan
Honored Contributor

Re: another ftp question

Ron,

This, i.e., setting up chroot'ed environments, is not my forte, but when you set up an account and jail it to a certain directory, anything that is not internal to the shell, will be non-existent to the user. Also the restricted shell might come into play and not allow the user to perform certain functions. I am not sure how well a chroot'ed account plays with a restricted shell if they play at all. You might have to create a bin directory under this jailed directory and place the command executables by copying them from the default OS location into this bin directory for the ftponly user to use. Again, most of what I am telling you here is common sense. I have not set up a chrooted account for a long time myself.

Hope this helps a little.
________________________________
UNIX because I majored in cryptology...
Ron Irving
Trusted Contributor

Re: another ftp question

I will put this on the back burner until tomorrow...my eyes hurt ;)

I have downloaded vsftpd, and will put into the development system tomorrow...hopefully no one will mass at my door with torches and pitchforks.

Stay tuned.
Should have been an astronaut.
Steven Schweda
Honored Contributor

Re: another ftp question

> I have downloaded vsftpd [...]

You may be working harder than you need to.

> [...] We need to put a stop to regular
> users accessing the / directory. [...]

That's what a guest account is intended to do. Reading the documentation can be very enlightening. Honest.

alp $ ftp dy
220 dy.antinode.info FTP server (Version 1.1.214.4(PHNE_36129) Mon Apr 23 13:44:14 GMT 2007) ready.
Connected to dy.antinode.info.
Name (dy.antinode.info:sms): ftpg01
331 Password required for ftpg01.
Password:
230 User ftpg01 logged in. Access restrictions apply.
FTP> pwd
257 "/" is current directory.
FTP> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 0
drwxr-xr-x 3 2 2 96 Jun 9 15:24 usr

226 Transfer complete.
72 bytes received in 00:00:00.00 seconds (70.31 Kbytes/s)
FTP> put hpux.txt
200 PORT command successful.
150 Opening ASCII mode data connection for hpux.txt.
226 Transfer complete.
local: ALP$DKA0:[SMS.HPUX]HPUX.TXT;9 remote: hpux.txt
3443 bytes sent in 00:00:00.00 seconds (3362.30 Kbytes/s)
FTP> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 16
-rw-r----- 1 501 501 3305 Jun 9 15:45 hpux.txt
drwxr-xr-x 3 2 2 96 Jun 9 15:24 usr

226 Transfer complete.
141 bytes received in 00:00:00.00 seconds (137.70 Kbytes/s)
FTP> mkdir new_dir
257 MKD command successful.
FTP> cd new_dir
250 CWD command successful.
FTP> put hpc.txt
200 PORT command successful.
150 Opening ASCII mode data connection for hpc.txt.
226 Transfer complete.
local: ALP$DKA0:[SMS.HPUX]HPC.TXT;2 remote: hpc.txt
526 bytes sent in 00:00:00.00 seconds (513.67 Kbytes/s)
FTP> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 16
-rw-r----- 1 501 501 507 Jun 9 15:45 hpc.txt

226 Transfer complete.
77 bytes received in 00:00:00.00 seconds (75.20 Kbytes/s)
FTP> pwd
257 "/new_dir" is current directory.
FTP> cd /
250 CWD command successful.
FTP> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 16
-rw-r----- 1 501 501 3305 Jun 9 15:45 hpux.txt
drwxr-x--- 2 501 501 96 Jun 9 15:45 new_dir
drwxr-xr-x 3 2 2 96 Jun 9 15:24 usr

226 Transfer complete.
208 bytes received in 00:00:00.00 seconds (203.13 Kbytes/s)
FTP> quit
221 Goodbye.
alp $

I can't easily run CuteFTP here, but a Mozilla-like Web browser seems to like it well enough, and it's firmly stuck in its own directory tree (really: "/home/ftpg01", apparently: "/").