
/etc/ftpaccess file question

 
Ronelle van Niekerk
Regular Advisor

/etc/ftpaccess file question

If I place an entry for a user in the ftpaccess file can I still use the -u option in inetd.conf?
Or will we have to place another entry in the ftpaccess file for all the other users?

We only want to restrict one user and leave all the others the way they are now.
rm -r /it/managers
Con O'Kelly
Honored Contributor

Re: /etc/ftpaccess file question

Hi

If you only want to restrict 1 user & it's a simple scenario, then I think you can add that username to /etc/ftpd/ftpusers file.
See man ftpusers.

This will ensure that the user cannot login using ftp.

Cheers
Con
Ronelle van Niekerk
Regular Advisor

Re: /etc/ftpaccess file question

I want to restrict the user's access, not ban the user completely.
rm -r /it/managers
Rajeev  Shukla
Honored Contributor

Re: /etc/ftpaccess file question

For restricting users from doing ftp, the file is /etc/ftpusers in 10.20, and in 11.x it's /etc/ftpd/ftpusers

All the users you put in that file (/etc/ftpd/ftpusers) will no longer have access to ftp on this server.

Rajeev
Ronelle van Niekerk
Regular Advisor

Re: /etc/ftpaccess file question

Let me clarify:

We want to "restrict" this specific user to one directory and make sure the file has specific permissions.

I know the line for this in /etc/ftpd/ftpaccess, my question is:

If I insert this line for the user do I have to add another line for all the other users that we do not want to "restrict" or can we leave the ftp line in inetd.conf as is with the extra -a option?
rm -r /it/managers
twang
Honored Contributor

Re: /etc/ftpaccess file question

I prefer using the /var/adm/inetd.sec file to specify what ip address can use ftp,
sample entry is as follows:
ftp allow 192.1.168.46 192.1.169
Michael Tully
Honored Contributor

Re: /etc/ftpaccess file question

Your best bet is to set the user as being a restricted user with a restricted shell and not utilising anonymous. Changing the ftpaccess file I am fairly sure is not going to make any difference.

e.g.
# useradd -u 2020 -g users -d /home/userx -s /usr/bin/rksh -c "restricted user" -m userx
Anyone for a Mutiny ?
twang
Honored Contributor

Re: /etc/ftpaccess file question

Steps to create a restricted user with a restricted shell:

1. cp /usr/newconfig/etc/ftpd/ftpaccess /etc/ftpd/ftpaccess

2. create a group for ftp users called ftpgrp

3. create the new ftp user ftpuser and restrict home to /home/ftpuser

# useradd -m -d /home/ftpuser -s /usr/bin/false -g ftpgrp ftpuser

4. add the /usr/bin/false

5. edit /etc/inetd.conf file:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a

6. edit /etc/passwd file:
ftpuser:xxxxxxxxxx:1000:1000::/home/ftpuser/./:/usr/bin/false

7. # inetd -c
Ronelle van Niekerk
Regular Advisor

Re: /etc/ftpaccess file question

I already know the line to add to ftpaccess to make this work and it WILL work, I have tested it on a test machine.
If you really want to know, this is the line I will be adding:
upload /user/home/dir /dir/to/upload yes username group 037

It works. The files get uploaded with the umask of 037.

All I want to know is:
Can I keep my inetd.conf ftp line as is:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -u007 -t7200
and just add a -a option to read the ftpaccess file?

Or must I change the line to:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a
and add another line to ftpaccess for all the other users (for whom I would like to have a umask of 007)?

I don't want to tie down ip addresses.
I don't want to ban any users.
rm -r /it/managers
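
A small checker for the ftp line in inetd.conf, added here as an example and not code from any poster in this thread: it verifies the field order and reports which ftpd options are set. It assumes the option meanings used in the thread (-a reads ftpaccess, -u sets the umask, -t sets the timeout) and the usual rule that a new file gets mode 0666 masked by the umask; `parse_ftp_entry` is a hypothetical helper name.

```python
import shlex

SOCKET_TYPES = {"stream", "dgram"}
PROTOCOLS = {"tcp", "udp", "tcp6", "udp6"}

def parse_ftp_entry(line):
    """Parse one inetd.conf ftp entry and report field-order problems and ftpd options."""
    fields = shlex.split(line, comments=True)
    if len(fields) < 7 or fields[0] != "ftp":
        raise ValueError("not a complete ftp service entry")
    _service, sock, proto, _wait, _user, _server, *argv = fields
    problems = []
    # inetd.conf order: service, socket type, protocol, wait, user, server, args
    if sock in PROTOCOLS and proto in SOCKET_TYPES:
        problems.append("socket type and protocol are swapped")
    elif sock not in SOCKET_TYPES or proto not in PROTOCOLS:
        problems.append("unrecognised socket type or protocol")
    opts = {"ftpaccess": False, "umask": None, "timeout": None}
    args = iter(argv[1:])  # argv[0] is the program name ("ftpd")
    for arg in args:
        if arg == "-a":
            opts["ftpaccess"] = True
        elif arg[:2] in ("-u", "-t"):
            # Accept both the attached form (-u007) and the separated form (-u 007)
            value = arg[2:] or next(args, "")
            if arg[1] == "u":
                opts["umask"] = int(value, 8)
            else:
                opts["timeout"] = int(value)
    # Assumption: default permissions of a new file are 0666 & ~umask
    mode = None if opts["umask"] is None else 0o666 & ~opts["umask"]
    return {"problems": problems, "options": opts, "file_mode": mode}

if __name__ == "__main__":
    samples = [
        "ftp stream tcp nowait root /usr/lbin/ftpd ftpd -u007 -t7200",     # quoted in the thread
        "ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -u007 -t7200",  # constructed: both options
        "ftp tcp stream nowait root /usr/lbin/ftpd ftpd -a",               # constructed: fields swapped
    ]
    for s in samples:
        r = parse_ftp_entry(s)
        mode = "n/a" if r["file_mode"] is None else oct(r["file_mode"])
        print(s, "->", r["problems"] or "ok", r["options"], "file mode", mode)
```
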