
ftp access directory restriction on 10.20

 
Robert Hoey
Advisor


Good morning all.

I need to create two users that can ftp into the system (10.20) and only see one directory. I don't want them to be able to move around in the system at all. They only need to see if their files are in the one directory that they have access to.

I've read a lot on restricted shell, but I've also seen some info on ftpaccess. In 10.20, what is the best way to do this?

Thanks in advance.
-Rob
Marcel Boon
Trusted Contributor

Re: ftp access directory restriction on 10.20

Hi,

To configure FTP look at:
http://docs.hp.com/hpux/onlinedocs/B2355-90685/B2355-90685.html

regards,

MB
See the man pages
Rita C Workman
Honored Contributor

Re: ftp access directory restriction on 10.20

Take a look at this thread...it provides a couple things you can do.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0xd5ab53921f1ad5118fef0090279cd0f9,00.html

Regards,
Rita
LB4
Valued Contributor

Re: ftp access directory restriction on 10.20

You need to set up the user to chroot.

Here is the info you needed in order to create a "guest login".

How to setup Guest accounts

There are three kinds of logins provided WU-FT:
* anonymous FTP
* real FTP
* guest FTP

Guest accounts require explicit user entries in the system /etc/passwd
file but perform a chroot to a designated directory, thus maintaining
security and integrity.

Steps to be followed:

1. Make the edits to the /etc/passwd file by adding users:

ftpguest:4rL2HZkDatENY:505:125::/home/ftp/ftpguest/./:/usr/bin/false

'.' is the delimiter to determine where the chroot will be performed. In
this example, after logging in '/' will in effect be /home/ftp/ftpguest.
If the delimiter was placed between ftp and ftpguest then '/' would be
/home/ftp. ftpguest was used as the account name in this example, but you
could use any name you like.

2. /usr/bin/false will have to be added to the /etc/shells file.
See man(4) shells for further details

3. Make the edits to the /etc/group file

ftpgroup::125:ftpguest

- Create and set the permissions and ownership for the directory
(/home/ftp/ftpguest) to what suits you best.

4. Add an entry into the ftpaccess file. This file will most probably have
to be copied from the /usr/newconfig/etc/ftpd/ftpaccess to
/etc/ftpd/ftpaccess.

Add a guestgroup entry (in the /etc/ftpd/ftpaccess file) to allow a group
of users to be treated as 'guests'. This entry will correspond to the entry
in the /etc/group file. Here is a sample of the ftpaccess file to use guest
groups.

# specify which group of users will be treated as "guests".
guestgroup ftpgroup

5. Edit the /etc/inetd.conf file and add the '-a' option to enable ftpd to
use the ftpaccess file. Here is an example:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

You will need to reconfigure inetd by running /usr/sbin/inetd -c to
reread the /etc/inetd.conf file after making the change.

6. Since this is similar to anonymous FTP in the respect that you are in a
chrooted area (the path to / is different than on your system) you will
also have to replicate the /usr/bin and /etc directories. The easiest way
to do this is to use SAM to create an anonymous FTP setup and then replicate
the /etc & /usr/bin directories into your ftp guest root directory. Here
is an example of how you would replicate the ~ftp/usr and ~ftp/etc directory
to your new ftp guest directory. We use the ftpguest user in this example.

cp -R ~ftp/usr ~ftpguest/usr
cp -R ~ftp/etc ~ftpguest/etc

At this point you should have the files and programs needed for your
ftpguest user.

** This is dependent upon where the '.' delimiter has been positioned. If
the delimiter is positioned prior to the ftp username then only the root
directory (/home/ftp) needs to contain a /usr & /etc directory structure.
If the delimiter is placed post the username then each individual user
will require this directory structure.

** NOTE: When providing the 'ls' command, use /sbin/ls, not /usr/bin/ls.

7. Another thing I noticed is that you must touch the file
/etc/ftpd/ftpgroups. If you do not, you will see messages in syslog.log
indicating that ftpd could not stat this file.
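
The seven steps in the reply above can be checked mechanically before a guest account goes live. The POSIX shell functions below are an added example, not part of the original post or any HP tool; the function names and the ROOT prefix argument are assumptions of this example, and group membership is tested only through the member list in /etc/group, as step 3 shows it.

```shell
#!/bin/sh
# Added example: audit a WU-FTPD guest-FTP setup against steps 1-7 above.
# ROOT (2nd argument, an assumption of this script) prefixes every path so a
# staged copy can be checked; leave it empty to check the live system.

# chroot_of HOME: print the part of a passwd home field before the "/./"
# delimiter (the directory ftpd chroots to); fail if there is no delimiter.
chroot_of() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     return 1 ;;
    esac
}

# in_guestgroup USER ROOT: succeed if USER is listed as a member of an
# /etc/group entry that a "guestgroup" line in ftpaccess names.
in_guestgroup() {
    for g in $(awk -F: -v u="$1" '{ n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2/etc/group" 2>/dev/null); do
        awk -v g="$g" '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
            END { exit !ok }' "$2/etc/ftpd/ftpaccess" 2>/dev/null && return 0
    done
    return 1
}

# check_guest USER [ROOT]: print one line per problem; return the problem count.
check_guest() {
    user=$1 root=${2:-} bad=0
    note() { echo "$user: $*"; bad=$((bad + 1)); }
    entry=$(grep "^$user:" "$root/etc/passwd") || { note "no passwd entry"; return "$bad"; }
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)
    if jail=$(chroot_of "$home"); then
        for d in usr/bin etc; do
            [ -d "$root$jail/$d" ] || note "chroot $jail lacks /$d (step 6)"
        done
    else
        note "home '$home' has no /./ delimiter, so no chroot (step 1)"
    fi
    grep -qxF "$shell" "$root/etc/shells" 2>/dev/null || note "$shell not in /etc/shells (step 2)"
    in_guestgroup "$user" "$root" || note "not in any guestgroup (steps 3-4)"
    awk '$1 == "ftp" { for (i = 8; i <= NF; i++) if ($i == "-a") ok = 1 }
        END { exit !ok }' "$root/etc/inetd.conf" 2>/dev/null || note "ftpd lacks -a (step 5)"
    [ -f "$root/etc/ftpd/ftpgroups" ] || note "/etc/ftpd/ftpgroups missing (step 7)"
    return "$bad"
}

if [ "$#" -gt 0 ]; then check_guest "$@"; fi
```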
Shannon Petry
Honored Contributor

Re: ftp access directory restriction on 10.20

In order to do this, you need an ftp server that can chroot. To do this, you will need wu-ftpd available in hp-ux 11x, and from the hp porting center for 10.20.

If you need help on configuring wu_ftpd, see my doc at "http://www.invenioeng.com/systems/ftpd_faq.html"

Regards,
Shannon
Microsoft. When do you want a virus today?
Robert Hoey
Advisor

Re: ftp access directory restriction on 10.20

Where can I get wu-ftpd (www.wu-ftpd.org or the porting center for HP-UX 10.20????)?

And does anyone know where HP-UX 10.20 wu-ftpd installation instructions can be found?

Thanks.