
FTP access only

 
patrick coutinho
Frequent Advisor

FTP access only

Hi,

A query: if a user has ftp access only (no telnet access), he can still ftp a .profile file of his own creation to his own directory and then get FULL privileges. That's true, is it not? Any ideas on how to address this security issue?

Thanks & Rgds

Pat
10 REPLIES
Joseph Loo
Honored Contributor

Re: FTP access only

hi,

that is possible only if you allow him to ftp it to his/her home directory as well as more than read permission for the .profile file.

however, since telnet is not available by causing an exit every time the user tries to telnet, i am unsure how he/she is able to get FULL privileges.

regards.
what you do not see does not mean you should not believe
Geoff Wild
Honored Contributor

Re: FTP access only

Privileges aren't controlled by .profile - no matter what they put in it, they can't change their shell from /etc/passwd....


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Mark Grant
Honored Contributor

Re: FTP access only

Even if there were something in the .profile, for example an environment variable or something that controlled access to some software somewhere, they still wouldn't be able to overwrite their own .profile IF you remove write access from it.

A user does not need write access to their .profile
Never precede any demonstration with anything more predictive than "watch this"
Jeff_Traigle
Honored Contributor
Solution

Re: FTP access only

Depends how you're denying telnet access. If you're doing it correctly and have their shell set to /usr/bin/false, then them overwriting their .profile is irrelevant as Geoff alluded.

However, the comments about making sure .profile is read only or not owned by the user to disallow overwriting it anyway aren't quite accurate, I think. Wouldn't this be the same as users being able to overwrite their .profile in a telnet session? This is controlled by the home directory permissions, not the .profile permissions, right? Unless you want to block people from uploading files to their home directories on the server entirely by doing that, I don't think you can protect the .profile that way.
--
Jeff Traigle
Rodney Hills
Honored Contributor

Re: FTP access only

If a user only needs ftp access, then set their shell to "/usr/bin/false" in /etc/passwd.

ftp will still work, but they won't be able to login via telnet.

HTH

-- Rod Hills
There be dragons...
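
An added example, not part of any reply in this thread: a small audit that applies the two checks discussed above to a passwd-format file, reporting whether each FTP-only account has `/usr/bin/false` as its shell and whether its home directory carries the owner write bit that lets `.profile` be replaced regardless of the file's own mode. The names `audit_ftp_only` and `demo`, the accounts `alice`, `bob` and `carol`, and the temporary paths are constructed for illustration; the check assumes each user owns their home directory.

```shell
# Added example, not from the thread. Assumes each user owns their home directory.
# Usage: audit_ftp_only PASSWD_FILE USER...   -> prints user:shell-status:home-status
audit_ftp_only() {
    passwd_file=$1; shift
    for user in "$@"; do
        # passwd fields: name:pw:uid:gid:gecos:home:shell
        entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7; exit }' "$passwd_file")
        if [ -z "$entry" ]; then
            echo "$user:NO_SUCH_USER:-"
            continue
        fi
        home=${entry%%:*}
        shell=${entry#*:}
        # With /usr/bin/false as the shell no login shell starts, so .profile is never read.
        if [ "$shell" = "/usr/bin/false" ]; then
            shell_status=NOLOGIN
        else
            shell_status="LOGIN_SHELL($shell)"
        fi
        # Replacing .profile needs write permission on the directory, not on the file,
        # so look at the owner write bit of the home directory (3rd character of the mode).
        case $(ls -ld "$home" 2>/dev/null | cut -c3) in
            w) home_status=PROFILE_REPLACEABLE ;;
            -) home_status=HOME_NOT_WRITABLE ;;
            *) home_status=HOME_MISSING ;;
        esac
        echo "$user:$shell_status:$home_status"
    done
}

# Constructed sample data: two accounts with throwaway home directories.
demo() {
    tmp=${TMPDIR:-/tmp}/ftp_audit.$$
    mkdir -m 700 "$tmp" || return 1
    mkdir "$tmp/alice" "$tmp/bob"
    chmod 755 "$tmp/alice"   # owner-writable home
    chmod 555 "$tmp/bob"     # home without owner write
    cat > "$tmp/passwd" <<EOF
alice:*:201:20:FTP only:$tmp/alice:/usr/bin/false
bob:*:202:20:FTP only:$tmp/bob:/usr/bin/sh
EOF
    audit_ftp_only "$tmp/passwd" alice bob carol
    chmod 755 "$tmp/bob"
    rm -rf "$tmp"
}

demo
```

An account reported as `LOGIN_SHELL(...)` together with `PROFILE_REPLACEABLE` is the combination the original question describes; `NOLOGIN` makes the `.profile` contents irrelevant.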
patrick coutinho
Frequent Advisor

Re: FTP access only

Thanks everyone for those thoughts. Very valuable to me. This forum is really super.

Rgds

Pat
generic_1
Respected Contributor

Re: FTP access only

If possible in your environment, I would suggest turning off ftp and telnet and implementing scp/ssh :). This way unencrypted passwords are not going across your network. Just my two cents. Also does not hurt to define the ftpaccess file when using ftp.
patrick coutinho
Frequent Advisor

Re: FTP access only

Thanks Jeff
Joseph Loo
Honored Contributor

Re: FTP access only

hi patrick,

any reason why jeff gets the points and we get none???

regards.
what you do not see does not mean you should not believe
patrick coutinho
Frequent Advisor

Re: FTP access only

I am sorry guys. Did not mean to offend anyone. I thought I had already assigned points to everyone before the last reply. My mistake. Must be something with browser. My apologies. Points assigned.

Many thanks once again to everyone.

Rgds

Pat