
FTP access to /etc

Gram Ludlow
Frequent Advisor

FTP access to /etc

I'm trying to tighten security on a pure HP-UX network with a mix of 10.20 and 11.00 computers. I'm trying to restrict access from user accounts to certain directories, specifically /etc and potentially sensitive directories, through FTP access. We use the default FTP server that comes with HP-UX. Is there a way to set directory permissions for FTP groups and/or users?
Turning and turning in the widening gyre,
Rita C Workman
Honored Contributor

Re: FTP access to /etc

We found, to restrict FTP access on one server (where we set files for folks to get/put), what was done here is for 11.0. We set up the ftpaccess file and basically gave them guest privileges.
In their /etc/passwd home account I locked them in by adding the ./ at the end of /home/user123; this keeps them from doing a cd (up) out of their home directory:

user123:uid:gid:..../home/user123/./:/usr/sbin/rksh

Just for extra network security issues... I did a quickie script where I look for any .rhosts, .netrc, etc. files under accounts where they shouldn't be and remove them.

But others may have something you like... this is kind of like an anonymous ftp, except we require login IDs and passwords; we don't allow anonymous logins.
Mark van Silfhout
Trusted Contributor

Re: FTP access to /etc

You can't specify which directories may be seen or not on a user level. However, you can restrict ftp users to their own home directory (which they see as the root volume of the system).
If a real user is a member of any of groupname, the session is set up exactly as with anonymous FTP. In other words, a chroot() is done, and the user is no longer permitted to issue the USER and PASS commands. groupname is a valid group from /etc/group (or whatever mechanism your getgrent() library routine uses).
The user's home directory must be properly set up, exactly as anonymous FTP would be. The home directory field of the passwd entry is divided into two directories. The first field is the root directory which will be the argument to the chroot call.
The second half is the user's home directory relative to the root directory. The two halves are separated by a /./.
See the man page ftpaccess(4).
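The two replies above describe the same mechanism from two sides: the /./ marker in the passwd home field and the guestgroup chroot that uses it. The script below is an added example (not code from this thread or from HP's ftpd) that splits the home field the way the replies describe and reports, for every user that a guestgroup directive would treat as a guest, where the chroot lands. It assumes a guest user is one whose primary group is the named group or who is listed in that group's member list; the passwd and group lines are constructed samples, and the function names are mine.

```python
"""Check wu-ftpd guest-group chroot setup from passwd and group data.

Added example, not from the thread. Assumes the semantics described in
the replies: the passwd home field is split at '/./' into the chroot
root and the home directory relative to that root, and a user is a
guest if the group named in a guestgroup directive is the user's
primary group or lists the user as a member (an assumption about
wu-ftpd). All sample data below is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample /etc/passwd content (not from a real system).
SAMPLE_PASSWD = """\
root:*:0:3::/:/sbin/sh
user123:*:201:120:guest:/home/user123/./:/usr/sbin/rksh
alice:*:202:120:guest:/home/alice:/usr/bin/sh
bob:*:203:20:staff:/home/bob:/usr/bin/ksh
carol:*:204:20:guest via member list:/ftp/./pub/carol:/usr/bin/false
dave:*:205:120:misconfigured guest:/:/usr/bin/sh
"""

# Constructed sample /etc/group content.
SAMPLE_GROUP = """\
sys::3:root
users::20:bob,carol
ftponly::120:carol
"""


def split_ftp_home(home: str) -> Tuple[str, str]:
    """Split a home field at '/./' the way wu-ftpd does for guest users.

    Returns (chroot_root, home_relative_to_root). Without a '/./' marker
    the whole home directory becomes the chroot root and the relative
    home is '/'.
    """
    marker = "/./"
    idx = home.find(marker)
    if idx == -1:
        return (home.rstrip("/") or "/", "/")
    root = home[:idx] or "/"
    rel = home[idx + len(marker):].strip("/")
    return (root, "/" + rel if rel else "/")


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd lines; lines that do not have 7 fields are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        rows.append({"name": fields[0], "gid": int(fields[3]),
                     "home": fields[5], "shell": fields[6]})
    return rows


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Map group name -> (gid, explicit member list)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            continue
        members = [m for m in fields[3].split(",") if m]
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def audit_guest_users(passwd_text: str, group_text: str,
                      guestgroups: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Report chroot root and relative home for every guest user.

    A root of '/' is flagged: the chroot then confines nothing, which is
    exactly the /etc exposure the original question is about.
    """
    groups = parse_group(group_text)
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for row in parse_passwd(passwd_text):
        name = str(row["name"])
        is_guest = False
        for gname in guestgroups:
            if gname not in groups:
                continue
            gid, members = groups[gname]
            if row["gid"] == gid or name in members:
                is_guest = True
        if not is_guest:
            continue
        root, rel_home = split_ftp_home(str(row["home"]))
        warning = None
        if root == "/":
            warning = "chroot root is '/', user is not confined"
        report[name] = {"root": root, "home": rel_home, "warning": warning}
    return report


if __name__ == "__main__":
    for user, info in audit_guest_users(SAMPLE_PASSWD, SAMPLE_GROUP, ["ftponly"]).items():
        flag = f"  WARNING: {info['warning']}" if info["warning"] else ""
        print(f"{user:8s} root={info['root']:14s} home={info['home']}{flag}")
```

Run against the sample data with guestgroup ftponly, it reports user123 and alice confined to their home directories, carol confined to /ftp with /pub/carol as her home, and dave flagged because a home of / makes the chroot a no-op.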
Christopher Caldwell
Honored Contributor
Solution

Re: FTP access to /etc

The default ftpd on 10.20 is unsophisticated.

ftpd on 11.x is a derivative of wu-ftpd:
http://www.wu-ftpd.org/

HP usually lags a bit behind the wu-ftpd development folks. Nonetheless, the 11.x version (wu-ftpd) uses an ftpaccess file that allows you to class users. Once users are classed, you can apply directives like noretrieve. Here's an excerpt from the man page (man ftpaccess):
noretrieve [absolute|relative|-] <filename> ...
Always deny retrieve-ability of these files. If the files are an
absolute path specification (i.e. begins with '/' character) then
only those files are marked un-gettable, otherwise all files
matching the filename are refused transfer. Example:

noretrieve /etc/passwd core

specifies no one will be able to get the file /etc/passwd whereas
they will be allowed to transfer a file `passwd' if it is not in
/etc. On the other hand no one will be able to get files named
`core' wherever it is.

Absolute path specifications ending with a slash ('/') are taken to
mean all files in the named directory are marked un-gettable.

The <filename> may be specified as a file glob, or regular expression.

The optional first parameter selects whether names are interpreted as
absolute or relative to the current chroot'd environment. The default
is to interpret names beginning with a slash as absolute.

As you can see, you can use the noretrieve directive to create your policy to limit access to different areas of the system.

The chroot technique mentioned in an earlier post is also very valuable.

We've replaced ftpd on our 10.20 servers with wu-ftpd.
We feel that the features of wu-ftpd are necessary for optimal security.
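To make the noretrieve semantics quoted above concrete, here is an added example (not from this thread and not wu-ftpd's own code) that parses noretrieve lines from a constructed ftpaccess excerpt and decides whether a requested path would be handed out. It models the three rules in the man page text: an absolute name denies only that file, an absolute name ending in a slash denies everything under that directory, and a relative name denies any file with that basename anywhere. Names are matched as shell globs; the regular-expression form the man page also mentions is not modelled, and the function names and sample rules are mine.

```python
"""Evaluate wu-ftpd noretrieve rules against a requested path.

Added example; implements the rules as quoted from the ftpaccess man
page in the reply above. Paths are taken as the server would see them
inside the user's chroot. Regular-expression names are not modelled
(assumption: globs only). The ftpaccess excerpt is constructed.
"""
import fnmatch
import posixpath
from typing import List

# Constructed ftpaccess excerpt, not a real server's file.
SAMPLE_FTPACCESS = """\
class   all   real,guest,anonymous  *
noretrieve /etc/passwd core
noretrieve absolute /etc/
noretrieve relative .rhosts .netrc *.key
"""


def parse_noretrieve(text: str) -> List[str]:
    """Collect the names listed on every noretrieve line.

    An optional leading 'absolute', 'relative' or '-' is accepted and
    dropped; as in the man page default, a name starting with '/' is
    treated as absolute and anything else as a relative name.
    """
    names: List[str] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "noretrieve":
            continue
        args = parts[1:]
        if args and args[0] in ("absolute", "relative", "-"):
            args = args[1:]
        names.extend(args)
    return names


def is_retrievable(path: str, rules: List[str]) -> bool:
    """Return False if any noretrieve rule denies `path`.

    The path is normalised first so that a request such as
    /pub/../etc/passwd is judged as /etc/passwd rather than slipping past
    an absolute rule on the literal text.
    """
    norm = posixpath.normpath(path)
    base = posixpath.basename(norm)
    for rule in rules:
        if rule.startswith("/"):
            if rule.endswith("/"):
                # Directory rule: every file at or below the directory.
                directory = posixpath.normpath(rule)
                prefix = directory.rstrip("/") + "/"
                if norm == directory or norm.startswith(prefix):
                    return False
            elif fnmatch.fnmatchcase(norm, rule):
                # Absolute file rule: only that path (glob allowed).
                return False
        elif fnmatch.fnmatchcase(base, rule):
            # Relative rule: matching basename anywhere in the tree.
            return False
    return True


def denied_files(paths: List[str], rules: List[str]) -> List[str]:
    """Convenience for auditing a listing: paths the policy would refuse."""
    return [p for p in paths if not is_retrievable(p, rules)]


if __name__ == "__main__":
    rules = parse_noretrieve(SAMPLE_FTPACCESS)
    sample_listing = ["/etc/passwd", "/etc/hosts", "/pub/passwd", "/pub/core",
                      "/pub/../etc/hosts", "/home/user123/.rhosts",
                      "/pub/server.key", "/pub/README"]
    for p in sample_listing:
        print(f"{p:24s} {'denied' if not is_retrievable(p, rules) else 'ok'}")
```

With only the man page's own example, noretrieve /etc/passwd core, the function denies /etc/passwd and any file named core but still allows /pub/passwd; adding the directory rule /etc/ closes the rest of /etc, which is the policy the original question asks for.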