Operating System - HP-UX

ftp access w/o shell access

 
Chris Little_1
Occasional Contributor

We are running 11.0 and want to set up an account with ftp-only access. Is this possible?
A. Clay Stephenson
Acclaimed Contributor

Re: ftp access w/o shell access

Hi Chris,

If I understand your question, you are trying to set up anonymous ftp. Man ftpd and it takes you through all the steps required.
If it ain't broke, I can fix that.
Chris Little_1
Occasional Contributor

Re: ftp access w/o shell access

No, it's for a particular user who doesn't need shell access.
MANOJ SRIVASTAVA
Honored Contributor

Re: ftp access w/o shell access

Hi Chris


Set up a normal user with ftp access, and in the .profile of the user please enter exit at the end so that whenever he makes a normal login he will never be able to get into the system, whereas he can just do ftp.

Manoj Srivastava
A. Clay Stephenson
Acclaimed Contributor

Re: ftp access w/o shell access

Hi again,

I understand now, and Manoj is close, but one problem is that the user can issue the '!' command within ftp to get to a shell. You need to do something like this within your user's .profile, or have your .profile (if setting up for more than 1 user) call a script which does this:

SHELL=/usr/bin/false
export SHELL
ftp
exit 0

You also need to make the .profile owned by root and not writable by this user so that he can't change the .profile. This too isn't quite foolproof because you probably would like the user to have write permission in his home directory for creating files. This would allow him to remove or replace his .profile. If he is not allowed write access in the home directory then you should be secure enough.

Regards, Clay
If it ain't broke, I can fix that.
Haitham Hamad
Regular Advisor

Re: ftp access w/o shell access

You can do the following:
1) vi /usr/bin/ftpshell
   type exit 0
   save file
2) Modify the user's shell to be /usr/bin/ftpshell
   You can use the usermod command or SAM
3) Edit the /etc/shells file and make sure it contains all shells that are used, including /usr/bin/ftpshell
4) Create a group ftponly or any other name
5) Make the user a member of that group
6) Edit /etc/ftpd/ftpaccess and check the group is specified on the guestgroup line
7) Edit /etc/inetd.conf and modify ftp to look like this
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l

Test the access

Hope this helps
Haitham
Deshpande Prashant
Honored Contributor

Re: ftp access w/o shell access

Hi,
On my system I have set up an ftp user id with the restricted shell "/usr/bin/rsh". This gives the user a login shell with restricted access.
If you don't want the ftp user to get a login shell, use Manoj's suggestion of putting "exit" at the end of the .profile of that user.

Thanks.
Prashant.
Take it as it comes.
MANOJ SRIVASTAVA
Honored Contributor

Re: ftp access w/o shell access

Hi Chris

I again agree with Clay, but you can always define rsh as the default shell; this would just restrict him to his home directory even in case he wants to run ! in an ftp session. Also, this with exit in .profile should do the magic.


Manoj Srivastava
Joseph Chakkery
Valued Contributor

Re: ftp access w/o shell access

Hello,

I think creating a normal user and putting exit as the last line of the .profile file of that user will solve your problem.

Regards
Joe.
Knowledge is wealth
Patrick Wallek
Honored Contributor

Re: ftp access w/o shell access

Why not just set the user's shell in the password file to /usr/bin/false, make sure that /usr/bin/false is in /etc/shells, and go from there? That way the user can ftp to the machine, but they have no real shell so they have no shell access.
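
An added example, not part of any reply in this thread: a small audit that checks the two conditions the replies combine, namely that the account's shell is a non-login program and that this program is listed in /etc/shells (ftpd refuses accounts whose shell is not listed there). The function names, the verdict words and the sample accounts are constructed for illustration; the passwd and shells files are read from paths you pass in.

```sh
#!/bin/sh
# Added example: classify an account as ftp-only, ftp-blocked or shell-access.
# NOLOGIN_SHELLS holds the two replacement shells named in the thread; treating
# exactly these as "no real shell" is an assumption of this example.
NOLOGIN_SHELLS="/usr/bin/false /usr/bin/ftpshell"

# in_shells SHELL FILE: succeed if SHELL is listed in FILE (comments ignored).
in_shells() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$2" | grep -Fqx -- "$1"
}

# classify USER PASSWD_FILE SHELLS_FILE: print a one-word verdict.
classify() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7; f = 1; exit }
                               END { exit !f }' "$2") \
        || { echo unknown-user; return 0; }
    # An empty shell field means the system default shell is used.
    [ -n "$shell" ] || { echo shell-access; return 0; }
    case " $NOLOGIN_SHELLS " in
        *" $shell "*) ;;                      # replacement shell: keep checking
        *) echo shell-access; return 0 ;;     # real or restricted login shell
    esac
    if in_shells "$shell" "$3"; then
        echo ftp-only       # no login shell, and ftpd will accept the account
    else
        echo ftp-blocked    # not in the shells file: ftpd refuses the login too
    fi
}

# make_sample DIR: write constructed passwd and shells files (not real data).
make_sample() {
    cat > "$1/passwd" <<'EOF'
ftpuser1:*:201:20:constructed:/home/ftpuser1:/usr/bin/false
ftpuser2:*:202:20:constructed:/home/ftpuser2:/usr/bin/ftpshell
chris:*:203:20:constructed:/home/chris:/usr/bin/sh
EOF
    cat > "$1/shells" <<'EOF'
# constructed sample
/usr/bin/sh
/usr/bin/false   # listed
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
for u in ftpuser1 ftpuser2 chris nosuchuser; do
    printf '%s: %s\n' "$u" "$(classify "$u" "$dir/passwd" "$dir/shells")"
done
rm -rf "$dir"
```

On a live system, call `classify USER /etc/passwd /etc/shells`; an ftp-blocked verdict means the replacement shell still has to be added to /etc/shells.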