SOLVED
Rafael Mendonça Braga
Regular Advisor

FTP account

Hello guys!!
I'm using HP-UX 11i.

I have a problem with FTP accounts. Let me try to explain:

- I have created an account called "financial";
- I want this account to have access to just one directory, for example "/tmp/xpto";
- The users are using this account through Reflection FTP Client;

This is the problem. When they use the Reflection FTP Client from a Windows station, they can get access to other directories and I don't want this... They can go to "/tmp", "/", "/tmp/xpto/abc" and it's not expected. They can do this just by clicking one button (Up One Level/Down One Level).

Do you know how can I create an account that restricts the users to one directory only?!

Thanks a lot,

Rafael M. Braga
Steven E. Protter
Exalted Contributor

Re: FTP account

The shell of the account in /etc/passwd should be /usr/bin/false

You are trying to set up chroot. The entry in the ftpaccess file must be wrong. Please post that entry.

If you change the ftpaccess file you will need to restart the inetd daemon for it to have effect.

Also note the Washington U ftpd server delivered with 11.11 is broken and requires a patch from http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=WUFTPD26

Security patches may need to be added after that.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Rick Garland
Honored Contributor

Re: FTP account

Some docs to look at:

use ftpaccess:

http://docs.hp.com/en/B2355-90685/ch02s07.html?btnPrev=%AB%A0prev

http://docs.hp.com/en/B2355-90685/ch02s08.html?btnNext=next%A0%BB

and to restrict user to their home directory:

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062903488

Also have an html document attached. Came from an HP site, I cannot remember which one.
Rafael Mendonça Braga
Regular Advisor

Re: FTP account

There were lots of things we didn't use here...

The ftpaccess file, for example.

Now I'm trying to create it from the beginning...

I'm following the posted links' instructions!!!

Thanks,

Rafael M. Braga
Rafael Mendonça Braga
Regular Advisor

Re: FTP account

Hello Guys... Could you help me create an ftpaccess file?

I have created a group for ftp under "/etc/group"

root@draco$ cat /etc/group |grep ftp
ftp::104:

After that I have put this line at the passwd file:

root@draco$ cat /etc/passwd |grep teste
teste:*:120:104:FTP Restricted Account,,,:/home/teste/./:/usr/bin/false

So, I assigned the user "teste" to the ftp group and restricted it to his own directory all right?!

How can I configure it in the "/etc/ftpd/ftpaccess" file?

I have put the "-a" option at the "inetd.conf" ...

What should I do now in the ftpacces file in order to restrict the user to his "home" directory only?

Thanks,

Rafael M. Braga
Rick Garland
Honored Contributor

Re: FTP account

Did you create the directory structure under the /home/teste?

Rafael Mendonça Braga
Regular Advisor

Re: FTP account

Yes I did!
john korterman
Honored Contributor
Solution

Re: FTP account

Hi,
you need at least to define in the ftpaccess file that the group to which the user belongs should be considered a so-called guestgroup. That is to be done in a config line, which is often placed near the bottom, e.g.:
guestgroup ftp

I personally name the guestgroups other than ftp, but perhaps it is ok to do this.

You need to restart inetd in order for changes made in the ftpaccess file to take effect.

A simple test to check whether or not the ftpaccess configuration is in effect is to establish an ftp session: if you see the message "Access restrictions apply", the definitions are in effect.

You also need a line in ftpaccess for defining that real users should be able to establish ftp, but I think that is part of the standard configuration - try the above first.

regards,
John K.
it would be nice if you always got a second chance
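The three settings this reply and the ones above it ask for (a /usr/bin/false shell, the "/./" marker in the home directory, and the account's group on a guestgroup line) can be checked together before restarting inetd. The script below is an added example and not part of this thread; the helper name check_guest_user and the sample passwd, group and ftpaccess entries are constructed for it. On a real system you would point it at /etc/passwd, /etc/group and /etc/ftpd/ftpaccess.

```shell
#!/bin/sh
# Added example, not from the thread: check that a wu-ftpd "guest" account is
# set up the way the replies above describe. Three things have to line up:
#   1. the account's shell in passwd is /usr/bin/false (no interactive login),
#   2. its home directory carries the "/./" chroot marker,
#   3. its primary group is named on a "guestgroup" line in ftpaccess.
# The helper name and the sample files below are constructed for this example.

set -e

# check_guest_user USER PASSWD_FILE GROUP_FILE FTPACCESS_FILE
# Prints "ok" and returns 0 when all checks pass; otherwise prints one
# problem per line and returns 1.
check_guest_user() {
    user=$1 passwd=$2 group=$3 ftpaccess=$4
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "no passwd entry for $user"
        return 1
    fi
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    problems=0
    case $shell in
        /usr/bin/false|/bin/false) ;;
        *) echo "shell is '$shell', expected /usr/bin/false"; problems=1 ;;
    esac
    case $home in
        */./*) ;;
        *) echo "home '$home' has no /./ chroot marker"; problems=1 ;;
    esac
    gname=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    # A guestgroup line may list several groups, by name or by numeric gid,
    # and the file may contain more than one such line.
    if ! awk -v n="$gname" -v g="$gid" '
        $1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == n || $i == g) found = 1 }
        END { exit !found }' "$ftpaccess"
    then
        echo "group '$gname' (gid $gid) is not a guestgroup in $ftpaccess"
        problems=1
    fi
    [ "$problems" -eq 0 ] && echo ok
    return "$problems"
}

# Constructed sample files modelled on the entries posted in this thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
teste:*:120:104:FTP Restricted Account,,,:/home/teste/./:/usr/bin/false
loginuser:*:121:104:Real shell and no chroot marker:/home/loginuser:/usr/bin/sh
staff:*:122:20:Group is not a guestgroup:/home/staff/./:/usr/bin/false
EOF
cat > "$tmp/group" <<'EOF'
sys::3:root
users::20:
ftp::104:
EOF
cat > "$tmp/ftpaccess" <<'EOF'
# specify which group of users will be treated as "guests".
guestgroup ftp
EOF

check_guest_user teste "$tmp/passwd" "$tmp/group" "$tmp/ftpaccess"          # prints: ok
check_guest_user loginuser "$tmp/passwd" "$tmp/group" "$tmp/ftpaccess" || true
check_guest_user staff "$tmp/passwd" "$tmp/group" "$tmp/ftpaccess" || true
```

The script only reads the three files; it does not tell you whether the directory tree under the chroot root exists, so Rick's question about creating the structure under the home directory still has to be answered by hand.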
Rafael Mendonça Braga
Regular Advisor

Re: FTP account

Hello People!!!

One more doubt now!!! Reopening the Thread!!

My doubt is:

I have a group called "ftp"

Inside this group I have lots of accounts that will perform FTP sessions...

For example: The account "financial" and the account "production".

I want the financial account to have the right of e files and deny it to production account.

If they are part of the same group, how can I set it?

Look at my ftpaccess file:

-------------------------------------------------------------------

root@draco$ inetd -c
root@draco$ cat ftpaccess
# @(#)B.11.11_LR
#
loginfails 2

class local real,guest,anonymous *.domain 0.0.0.0
class remote real,guest,anonymous *

limit local 20 Any /etc/msgs/msg.toomany
limit remote 100 SaSu|Any1800-0600 /etc/msgs/msg.toomany
limit remote 60 Any /etc/msgs/msg.toomany

readme README* login
readme README* cwd=*

message /welcome.msg login
message .message cwd=*

compress yes local remote
tar yes local remote

# allow use of private file for SITE GROUP and SITE GPASS?
private yes

# passwd-check []
passwd-check rfc822 warn

log commands real
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg

# all the following default to "yes" for everybody
delete no guest,anonymous # delete permission?
overwrite no guest,anonymous # overwrite permission?
rename no anonymous # rename permission?
chmod no anonymous # chmod permission?
umask no anonymous # umask permission?

# specify the upload directory information
upload /var/ftp * no
upload /var/ftp /incoming yes root daemon 0600 dirs
upload /var/ftp /bin no
upload /var/ftp /etc no

# directory aliases
alias inc /incoming

# cdpath
cdpath /incoming
cdpath /pub
cdpath /

# path-filter...
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

# specify which group of users will be treated as "guests".
guestgroup ftp

----------------------------------------------------------

If I put yes to "overwrite" permission, both accounts will perform it...

Do you know what I mean!?

Waiting for your help!!!

Thanks,

Rafael M. Braga
Borislav Perkov
Respected Contributor

Re: FTP account

Hi,
Try to look in
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=893720
Maybe it will help you to find solution.
Regards,
Borislav
Rafael Mendonça Braga
Regular Advisor

Re: FTP account

Thanks for the reply, but I think it will not help me !!!

I don't know if I explained it very well. Let me try again:

I have created a group called "ftp" (instead of ftponly).

Inside this group, I have 2 users:
-financial
-production

They have the same home:
/home/ftp_test/./

So I set the guestgroup line at my ftpaccess file this way:

# specify which group of users will be treated as "guests".
guestgroup ftp

So, both accounts will be treated as "guests" and both will see the "/home/ftp_test" as "/" ok?

Now, I want financial to be able to delete and overwrite files too, so I removed "guest" from the "deny" on delete and overwrite:

delete no anonymous # delete permission?
overwrite no anonymous # overwrite permission?
rename no anonymous # rename permission?
chmod no anonymous # chmod permission?
umask no anonymous # umask permission?

Now, only the anonymous sessions can do nothing more than "put" and "get" files ok?

Here is the problem:
If the financial and production accounts belong to the "ftp" group, and this group is treated as "guest", and the "guests" can delete and overwrite, how can I set a rule to deny these permissions only to the "production" account and allow them to the "financial" account?

Any tips?!

Thanks,

Rafael M. Braga
Borislav Perkov
Respected Contributor

Re: FTP account

Hi,
Who owns the home directory
/home/ftp_test/./
and what are the access rights on it for both users?
Regards
Rafael Mendonça Braga
Regular Advisor

Re: FTP account

Hello Borislav,

These are the rights:

# pwd
/home
# ll -d ftp_test
drwxrwxr-x 3 ftp_fin ftp 96 Jun 22 10:08 ftp_test


Thanks,

Rafael M. Braga
Rafael Mendonça Braga
Regular Advisor

Re: FTP account

Sorry !! I forgot one little thing!!

ftp_fin = financial account
ftp_prd = production account!!!

Sorry!!

Thanks,

Rafael M. Braga
john korterman
Honored Contributor

Re: FTP account

Hi again,

This is just a suggestion:

Put the users "financial" and "production" in a group of their own and configure this group as a guestgroup in ftpaccess in order to separate them from anonymous ftp.

Then define these home dirs in /etc/passwd:
for user "financial":
/home/money/./financial

and for user "production":
/home/money/./production

Create the directories under /home/money
Let user "financial" own the financial directory and let user "production" own the production directory.
Remove access rights for group and others from the production directory.
Both users should now get the same starting point: "financial" can cd to only the "financial" directory, whereas "production" should be able to cd to both directories.

Maybe that is not quite what you want, but perhaps an inspiration!

regards,
John K.
it would be nice if you always got a second chance
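The layout suggested here can be walked through without touching a real system. The script below is an added dry-run model and not part of this thread: it shows that the delete/overwrite/rename directives in ftpaccess only distinguish the user types real, guest and anonymous, so two guests in one guestgroup always get the same answer, and that what each one can then cd into inside the chroot is decided by the ownership and mode bits of the directories. The function names ftpaccess_allows, chroot_parts, can_enter and ftp_can_cd, the group name "money", the directory modes and the ftpaccess excerpt are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a dry-run model of the layout suggested
# above (/home/money/./financial and /home/money/./production). All names,
# modes and the ftpaccess excerpt are constructed; nothing touches the real
# filesystem.

set -e

# ftpaccess_allows DIRECTIVE TYPE FILE -> "yes" or "no"
# Lines look like "delete no guest,anonymous"; the type list names user types
# (real, guest, anonymous), never individual users. Unlisted types default to yes.
ftpaccess_allows() {
    awk -v d="$1" -v t="$2" '
        $1 == d {
            n = split($3, types, ",")
            for (i = 1; i <= n; i++) if (types[i] == t) answer = $2
        }
        END { print (answer == "" ? "yes" : answer) }' "$3"
}

# chroot_parts PASSWD_HOME -> "CHROOT_ROOT START_DIR", split at the /./ marker:
# /home/money/./financial -> "/home/money /financial";  /home/teste/./ -> "/home/teste /"
chroot_parts() {
    case $1 in
        */./*) root=${1%%/./*}; start=/${1#*/./} ;;
        *)     root=$1; start=/ ;;
    esac
    start=${start%/}
    [ -n "$start" ] || start=/
    echo "$root $start"
}

# Constructed inventory of the directories after the suggested chown/chmod:
# path owner group mode (what "ll -d" would show, as octal digits).
inventory() {
    cat <<'EOF'
/home/money root money 755
/home/money/financial financial money 775
/home/money/production production money 700
EOF
}

# can_enter USER GROUP DIR -> "yes"/"no": does the x bit that applies to USER
# allow cd into DIR? Owner bits if USER owns it, group bits if the groups
# match, otherwise the "other" bits. Unknown directories are "no".
can_enter() {
    line=$(inventory | awk -v p="$3" '$1 == p')
    [ -n "$line" ] || { echo no; return 0; }
    set -- "$1" "$2" $line          # now: $3 path, $4 owner, $5 group, $6 mode
    if   [ "$1" = "$4" ]; then digit=$(printf '%s' "$6" | cut -c1)
    elif [ "$2" = "$5" ]; then digit=$(printf '%s' "$6" | cut -c2)
    else                       digit=$(printf '%s' "$6" | cut -c3)
    fi
    if [ $((digit % 2)) -eq 1 ]; then echo yes; else echo no; fi
}

# ftp_can_cd USER GROUP PASSWD_HOME TARGET -> "yes"/"no"
# TARGET is the path as the ftp client sees it, relative to the chroot root,
# so the client can never name anything outside that root.
ftp_can_cd() {
    set -- "$1" "$2" $(chroot_parts "$3") "$4"   # $3 root, $4 start dir, $5 target
    can_enter "$1" "$2" "$3${5%/}"
}

# Constructed ftpaccess excerpt in the form posted above (guests may delete
# and overwrite, anonymous may not).
fa=$(mktemp)
trap 'rm -f "$fa"' EXIT
cat > "$fa" <<'EOF'
delete no anonymous # delete permission?
overwrite no anonymous # overwrite permission?
rename no anonymous # rename permission?
guestgroup money
EOF

for u in financial production; do
    set -- $(chroot_parts "/home/money/./$u")
    echo "$u: chroot root $1, starts in $2, delete=$(ftpaccess_allows delete guest "$fa")"
    for target in / /financial /production; do
        echo "  cd $target -> $(ftp_can_cd "$u" money "/home/money/./$u" "$target")"
    done
done
```

Run as written, both users report delete=yes from ftpaccess, and the only thing keeping "financial" out of /production is the 700 mode on that directory; "production" can still enter /financial because that directory is group-executable. Tightening the mode of the financial directory in the same way is what would make the two accounts symmetric.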
Borislav Perkov
Respected Contributor

Re: FTP account

You can try putting in upload rules:
upload /home/ * no
upload /home /ftp_test yes ftp_fin ftp 0700
or
upload /home/ftp_test * no
upload /home/ftp_test /incoming yes ftp_fin ftp 0700
and the appropriate change in /etc/passwd for the home directory of both to /home/ftp_test/./incoming.
The purpose of this is that all the files that are uploaded will have owner ftp_fin with 700 rights on them.
Regards,
Borislav