
ftp in restricted shell?

Bernard Lee
Occasional Contributor

ftp in restricted shell?

Hi,
How do I set up a user to perform ftp only? The user must only be able to stay in its own home directory.

Thanks
harry d brown jr
Honored Contributor

Re: ftp in restricted shell?


INCOMING or OUTGOING?

INCOMING, you can use chroot.

OUTGOING, well not much there.

live free or die
harry
Live Free or Die
Niraj Kumar Verma
Trusted Contributor

Re: ftp in restricted shell?

Hey !!

By using the restricted shell you can achieve this.

use /usr/bin/rsh

make sure that you put this entry in /etc/shells

-Niraj
Niraj.Verma@philips.com
Bernard Lee
Occasional Contributor

Re: ftp in restricted shell?

How can I restrict certain users to one directory through ftp in 10.20?
Deepak Extross
Honored Contributor

Re: ftp in restricted shell?

To restrict the user to his directory and subdirectories:
Set the user's shell to 'rsh', the restricted shell. You can set this in the /etc/passwd file.

To allow ONLY ftp:
In the user's startup file ($HOME/.profile), add the following line
exec ftp
When the user logs in he will be taken straight to the ftp prompt. On exiting ftp, he will be automatically logged off.
S.K. Chan
Honored Contributor

Re: ftp in restricted shell?

Say you want to set up user "ftpguest" to only do ftp. The recipe is as follows.
(I got this from my own notes, can't remember the source, but it's good!)

1) Make the edits to the /etc/passwd file

ftpguest:4rL2HZkDatENY:505:125::/home/ftp/ftpguest/./:/usr/bin/false

The '.' is the delimiter that determines where the chroot will be performed. In this example, after logging in, '/' will in effect be /home/ftp/ftpguest. If the delimiter were placed between ftp and ftpguest, then '/' would be /home/ftp.
The ftpguest was used as the account name in this example but you could use any name you like.

2) /usr/bin/false will have to be added to the /etc/shells file.

3) Make the edits to the /etc/group file

ftpgroup::125:ftpguest

Create and set the permissions and ownership for the directory /home/ftp/ftpguest to what suits you best.

4) Add an entry into the ftpaccess file. This file will most probably have to be copied from the /usr/newconfig/etc/ftpd/ftpaccess to /etc/ftpd/ftpaccess.

Add a guestgroup entry (in /etc/ftpd/ftpaccess file) to allow a group of users to be treated as 'guests'. This entry will correspond to the entry in the /etc/group file. Here is a sample of the ftpaccess file to use guest
groups.

# specify which group of users will be treated as "guests".
guestgroup ftpgroup

5) Edit the /etc/inetd.conf file and add the '-a' option to enable ftpd to use the ftpaccess file. Here is an example:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

You will need to reconfigure inetd by running /usr/sbin/inetd -c to reread the /etc/inetd.conf file after making the change.

6) Since this is similar to anonymous FTP in the respect that you are in a chrooted area (the path to / is different than on your system) you will also have to replicate the /usr/bin and /etc directories. The easiest way to do this is to use SAM to create an anonymous FTP setup and then replicate the /etc & /usr/bin directories into your ftp guest root directory. Here is an example of how you would replicate the ~ftp/usr and ~ftp/etc directory to your new ftp guest directory. Use the ftpguest user in this example.

# cp -R ~ftp/usr ~ftpguest/usr
# cp -R ~ftp/etc ~ftpguest/etc

At this point you should have the files and programs needed for your ftpguest user.

** This is dependent upon where the '.' delimiter has been positioned. If the delimiter is positioned before the ftp username, then only the root directory (/home/ftp) needs to contain a /usr & /etc directory structure. If the delimiter is placed after the username, then each individual user will require this directory structure.

** When providing the 'ls' command, use /sbin/ls, not /usr/bin/ls.

7) Another thing: you must touch the file /etc/ftpd/ftpgroups. If you do not, you will see messages in syslog.log indicating that ftpd could not stat this file.
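The recipe above, turned into a configuration audit. This is an added example, not code from the thread or from HP: it splits the passwd home field on the "/./" delimiter the way step 1 describes (so you can see what '/' becomes for either delimiter position) and then checks steps 2 to 7 against a staging copy of the files, so it runs offline on constructed input; pass "/" as the staging root to audit a real box. Assumptions: the file locations are the ones the recipe names (/etc/passwd, /etc/shells, /etc/group, /etc/inetd.conf, /etc/ftpd/ftpaccess, /etc/ftpd/ftpgroups); the function names, the PLACEHOLDER_HASH password field and the stage_demo tree are this example's own; the "no setuid files inside the chroot" check is general chroot hygiene added here, not something the thread mentions.

```sh
#!/bin/sh
# Added example, not from the thread: audit a guest-FTP chroot setup laid
# out the way the recipe above describes.  Every path is taken relative to
# a staging root so the script runs offline on constructed files; pass "/"
# as the staging root to audit a live system (assumption: it uses the file
# locations the thread names).

# Chroot root for a passwd home field: everything before the first "/./".
#   /home/ftp/ftpguest/./  -> /home/ftp/ftpguest
#   /home/ftp/./ftpguest   -> /home/ftp
# Returns 1 when there is no delimiter, i.e. ftpd would not chroot at all.
chroot_root() {
    case $1 in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     return 1 ;;
    esac
}

# The home directory as the user sees it after the chroot:
#   /home/ftp/ftpguest/./ -> /        /home/ftp/./ftpguest -> /ftpguest
home_inside_chroot() {
    root=$(chroot_root "$1") || return 1
    inside=${1#"$root/."}
    printf '%s\n' "${inside:-/}"
}

# Audit one guest account.  $1 = staging root, $2 = user, $3 = group.
# Prints one line per failed check and returns the number of failures
# (0 means the layout matches the recipe).
audit_ftpguest() {
    stage=${1%/}; user=$2; group=$3; fail=0
    pw=$(grep "^$user:" "$stage/etc/passwd" | head -n 1)
    if [ -z "$pw" ]; then
        echo "FAIL: $user has no entry in /etc/passwd"; return 1
    fi
    home=$(printf '%s\n' "$pw" | cut -d: -f6)
    shell=$(printf '%s\n' "$pw" | cut -d: -f7)

    # 1) without the /./ delimiter ftpd has nothing to chroot to
    root=$(chroot_root "$home") ||
        { echo "FAIL: home '$home' has no /./ chroot delimiter"; fail=$((fail+1)); root=; }

    # 2) the login shell (here a non-shell such as /usr/bin/false) must be
    #    listed in /etc/shells or ftpd refuses the login
    grep -qx "$shell" "$stage/etc/shells" ||
        { echo "FAIL: $shell is not listed in /etc/shells"; fail=$((fail+1)); }

    # 3) the user must belong to the group that ftpaccess marks as guestgroup
    awk -F: -v g="$group" -v u="$user" \
        '$1==g { n=split($4,m,","); for (i=1;i<=n;i++) if (m[i]==u) f=1 } END { exit !f }' \
        "$stage/etc/group" ||
        { echo "FAIL: $user is not a member of $group in /etc/group"; fail=$((fail+1)); }
    awk -v g="$group" \
        '$1=="guestgroup" { for (i=2;i<=NF;i++) if ($i==g) f=1 } END { exit !f }' \
        "$stage/etc/ftpd/ftpaccess" ||
        { echo "FAIL: no 'guestgroup $group' line in /etc/ftpd/ftpaccess"; fail=$((fail+1)); }

    # 4) ftpd only reads ftpaccess when inetd starts it with -a
    awk '$1=="ftp" { for (i=7;i<=NF;i++) if ($i=="-a") ok=1 } END { exit !ok }' \
        "$stage/etc/inetd.conf" ||
        { echo "FAIL: ftp line in /etc/inetd.conf lacks -a"; fail=$((fail+1)); }

    # 5) ftpgroups must exist, even empty, or ftpd logs stat errors to syslog
    [ -f "$stage/etc/ftpd/ftpgroups" ] ||
        { echo "FAIL: /etc/ftpd/ftpgroups is missing (touch it)"; fail=$((fail+1)); }

    # 6) the chroot needs its own etc/ and usr/bin/ copies, and nothing setuid
    if [ -n "$root" ]; then
        [ -d "$stage$root/etc" ] && [ -d "$stage$root/usr/bin" ] ||
            { echo "FAIL: $root lacks the replicated etc/ and usr/bin/ trees"; fail=$((fail+1)); }
        if find "$stage$root" -type f -perm -4000 | grep -q .; then
            echo "FAIL: setuid file inside the chroot $root"; fail=$((fail+1))
        fi
    fi
    return $fail
}

# Build a constructed staging tree that follows the recipe (for the demo).
# The password field is a placeholder, not a usable hash.
stage_demo() {
    s=${1%/}
    mkdir -p "$s/etc/ftpd" "$s/home/ftp/ftpguest/etc" "$s/home/ftp/ftpguest/usr/bin"
    echo 'ftpguest:PLACEHOLDER_HASH:505:125::/home/ftp/ftpguest/./:/usr/bin/false' > "$s/etc/passwd"
    printf '/sbin/sh\n/usr/bin/sh\n/usr/bin/false\n' > "$s/etc/shells"
    echo 'ftpgroup::125:ftpguest' > "$s/etc/group"
    printf '# specify which group of users will be treated as "guests".\nguestgroup ftpgroup\n' > "$s/etc/ftpd/ftpaccess"
    echo 'ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a' > "$s/etc/inetd.conf"
    : > "$s/etc/ftpd/ftpgroups"
}

# Stand-alone use:  sh audit.sh --demo   (stage and audit a temporary tree)
#                   sh audit.sh / ftpguest ftpgroup   (audit the live files)
case ${1:-} in
    --demo) d=$(mktemp -d); stage_demo "$d"; audit_ftpguest "$d" ftpguest ftpgroup && echo PASS; rm -rf "$d" ;;
    "")     ;;
    *)      audit_ftpguest "$1" "${2:-ftpguest}" "${3:-ftpgroup}" && echo PASS ;;
esac
```

Each failed check prints one FAIL line, so the script doubles as a checklist when something in the recipe was skipped; rerun it after every change to /etc/passwd, /etc/shells or the ftpaccess file, because a missing entry in any of them turns the setup into either an unrestricted account or a login that fails silently.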