Operating System - HP-UX

FTP only access for new user

Eric Sauve
Occasional Advisor

FTP only access for new user

I want to create a new user which will only be able to connect via ftp (no telnet access) to a very specific directory in which this user will have all permissions (upload, download, delete, rename). I already fiddled with the ftpaccess file to try to make this work without much success. Any help would be appreciated. Thanks.
Shannon Petry
Honored Contributor

Re: FTP only access for new user

Use the search options to the left, you will get more info than you could imagine. This issue has been solved by hundreds of people thousands of times, and used by thousands of others ;)

Regards,
Shannon

Microsoft. When do you want a virus today?
John Payne_2
Honored Contributor

Re: FTP only access for new user

ftpaccess works to place the user in his home directory, that being the only place he/she can upload, download, delete, etc.

As long as you have the -a option for ftp in inetd.conf, and the user has the primary group of the group in ftpaccess, and the user has a fake shell listed in /etc/shells, ftpaccess 'should' work.

I am not sure of another way to do this in the restrictions you want. Giving them a shell like /usr/bin/false will keep them out via telnet, but will not keep them from traversing around. (Unless you make their home directory something with fairly restrictive permissions above it...)

i.e. Have their home directory be /data/ftp/bob, but the permissions on /data/ftp are such that they can't get into it. That may not prevent them from doing a 'cd /', however, and it would be a fairly manual process.

Maybe we could help you with ftpaccess?

Hope it helps

John
Spoon!!!!
John Poff
Honored Contributor

Re: FTP only access for new user

Hi,

What errors are you getting when you try out the account? As John mentioned, post your ftpaccess file and we'll take a shot at it.

JP
Paul Sperry
Honored Contributor

Re: FTP only access for new user

Configure ftpd daemon security

First, you must configure the ftpd daemon to use additional security. Copy the standard ftpaccess security file into the /etc/ftpd directory:

# cp -p /usr/newconfig/etc/ftpd/ftpaccess /etc/ftpd/ftpaccess

Edit /etc/inetd.conf to force the ftpd daemon to read the ftpaccess file at startup. Add the -a option to the ftpd argument list. As a further security measure, you can set the default umask which the ftp daemon uses to create files. Add a -u flag if you want this:

# vi /etc/inetd.conf
:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l -u 022
:

Reload the ftp configuration:

# inetd -c

Create the ftp-only user

The ftpaccess file depends on a group called ftponly to work. Add this group to /etc/group first. I still want oracle to use ftp so add this and any other users to the group too.

# vi /etc/group
ftponly::200:oracle

To create the ftp-only user, you need to do a couple of unusual things to the entry in /etc/passwd. First, to login to a UNIX system via telnet, the user must have a shell. Putting /sbin/false in the shell field will prevent access by telnet - if you don't have a shell, then you can't login. Next, it is a good idea to prevent the ftp user from navigating round the unix file system. You can force UNIX to do an implicit chroot when you connect to ftp by appending /./ to the user's home directory field. So the /etc/passwd file entry for your ftp user will look like this:

ftpuser::1001:200:ftp user:/stagepost/sp1/inbox/CRA/man/./:/sbin/false

There is one additional step required to allow ftpuser to login. Add the phoney shell /sbin/false to the /etc/shells file:

# echo /sbin/false >> /etc/shells

Now test that the user has ftp only access by attempting a telnet and connecting through ftp.
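
The steps listed above, together with the requirements John Payne gives earlier (ftpd started with -a, the user's primary group being the ftpaccess group, the fake shell listed in /etc/shells), can be checked against an account with the following audit script. It is an added example, not code from this thread or from HP-UX: the four "files" are constructed sample data embedded as strings, so it runs without reading or changing anything on a real system, and the only fixed names it relies on are the ftponly group, the /./ home-directory marker and the -a flag from the posts.

```sh
#!/bin/sh
# Added example (not from the thread): audit whether an account is set up as
# "ftp-only" the way the posts above describe. All four "files" below are
# constructed sample data embedded as strings, so nothing on the real system
# is read or changed; point the variables at real files to use it for real.

PASSWD_SAMPLE='root:*:0:3::/:/sbin/sh
ftpuser::1001:200:ftp user:/stagepost/sp1/inbox/CRA/man/./:/sbin/false
bob:*:1002:200:bob:/data/ftp/bob:/sbin/false
carol:*:1003:20:carol:/home/carol/./:/usr/bin/sh'

GROUP_SAMPLE='root::0:root
users::20:
ftponly::200:oracle'

SHELLS_SAMPLE='/sbin/sh
/usr/bin/sh
/sbin/false'

INETD_SAMPLE='telnet stream tcp nowait root /usr/lbin/telnetd telnetd
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -a -l -u 022'

# fail MSG: record one failed check (ok is reset by check_ftp_only)
fail() {
    echo "  FAIL: $*"
    ok=1
}

# ftpd_reads_ftpaccess: returns 0 if the inetd ftp line carries -a, which is
# what makes ftpd consult /etc/ftpd/ftpaccess at all; otherwise 1
ftpd_reads_ftpaccess() {
    printf '%s\n' "$INETD_SAMPLE" | grep '^ftp[[:space:]]' | grep -q -e ' -a'
}

# check_ftp_only USER: returns 0 if USER can use ftp but cannot get an
# interactive login and is confined to the home directory; prints each
# failed check and returns 1 otherwise
check_ftp_only() {
    user=$1
    ok=0
    entry=$(printf '%s\n' "$PASSWD_SAMPLE" | grep "^${user}:") || {
        echo "  FAIL: no passwd entry for $user"
        return 1
    }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    ftponly_gid=$(printf '%s\n' "$GROUP_SAMPLE" | awk -F: '$1 == "ftponly" { print $3 }')

    # 1. primary group must be the group ftpaccess restricts (ftponly)
    [ -n "$ftponly_gid" ] || fail "no ftponly group in /etc/group"
    [ "$gid" = "$ftponly_gid" ] || fail "primary gid $gid is not ftponly ($ftponly_gid)"

    # 2. the shell must be a non-shell so telnet/rlogin cannot reach a prompt
    case $shell in
        /sbin/false|/bin/false|/usr/bin/false) ;;
        *) fail "shell $shell is a real login shell" ;;
    esac

    # 3. ftpd refuses users whose shell is not listed in /etc/shells
    printf '%s\n' "$SHELLS_SAMPLE" | grep -qx -- "$shell" \
        || fail "$shell is not listed in /etc/shells (ftp login would fail)"

    # 4. the /./ marker in the home field makes ftpd chroot to that directory
    case $home in
        */./) ;;
        *) fail "home $home lacks the /./ chroot marker" ;;
    esac

    # 5. none of the above matters unless ftpd is started with -a
    ftpd_reads_ftpaccess || fail "ftpd is not started with -a in inetd.conf"

    return $ok
}

# walk the sample accounts: only ftpuser should pass every check
for u in ftpuser bob carol nobody; do
    echo "$u:"
    if check_ftp_only "$u"; then echo "  ftp-only setup looks complete"; fi
done
```

In the sample data, ftpuser passes all five checks, bob (a real home path without /./, as in the /data/ftp/bob arrangement discussed earlier) fails the chroot check, and carol has both a real shell and the wrong primary group. Each failed check is printed on its own line so the script doubles as a checklist when run against real files.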

Rizwan Mohammed
Frequent Advisor

Re: FTP only access for new user

hi

Create the ftp user having the shell /bin/false, so he will not be able to login through telnet; for the ftp home directory use a public folder for the same.

Rizwan
Know ?Urself before judging others
Yogeeraj_1
Honored Contributor

Re: FTP only access for new user

hi eric,

see my post in the URL below:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xc736b941255cd71190080090279cd0f9,00.html

tons of info. I am sure you will be able to fix that problem of yours!

cheers
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)