HPE Community
Operating System - HP-UX
1834101 Members
2869 Online
110063 Solutions
New Discussion

FTP only access for new user

 
Eric Sauve
Occasional Advisor

‎04-23-2003 06:42 AM

‎04-23-2003 06:42 AM

FTP only access for new user

I want to create a new user which will only be able to connect via ftp (no telnet access) to a very specific directory in which this user will have all permissions (upload, download, delete, rename). I already fiddled with the ftpaccess file to try to make this work without much success. Any help would be appreciated. Thanks.
0 Kudos
Reply
6 REPLIES 6
Shannon Petry
Honored Contributor

‎04-23-2003 06:49 AM

‎04-23-2003 06:49 AM

Re: FTP only access for new user

Use the search options to the left, you will get more info than you could imagine. This issue has been solved by hundreds of people thousands of times, and used by thousands of others ;)

Regards,
SHannon

Microsoft. When do you want a virus today?
0 Kudos
Reply
John Payne_2
Honored Contributor

‎04-23-2003 06:55 AM

‎04-23-2003 06:55 AM

Re: FTP only access for new user

ftpaccess works to place the user in his home directory, that being the only place he/she can upload, download, delete, etc.

As long as you have the -a option for ftp in inetd.conf, and the user has the primary group of the group in ftpaccess, and the user has a fake shell listed in /etc/shells, ftpaccess 'should' work.

I am not sure of another way to do this in the restrictions you want. Giving them a shell like /usr/bin/false will keep them out via telnet, but will not keep them from traversing around. (Unless you make their home directory something with fairly restrictive permissions above it...)

i.e. Have their home directory be /data/ftp/bob,
but the permissions on /data/ftp are such that they can't get into it. That may not prevent them from doing a 'cd /', however, and it would be a fairly manual process.

Maybe we could help you with ftpaccess?

Hope it helps

John
Spoon!!!!
0 Kudos
Reply
John Poff
Honored Contributor

‎04-23-2003 07:01 AM

‎04-23-2003 07:01 AM

Re: FTP only access for new user

Hi,

What errors are you getting when you try out the account? As John mentioned, post your ftpaccess file and we'll take a shot at it.

JP
0 Kudos
Reply
Paul Sperry
Honored Contributor

‎04-23-2003 07:22 AM

‎04-23-2003 07:22 AM

Re: FTP only access for new user

Configure ftpd daemon security

First, you must configure the ftpd daemon to use additional security. Copy the standard ftpaccess security file into the /etc/ftpd directory:

# cp -p /usr/newconfig/etc/ftpd/ftpaccess /etc/ftpd/ftpaccess

Edit /etc/inetd.conf to force the ftpd daemon to read the ftpaccess file at startup. Add the -a option to the ftpd argument list. As a further security measure, you can set the default umask which the ftp daemon uses to create files. Add a -u flag if you want this:

# vi /etc/inetd.conf
:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l -u 022
:

Reload the ftp configuration:

# inetd -c



Create the ftp-only user

The ftpaccess file depends on a group called ftponly to work. Add this group to /etc/group first. I still want oracle to use ftp so add this and any other users to the group too.

# vi /etc/group
ftponly::200:oracle

To create the ftp-only user, you need to do a couple of unusual things to the entry in /etc/passwd. First, to login to a UNIX system via telnet, the user must have a shell. Putting /sbin/false in the shell field will prevent access by telnet - if you don't have a shell, then you can't login. Next, it is a good idea to prevent the ftp user from navigating round the unix file system. You can force UNIX to do an implicit chroot when you connect to ftp by appending /./ to the user's home directory field. So the /etc/passwd file entry for your ftp user will look like this:

ftpuser::1001:200:ftp user:/stagepost/sp1/inbox/CRA/man/./:/sbin/false

There is one additional step required to allow ftpuser to login. Add the phoney shell /sbin/false to the /etc/shells file:

# echo /sbin/false >> /etc/shells

Now test that the user has ftp only access by attempting a telnet and connecting through ftp.

0 Kudos
Reply
Rizwan Mohammed
Frequent Advisor

‎04-23-2003 09:33 AM

‎04-23-2003 09:33 AM

Re: FTP only access for new user

hi

Create ftp user having shell as /bin/false ,so he will not be able to login through telnet , for the ftp home directory use a public folder for the same

Rizwan
Know ?Urself before judging others
0 Kudos
Reply
Yogeeraj_1
Honored Contributor

‎04-23-2003 10:11 AM

‎04-23-2003 10:11 AM

Re: FTP only access for new user

hi eric,

see my post in the URL below:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xc736b941255cd71190080090279cd0f9,00.html


tons of info. I am sure you will be able to fix that problem of yours!

cheers
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.