
FTP restricted accounts and FTP Error Filename Accept (553)

 
Antonio Cardoso_1
Trusted Contributor

FTP restricted accounts and FTP Error Filename Accept (553)

Hi all,
I'm facing a problem with restricted accounts on an HP-UX ftp server: some characters (#~%...) are refused by the put command, with a result such as:
"553 /var/tmp/dummy#1: Permission denied. (Filename (accept))"

My question is: is there a way to configure the ftp server to bypass this restriction?

This is also mentioned in thread http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=893725

thanks.
Mark Greene_1
Honored Contributor

Re: FTP restricted accounts and FTP Error Filename Accept (553)

Are you trying to put to an HP server or put from an HP server to some other sort of box?

I was able to touch a file with a "#" in the name, ftp from my HP server back to the same server and put the file to /tmp:

230 User mgreene logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /tmp
250 CWD command successful.
ftp> put ./dummy#1
200 PORT command successful.
150 Opening BINARY mode data connection for ./dummy#1.
226 Transfer complete.
ftp> bye
221 Goodbye.

h1262n2:(mgreene):(/home/mgreene)[245]
# ls -l /tmp/dummy#1
-rw-r----- 1 mgreene general 0 Mar 10 09:24 /tmp/dummy#1

To be thorough about it, I also tried the transfer in ascii and that worked too.

mark
the future will be a lot like now, only later
Antonio Cardoso_1
Trusted Contributor

Re: FTP restricted accounts and FTP Error Filename Accept (553)

Mark,
From your answer, I think you are using a non-restricted account (if not, you would get a welcome message such as "230 User xmcftp logged in. Access restrictions apply.")

I'm trying to put to a restricted (chrooted) account on an HP-UX ftp server, and get
230 User xmcftp logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Type set to I.
ftp> put /var/tmp/toto%titi
200 PORT command successful.
553 /var/tmp/dummy#1: Permission denied. (Filename (accept))

Antonio Cardoso_1
Trusted Contributor

Re: FTP restricted accounts and FTP Error Filename Accept (553)

The problem was due to path-filter configuration in /etc/ftpd/ftpaccess:
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

After commenting this line, the transfer is accepted.
Now my second question is: what was the purpose of this configuration: any security hole?
Muthukumar_5
Honored Contributor

Re: FTP restricted accounts and FTP Error Filename Accept (553)

See man ftpaccess.

path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

specifies that all upload filenames for anonymous users must be
made of only the characters A-Z, a-z, 0-9, period (.), dash (-),
and underscore (_); and may not begin with a period (.) or a dash
(-). If the filename is invalid, /etc/pathmsg will be displayed
to the user.

--
Muthu
Easy to suggest when don't know about the problem!
Antonio Cardoso_1
Trusted Contributor

Re: FTP restricted accounts and FTP Error Filename Accept (553)

Hi Muthukumar,
Of course, I read the man page before asking my question.
The question is to know if there is a security issue to allow additional characters in path filter.
For example, according to the naming rules of the client applications that store files on my ftp server, I would need a path-filter such as:
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.\#\+\%\,\~]*$ ^\. ^-

Is there any risk linked to this?

thanks.
Yogeeraj_1
Honored Contributor

Re: FTP restricted accounts and FTP Error Filename Accept (553)

hi antonio,

In general, it is never a good idea to allow write access to an anonymous FTP directory, but sometimes it must be done. Traditionally this is called the "incoming" directory. The WU FTP daemon has a number of control features that will help to keep the incoming directory from turning into an illegal "warez" site.

First, create the incoming directory with write, but not read, access:
[root]# mkdir -m 333 /home/ftp/incoming

Then, edit /etc/ftpaccess and add these lines:
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
upload /home/ftp /incoming yes root ftp 0600 nodirs
noretrieve /home/ftp/incoming/

The first line restricts upload file names to letters, numbers, hyphen, period, and underscore, and it restricts file names from starting with a period or hyphen (so the anonymous user can not create a file called "..." for instance).

The second line says that files uploaded to the incoming directory are allowed, that files will have UID root, GID ftp, mode 0600, and that the user is not allowed to create subdirectories. The last line denies downloads from the incoming directory entirely, so once a file is written there, another anonymous user can't get it. Again, read the manual page for ftpaccess(5) for more information about these and other control mechanisms.

Regardless of the protections, the incoming directory should be reviewed daily, and all files stored there moved to another directory out of the anonymous directory tree. Write a cron job to check the directory each night, perform the move and notify the administrator about any files found there.

hope this helps too!

kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
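The nightly sweep that the reply above recommends, written out as an added example (it is not from the thread, HP's ftpd or WU-FTPD). It moves every file found directly under the write-only incoming directory into a holding directory outside the FTP tree, keeps a log line per file, and mails the administrator when anything was found. The directory names, the holding location and the mail recipient are assumptions; the three-glob loop and `mv --` exist so that dot-files, a file named "..." and names starting with "-" are all picked up safely.

```shell
#!/bin/sh
# Added example, not from the thread or from HP/WU-FTPD: nightly sweep of the
# write-only "incoming" directory. Moves every upload into a holding directory
# outside the FTP tree, logs each move, and mails the administrator.
# The paths and the mail address below are assumptions; adjust to the site.

INCOMING=${INCOMING:-/home/ftp/incoming}   # the mode-333 upload directory
HOLDING=${HOLDING:-/var/ftp-holding}       # outside the chroot/anonymous tree
ADMIN=${ADMIN:-root}                       # recipient of the nightly report

# sweep_incoming SRC DST [LOG]
# Moves every regular file directly under SRC into DST, prefixing a timestamp
# so two uploads with the same name never collide. Prints the number moved.
# The three globs together cover ordinary names, dot-files, and names such as
# "..." that a plain "*" would miss; mv's "--" keeps a name that starts with
# "-" from being read as an option. Run it as root: SRC is mode 333, so no
# other user can list it.
sweep_incoming() {
    src=$1; dst=$2; log=${3:-/dev/null}
    stamp=$(date +%Y%m%d%H%M%S)
    n=0
    mkdir -p "$dst" && chmod 700 "$dst"
    for f in "$src"/* "$src"/.[!.]* "$src"/..?*; do
        [ -f "$f" ] || continue          # skips unmatched globs and any subdirs
        base=${f##*/}
        if mv -- "$f" "$dst/$stamp.$base"; then
            n=$((n + 1))
            printf '%s moved %s -> %s\n' "$stamp" "$f" "$dst/$stamp.$base" >> "$log"
        fi
    done
    echo "$n"
}

# nightly_report SRC DST ADMIN: run the sweep, append tonight's lines to a
# permanent log in DST, and mail them to ADMIN when anything was moved
# (mailx is present on HP-UX; if it is missing, the log alone is kept).
nightly_report() {
    src=$1; dst=$2; admin=$3
    mkdir -p "$dst" && chmod 700 "$dst"
    tonight=$dst/sweep.$$
    : > "$tonight"
    moved=$(sweep_incoming "$src" "$dst" "$tonight")
    cat "$tonight" >> "$dst/sweep.log"
    if [ "$moved" -gt 0 ] && command -v mailx >/dev/null 2>&1; then
        mailx -s "ftp incoming: $moved file(s) quarantined on $(hostname)" "$admin" < "$tonight"
    fi
    rm -f "$tonight"
    echo "$moved"
}

# The sweep runs only when SWEEP_RUN=1 (set it on the crontab line), so the
# file can be sourced to try the functions without touching live directories.
if [ "${SWEEP_RUN:-0}" = 1 ]; then
    nightly_report "$INCOMING" "$HOLDING" "$ADMIN"
fi
```

A crontab entry for root such as `0 2 * * * SWEEP_RUN=1 /usr/local/sbin/sweep_incoming.sh` (path assumed) runs it each night; the holding directory is created mode 700 so that nothing moved out of the incoming tree becomes readable through any other path.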
Antonio Cardoso_1
Trusted Contributor

Re: FTP restricted accounts and FTP Error Filename Accept (553)

The ftp account is not an anonymous account but a named and restricted (chrooted) account.

Does anyone see a potential issue in using the following path-filter in this context?
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.\#\+\%\,\~]*$ ^\. ^-

thanks.
antonio.
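A way to try a path-filter line before putting it into /etc/ftpd/ftpaccess, added here as an example (not from the thread or from HP's ftpd). It applies the rule the man page excerpt quoted earlier describes, an allow pattern followed by disallow patterns, to the file names from this thread, using both the default filter and the extended one in the last post. The assumption is that the daemon compiles the patterns with POSIX regcomp(3) as basic regular expressions, which is also what plain grep evaluates here; under that reading the extended class accepts the two names that were refused, still refuses a leading "." or "-", and, because a backslash is an ordinary character inside a bracket expression, the `\#`, `\+`, `\%`, `\,` and `\~` escapes also let a literal backslash through. That last point is the one caveat the extended filter carries beyond the characters it was written to admit.

```shell
#!/bin/sh
# Added example, not from the thread or from HP's ftpd: evaluate an ftpaccess
# path-filter line (one allow pattern, then disallow patterns) against file
# names, so a candidate filter can be tested before it goes into
# /etc/ftpd/ftpaccess. Assumption: the daemon compiles the patterns with POSIX
# regcomp(3) as basic regular expressions, which is what plain grep uses here.

# The two allow patterns from the thread and the disallow patterns both carry.
DEFAULT_ALLOW='^[-A-Za-z0-9_\.]*$'
EXTENDED_ALLOW='^[-A-Za-z0-9_\.\#\+\%\,\~]*$'
DENY_DOT='^\.'
DENY_DASH='^-'

# path_filter_ok NAME ALLOWED [DISALLOWED...]
# Returns 0 when NAME matches ALLOWED and none of the DISALLOWED patterns,
# i.e. when ftpd would accept the upload name; 1 when it would answer 553.
path_filter_ok() {
    name=$1; allowed=$2
    shift 2
    printf '%s\n' "$name" | grep -q -e "$allowed" || return 1
    for deny in "$@"; do
        printf '%s\n' "$name" | grep -q -e "$deny" && return 1
    done
    return 0
}

# show NAME ALLOWED: print the verdict in the form of the server reply.
show() {
    if path_filter_ok "$1" "$2" "$DENY_DOT" "$DENY_DASH"; then
        printf '%-12s accepted\n' "$1"
    else
        printf '%-12s 553 %s: Permission denied. (Filename (accept))\n' "$1" "$1"
    fi
}

echo "default filter:"
for n in dummy 'dummy#1' 'toto%titi'; do show "$n" "$DEFAULT_ALLOW"; done

echo "extended filter:"
# The thread's two refused names now pass; a leading "." or "-" (the "..."
# case from the earlier reply included) is still refused; and since a
# backslash is an ordinary character inside a bracket expression, the escaped
# class also admits a literal backslash. A space is still refused.
for n in 'dummy#1' 'toto%titi' '...' '-dummy' 'a\b' 'a b'; do
    show "$n" "$EXTENDED_ALLOW"
done
```

If the backslash is not wanted, the escapes inside the brackets can simply be dropped (`^[-A-Za-z0-9_.#+%,~]*$`): none of those characters is special in a bracket expression, so the class keeps the same members minus the backslash.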