Operating System - HP-UX
Yogeeraj_1
Honored Contributor

FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Dear experts!

I am not able to restrict my FTP users to navigate to "upper level" directories on my new server running HP-UX 11.11.

I already went through a post describing the same problem as mine, but none of the solutions is working for me.
[http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x76bfd08cc06fd511abcd0090277a778c,00.html]

Note that, I had already done the configuration on my HP-UX 11.0 which worked very well and now trying it on my HP-UX 11.11...

I also observed that my /usr/bin/false is different on each server.

For instance:
HP-UX 11.0
==========
# file /usr/bin/false
/usr/bin/false: commands text
# more /usr/bin/false

# @(#) $Revision: 64.1 $
exit 1
# uname -a
HP-UX L1000 B.11.00 U 9000/800 541706567 unlimited-user license
#

HP-UX 11.11
===========

SLX1:> file /usr/bin/false
/usr/bin/false: PA-RISC1.1 shared executable dynamically linked
SLX1:>ll /usr/bin/false
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 /usr/bin/false
SLX1:>ll /usr/bin/ |grep -i "14 bin"
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 false
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 hp-mc680x0
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 hp9000s200
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 hp9000s300
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 hp9000s400
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 hp9000s500
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 hp9000s700_8MB
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 pdp11
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 u370
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 u3b
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 u3b10
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 u3b2
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 u3b5
-r-xr-xr-x 14 bin bin 12288 Nov 14 2000 vax
SLX1:>uname -a
HP-UX slx1 B.11.11 U 9000/800 762977641 unlimited-user license


Please help on how to further troubleshoot and fix this problem.

Thank you in advance for your replies.

Best Regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
19 REPLIES
Rita C Workman
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

When I set up ours, I wanted to remove all anonymous & guest rights. I found setting up specific users and using chroot to be very helpful.
It has worked pretty well for us here to keep folks in their 'place'.

Hope this thread helps,

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xd5ab53921f1ad5118fef0090279cd0f9,00.html

Rgrds,
Rita
Cheryl Griffin
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Make sure you have the latest ftpd patch:
s700_800/11.X/PHNE_23950 11.11 ftpd(1M) patch which enables you to use a configuration file ftpaccess which can restrict the user.
# man ftpaccess for additional information

"Downtime is a Crime."
Steven E. Protter
Exalted Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

1) You sir are fast becoming known as an expert in many areas.

If you want to keep people out of lower level directories, here is a radical approach.

Make the permissions on the lower level directories inaccessible.

user schmobagel(there is a story there)

group users

logs into ftp ends up at /home/schmobagel

For whatever reason you aren't using chroot jail for ftp users and that doesn't keep you from navigating down anyway.

The permissions on the other home directories in this template example should not allow anyone but the owner to navigate

root sets the permissions on user foolish to 700

If the problem is related to the fact that your ftp users need wider permissions then consider special users in a special group for ftp.

add schmobagel to /etc/ftpd/ftpusers file and give him a different account for ftp in a group that isn't allowed to roam the machine. Again, permission based approach.

Which leads me to a bug alert. Washington University's ftpd server does not work right when you add users to the /etc/ftpd/ftpusers file, you need to download and install new binaries for that functionality to work. You'll need to open a support call to get the binaries or talk to me offline.

stevenprotter@juf.org

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Yogeeraj_1
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Dear all,
thank you for your replies.

I followed the configuration steps again. Still not working.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xa36c7d4cf554d611abdb0090277a778c,00.html
http://forums.itrc.hp.com/cm/components/FileAttachment/0,,0x13c94e49c5cdd5118ff40090279cd0f9,00.txt

I also tried the recommendation above and still no luck.


I already have the recommended (above) patch.
SLX1:u03>swlist -l patch|grep PHNE_23950
PHNE_23950.INETSVCS-RUN 1.0 Internet Services Fileset applied
# PHNE_23950 1.0 ftpd(1M) patch
# PHNE_23950.INETSVCS-RUN 1.0 Internet Services Fileset applied
SLX1:u03>


please help further.

Best Regards
Yogeeraj


No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
U.SivaKumar_2
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Hi yogeeraj,

If you can spend some more time compiling the source on the HP-UX platform, you can use the VSFTPD server.

In that you can configure chrooting for individual user to his home directory. That would solve your problem.

http://vsftpd.beasts.org

regards,

U.SivaKumar
Innovations are made when conventions are broken
Yogeeraj_1
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

hi U.SivaKumar,

thank you for your reply.

Unfortunately, this is a directory shared by 15 users.

I don't want to install any non-HP stuff on my mission-critical server, which also hosts our corporate database.

Any more suggestions?

Best Regards
Yogeeraj

No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
john korterman
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Hi Yogeeraj,
simple question: when you open your ftp session, does the server then say: Access restrictions apply?

regards,
John K.
it would be nice if you always got a second chance
Varghese Mathew
Trusted Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Yogeeraj,

Will this help?... (have a look at the attached file).

This works fine for us.

Cheers !!!
Mathew
Cheers !!!
Yogeeraj_1
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

John korterman
==============
I did not check any logs on the server. What would this mean?

Varghese Mathew
===================
Already gone through this document. I did post the same link above.


I still need help on how to fix this. Please help

Best Regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Sridhar Bhaskarla
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Hi Yogeeraj,

I don't think the problem is with your /usr/bin/false or the corresponding script.

Did you set up your /etc/ftpd/ftpaccess file correctly?

I would put all the users that are to be granted restricted ftp access in a group, say ftpgroup, and then add them to ftpaccess's 'guestgroup' like

guestgroup ftpgroup

And make sure their home directories are set up like '/home/user/./' in /etc/passwd. Then they will not be able to navigate above their home directories, as /home/user becomes the chroot'ed dir for the user.



-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Hi (again) Yogeeraj,

I would have added to make sure your ftpaccess file is enabled by adding -a to the ftpd line in /etc/inetd.conf. Refresh inetd.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
john korterman
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Hi again,
it is a message that should appear on std. out when you establish a ftp session in which "ftpaccess" is working, e.g.:
Name (TEST019:jxk): fuppub
331 Password required for fuppub.
Password:
230 User fuppub logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

like in the above example. If you do not see "Access restrictions apply" it means that the configuration/limitation made in ftpaccess is disregarded.
That could explain why your user could move around freely.
There could be many reasons for that, one of the simplest is that the user does not belong to any of the groups which you normally restrict by ftpaccess. I'm thinking of the "guestgroup" line in ftpaccess. Is the user included in any of the groups defined as "guestgroups", normally one of the last lines in ftpaccess? A good test is to temporarily change the /usr/bin/false to a normal shell and establish a telnet connection for that user. Execute "id" to check to which group he belongs. Check also for uniqueness of users and groups.
By the way, your /usr/bin/false looks like the one I have on a 11.11 system, and its basic idea is to prevent the user from establishing another connection, e.g. telnet. I do not think the error is there.

regards,
John K.

it would be nice if you always got a second chance
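
The checks described in the replies above (ftpd started with -a in /etc/inetd.conf, the user belonging to a group named on a guestgroup line in ftpaccess, and a /./ home directory in /etc/passwd) can be scripted. This is an added example, not part of any post in this thread; the function names are hypothetical, and it assumes the usual whitespace-separated inetd.conf layout and colon-separated passwd and group files.

```sh
#!/bin/sh
# Added example: audits the settings the thread says must agree before
# wu-ftpd confines a guest user. Function names are hypothetical.

ftpd_uses_ftpaccess() {      # $1 = inetd.conf; true if ftpd is started with -a
    awk '$1 == "ftp" { for (i = 7; i <= NF; i++) if ($i == "-a") found = 1 }
         END { exit !found }' "$1"
}

guest_groups() {             # $1 = ftpaccess; prints groups on guestgroup lines
    awk '$1 == "guestgroup" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

user_groups() {              # $1 = user, $2 = passwd, $3 = group
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$3"
}

home_has_chroot_marker() {   # $1 = user, $2 = passwd; home must contain /./
    awk -F: -v u="$1" '$1 == u && $6 ~ /\/\.\// { ok = 1 } END { exit !ok }' "$2"
}

audit_guest() {              # $1 = user, $2 = inetd.conf, $3 = ftpaccess, $4 = passwd, $5 = group
    rc=0; hit=""
    ftpd_uses_ftpaccess "$2" || { echo "ftpd is not started with -a in $2"; rc=1; }
    for g in $(user_groups "$1" "$4" "$5"); do
        if guest_groups "$3" | grep -qxF "$g"; then hit=$g; fi
    done
    [ -n "$hit" ] || { echo "$1 is in no guestgroup listed in $3"; rc=1; }
    home_has_chroot_marker "$1" "$4" || { echo "home of $1 lacks /./ in $4"; rc=1; }
    return $rc
}

# Run against the live files when a user name is given on the command line.
if [ $# -ge 1 ]; then
    audit_guest "$1" /etc/inetd.conf /etc/ftpd/ftpaccess /etc/passwd /etc/group
fi
```

A clean audit only shows the files agree; the "Access restrictions apply" text in the 230 login reply is still the confirmation that ftpd actually honoured ftpaccess.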
Yogeeraj_1
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

hi,
thank you for these responses.

Sridhar Bhaskarla
=================
I have already done/checked all the things you mention here!

John
======
I need to do the test as soon as I am back in office tomorrow morning. I will update this post again.

More inputs will be most appreciated till then.

best regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Sridhar Bhaskarla
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Hi Yogeeraj,

Can you post a 'what' and 'll' of your 'ftpd' executable?

Unless you have a syntax error somewhere, I don't see any reason why it is not working for you.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

And also your ftpaccess file with replacing the original entries with dummy ones.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Yogeeraj_1
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

Dear John,

thank you for your suggestion on the troubleshooting. I did the tests you mentioned and indeed my ftpaccess file was being disregarded as you suspected.

I "rebuilt" the ftpaccess file and it works fine now.

Thanks to everyone again. Thread is CLOSED now.

Best Regards
Yogeeraj
PS. the /usr/bin/false is still puzzling me. Why is it different from the one on my HP-UX 11.0.... :)
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Yogeeraj_1
Honored Contributor

Re: FTP restricting Navigation to upper level directories. /usr/bin/false issue?

feedback posted in my last reply.
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)