HPE Community
Operating System - HP-UX
1822231 Members
3596 Online
109642 Solutions
New Discussion

Re: how can i create an ftp user that is restricted to a subdirectory tree?

 
jesc516
Occasional Contributor

‎10-09-2015 09:11 AM

‎10-09-2015 09:11 AM

how can i create an ftp user that is restricted to a subdirectory tree?

i would like to create a user that only has ftp access (no shell) and can upload and download files within a subdirectory tree.

 

for example, say i have a directory /xyz/client and within i have /xyz/data/client_1, /xyz/data/client_2 etc...

 

the ftp user should be able to upload and download files anywhere after /xyz/client.  if i add /xyz/client_3 directory later on, the user should be able to upload and downfile files to that directory aswell.

 

in short, the user will only have access to /xyz/client and beyond with the ability to upload and download files.

 

if someone can guide me in the right direction i will greatly appreciate it.

 

i am on hpux 11i v2.

0 Kudos
Reply
1 REPLY 1
Steven Schweda
Honored Contributor

‎10-09-2015 03:36 PM

‎10-09-2015 03:36 PM

Re: how can i create an ftp user that is restricted to a subdirectory tree?

> i am on hpux 11i v2.

   I have 11.31, but these things should be similar.  But it's been a
long time since I did this, so I know nothing.  But, ...

> i would like to create a user that only has ftp access (no shell) and
> can upload and download files within a subdirectory tree.

   You may not be the first person with such a requirement.  A Forum (or
Web) search for keywords like, say:
      ftp chroot guest
should find many examples, such as:

      http://h30499.www3.hp.com/t5/x/x/m-p/4499614

   The "no shell" part is done by specifying "/bin/false" as the shell
for the new user.

   The "within a subdirectory tree" part is done by making the new user
an FTP "guest" user, which tells ftpd to do a chroot(), providing the
desired file system isolation.

 

      man ftpd
      man ftpaccess

   I can't vouch for the posted list(s) of run-time libraries and so on
required in the new user's usr/lib directory, but I dimly recall seeing
some helpful error messages in some log file somewhere when something is
missing.  (After the chroot() to the guest user's pseudo-root directory,
the normal /usr/bin and /usr/lib aren't there, so you need to create and
populate a new, guest-specific [/]usr directory with enough stuff to get
"ls" to work, assuming that you want the guest FTP user to be able to
get a directory listing.)  Possibly useful:

      ldd /usr/bin/ls

    For experimentation, you can do chroot() interactively, and fiddle
around until "ls" works that way.

      man 1m chroot


   This may be good enough to get started.  Re-inquire when it all goes
wrong.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.