Operating System - HP-UX

How can I restrict an ftp user within its home directory?

 
Crystal_1
Frequent Advisor

How can I restrict an ftp user within its home directory?

Hi,

I cannot come up with a solution to restrict an ftp user within its home directory. I cannot use a restricted shell because I have to use /bin/false to disable its telnet... I am thinking "restricted filesystem". But I have not used it before. Can anybody tell me if there is a solution?

Thanks
Rusty Sapper
Frequent Advisor

Re: How can I restrict an ftp user within its home directory?

I think ftpaccess has that capability. Look at the man page for ftpaccess.

HTH


-Rusty
Sanjay_6
Honored Contributor

Re: How can I restrict an ftp user within its home directory?

Hi Crystal,

Try ftpaccess if the OS version is 11.x. Do man ftpaccess to learn more about how to configure ftpaccess to restrict the user's ftp access to a system.

Hope this helps.

Regds
Jeffrey S. Sims
Trusted Contributor

Re: How can I restrict an ftp user within its home directory?

Crystal,

There is another thread at http://forums.itrc.hp.com/cm/QuestionAnswer/0,,0x8dac3fa720f3d5118ff40090279cd0f9,00.html that had the same problem. As posted by harry_d_brown_jr:

begin quoted thread -->From the man pages of ftpaccess:

In the /etc/passwd file, the sample entry is:

guest1::100:92:Guest Account:/ftp/./incoming:/etc/ftponly

When guest1 successfully logs in, the ftp server will chroot(/ftp) and then chdir(/incoming). The guest user will only be able to access the directory structure under /ftp (which will look and act as / to guest1), just as an anonymous FTP user would. <--end quoted thread

Here is a link to the ftpaccess manpage for you to look at if this didn't answer your question.
http://www.wu-ftpd.org/man/ftpaccess.html

Hope this helps.

(remember to assign points based on the amount of help a post provided, thanks)
LB4
Valued Contributor
Solution

Re: How can I restrict an ftp user within its home directory?

Steps to be followed:

1. Make the edits to the /etc/passwd file by adding users:

ftpguest:4rL2HZkDatENY:505:125::/home/ftp/ftpguest/./:/usr/bin/false

'.' is the delimiter to determine where the chroot will be performed. In
this example, after logging in '/' will in effect be /home/ftp/ftpguest.
If the delimiter was placed between ftp and ftpguest then '/' would be
/home/ftp. ftpguest was used as the account name in this example but you
could use any name you like.

2. /usr/bin/false will have to be added to the /etc/shells file.
See man(4) shells for further details

3. Make the edits to the /etc/group file

ftpgroup::125:ftpguest

- Create and set the permissions and ownership for the directory
(/home/ftp/ftpguest) to what suits you best.

4. Add an entry into the ftpaccess file. This file will most probably have to
be copied from the /usr/newconfig/etc/ftpd/ftpaccess to /etc/ftpd/ftpaccess.

Add a guestgroup entry (in the /etc/ftpd/ftpaccess file) to allow a group
of users to be treated as 'guests'. This entry will correspond to the entry
in the /etc/group file. Here is a sample of the ftpaccess file to use guest
groups.

# specify which group of users will be treated as "guests".
guestgroup ftpgroup

5. Edit the /etc/inetd.conf file and add the '-a' option to enable ftpd to
use the ftpaccess file. Here is an example:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

You will need to reconfigure inetd by running /usr/sbin/inetd -c to
reread the /etc/inetd.conf file after making the change.

6. Since this is similar to anonymous FTP in the respect that you are in a
chrooted area (the path to / is different than on your system) you will
also have to replicate the /usr/bin and /etc directories. The easiest way
to do this is to use SAM to create an anonymous FTP setup and then replicate
the /etc & /usr/bin directories into your ftp guest root directory. Here
is an example of how you would replicate the ~ftp/usr and ~ftp/etc directory
to your new ftp guest directory. We use the ftpguest user in this example.

cp -R ~ftp/usr ~ftpguest/usr
cp -R ~ftp/etc ~ftpguest/etc

At this point you should have the files and programs needed for your
ftpguest user.

** This is dependent upon where the '.' delimiter has been positioned. If
the delimiter is positioned prior to the ftp username then only the root
directory (/home/ftp) needs to contain a /usr & /etc directory structure.
If the delimiter is placed post the username then each individual user
will require this directory structure.
Crystal_1
Frequent Advisor

Re: How can I restrict an ftp user within its home directory?

Thanks, guys... I will try it now...

BTW, how can I search the relevant postings before I open a new issue? Can I only use the "search" under "IT resource center"?

Crystal
Ron Kinner
Honored Contributor

Re: How can I restrict an ftp user within its home directory?

I prefer to search the forum using www.google.com. If you add "hp-ux forum" or "it resource center forums" to the search that will limit it pretty much to the forum and google is MUCH faster than HP's search engine. It may miss some of the newer posts but most of the questions tend to repeat anyway.

Ron
Bart Paulusse
Respected Contributor

Re: How can I restrict an ftp user within its home directory?

using "search" on the ITRC returns a lot of useful postings if you "check" the Community Forums box.

man ftpaccess tells you what you need to know.

regards,
Bart
someone_4
Honored Contributor

Re: How can I restrict an ftp user within its home directory?

Hello
Maybe a little late, but here is a doc on ftp.

Richard
Sanjay_6
Honored Contributor

Re: How can I restrict an ftp user within its home directory?

Jeffrey S. Sims
Trusted Contributor

Re: How can I restrict an ftp user within its home directory?

Crystal,

Just wanted to remind you to assign points if the information was helpful. Hope these ideas and suggestions were beneficial to you.
Crystal_1
Frequent Advisor

Re: How can I restrict an ftp user within its home directory?

Hi,

I have tried the solutions provided, such as from Louis and Sanjay. Unfortunately, I could not get the satisfactory result. Here are the outcomes:

1. Following the steps correctly and logging with ftpguest id, I could not see any files I created under the /home/ftp/ftpguest with "ls" command.

2. Only the "ftpguest" id can ftp to the system, no other ids. (I am not sure whether this is because of the configuration file /etc/ftpd/ftpaccess.)

3. I could not get back to the original situation: because I did block other ids' ftp service (refer to point 2), I removed the /etc/ftpd/ftpaccess which did not exist on the system and took out the "-a" option from /etc/inetd.conf. I even removed the id ftpguest and ftpgroup. In addition, I ran the "inetd -c" command....

Still I could not allow others to ftp to the system.

Should I reboot the system to fix this?

Besides, I took a look at wu_ftpd. It doesn't describe how to configure it in detail and it is hard to follow. I prefer the solution mentioned above...

Please point out what might be wrong with the steps I followed...

Thanks a lot



Crystal_1
Frequent Advisor

Re: How can I restrict an ftp user within its home directory?

Hi,

After I re-checked the steps, other ids can use ftp now. However, the ftp id still cannot do anything, neither "put" nor "get" a file.

Does anybody have a clue?

Thanks
Sanjay_6
Honored Contributor

Re: How can I restrict an ftp user within its home directory?

Hi Crystal,

Can you outline the steps you have performed and also can you attach your /etc/ftpd/ftpaccess file for us to look at.

Hope this helps.

Regds
Crystal_1
Frequent Advisor

Re: How can I restrict an ftp user within its home directory?

Hi,

I have been working on this during my whole holidays...really drives me crazy...

I did follow all the steps in the attachment exactly. I am thinking it maybe just applies to HP-UX 11.0, not 11i. That is the only thing I can think of...

As to the /etc/ftpd/ftpaccess, I did not change anything after I copied it from /usr/newconfig/etc/ftpd/ftpaccess. In addition, one point here: when I went through the /var/adm/syslog/syslog.log, I found something related to the configuration "private yes" which requires /etc/ftpd/ftpgroups existing. I did change this to "private no" and gave another try, it was the same...

Please help me out, my work is due Tomorrow ...

Thanks

Crystal
Sanjay_6
Honored Contributor

Re: How can I restrict an ftp user within its home directory?

Hi Crystal,

Your attachment did not come through. I cannot see anything in your attachment. Post your email address and I'll try to send you a sample ftpaccess from one of my systems tomorrow first thing in the morning.

I've got ftpaccess configured and running on a couple of my systems. It is true I'm using 11.0, but I don't think there should be any problem if you are using 11i.

If I send you the ftpaccess from my system, return your ftpaccess file as an attachment to the same email address and I will try to see if I can help.

Hope this helps.

Regds
Crystal_1
Frequent Advisor

Re: How can I restrict an ftp user within its home directory?

Sanjay,

The attachment I posted is the same as that of Richard's. What I can guess, the key point is the ftpaccess file. Please attach the file you are using or email me through hmy6@yahoo.com.

Thanks
Rita C Workman
Honored Contributor

Re: How can I restrict an ftp user within its home directory?

Hi Crystal,

Mr. Kivens has given you a good start for setting this up. But to copy /etc was an overstatement (..if I read his post right). Remember to fine tune your ftpaccess file.
So for ls and pwd the one thing I will mention is this:
On each account you set up and chroot (.../home/user/./):
I generally create a directory bin under each users home directory
mkdir /home/user/bin
Then I copy the following into that directory
cp /sbin/ls /home/user/bin
cp /usr/bin/pwd /home/user/bin

chown root /home/user/bin
chmod 0555 /home/user/bin

By doing the above, the 'locked down' user will be able to run the commands ls and pwd. The cd command will only let them move within their /home directory, and the get and put commands will work as usual.

Hope this helps,
Rit
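The two recipes above (LB4's passwd entry with the /./ delimiter, shells file, group and jail layout, and Rita's copies of ls and pwd into the jail) can be checked mechanically. The following is an added example, not code from the thread or from HP: a small POSIX sh audit that splits a guest account's home field at /./ into the chroot root and the post-login working directory, then checks the jail for the things the replies say a guest login needs. Every path is a parameter, so the run at the bottom uses a constructed sample tree (labelled as such in the comments) rather than the real /etc/passwd, /etc/shells and /home/ftp/ftpguest; the locations it looks in for ls and pwd (usr/bin under the jail, as SAM's anonymous-FTP setup lays it out, and bin as in Rita's recipe) are taken from those two posts and are assumptions about your layout. Both user names ftpnoshell and ftpplain, and the x password field, are invented for the sample.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a wu-ftpd "guest" account
# of the kind set up in the replies: splits the passwd home field at the
# /./ delimiter into chroot root and post-login cwd, then checks the jail
# for what a guest login needs (shell listed in the shells file, a readable
# and searchable jail root, ls and pwd copied into the jail). All paths are
# parameters; the run at the bottom uses a constructed sample tree.

# guest_root HOME: part of the home field before /./ (empty if no delimiter)
guest_root() {
  case "$1" in
    */./*) printf '%s\n' "${1%%/./*}" ;;
    *)     printf '\n' ;;
  esac
}

# guest_cwd HOME: directory ftpd chdirs to after the chroot, as seen inside the jail
guest_cwd() {
  case "$1" in
    */./*) rest="${1#*/./}"; printf '/%s\n' "${rest%/}" ;;
    *)     printf '\n' ;;
  esac
}

# passwd_field FILE LOGIN N: field N of LOGIN's line in a passwd-style file
passwd_field() {
  awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# audit_guest PASSWD SHELLS LOGIN: prints one line per check and returns the
# number of failed checks (0 means the jail has everything the thread asks for)
audit_guest() {
  pwfile=$1; shellsfile=$2; login=$3; fails=0
  home=$(passwd_field "$pwfile" "$login" 6)
  shell=$(passwd_field "$pwfile" "$login" 7)
  root=$(guest_root "$home")
  if [ -z "$root" ]; then
    echo "FAIL: $login: home '$home' has no /./ delimiter, so ftpd will not chroot"
    return 1
  fi
  echo "ok: $login chroots to $root and lands in $(guest_cwd "$home")"

  # ftpd rejects logins whose shell is not in the shells file, /usr/bin/false included
  if grep -qxF "$shell" "$shellsfile"; then
    echo "ok: shell $shell is listed in $shellsfile"
  else
    echo "FAIL: shell $shell is not listed in $shellsfile"; fails=$((fails + 1))
  fi

  # the original poster's final problem: ls shows nothing unless the guest
  # can read and search the jail root
  if [ -d "$root" ] && [ -r "$root" ] && [ -x "$root" ]; then
    echo "ok: jail root $root is readable and searchable"
  else
    echo "FAIL: jail root $root is missing or not readable/searchable"; fails=$((fails + 1))
  fi

  # after chroot only binaries copied into the jail exist: SAM's anonymous
  # setup puts them under usr/bin, Rita's recipe under bin (assumed layouts)
  for cmd in ls pwd; do
    if [ -x "$root/usr/bin/$cmd" ] || [ -x "$root/bin/$cmd" ]; then
      echo "ok: $cmd is present inside the jail"
    else
      echo "FAIL: no executable $cmd under $root/usr/bin or $root/bin"; fails=$((fails + 1))
    fi
  done
  return "$fails"
}

# --- constructed sample standing in for the real files (not from the thread) ---
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/jail/usr/bin" "$SAMPLE/jail/etc"
: > "$SAMPLE/jail/usr/bin/ls"; : > "$SAMPLE/jail/usr/bin/pwd"
chmod 555 "$SAMPLE/jail/usr/bin/ls" "$SAMPLE/jail/usr/bin/pwd" "$SAMPLE/jail"
printf '/sbin/sh\n/usr/bin/sh\n/usr/bin/false\n' > "$SAMPLE/shells"
cat > "$SAMPLE/passwd" <<EOF
ftpguest:x:505:125::$SAMPLE/jail/./:/usr/bin/false
ftpnoshell:x:506:125::$SAMPLE/jail/./:/bin/false
ftpplain:x:507:125::$SAMPLE/jail/ftpplain:/usr/bin/false
EOF

for u in ftpguest ftpnoshell ftpplain; do
  echo "== $u"
  audit_guest "$SAMPLE/passwd" "$SAMPLE/shells" "$u" || echo "   $? check(s) failed"
done
```

On a real system, run the audit as `audit_guest /etc/passwd /etc/shells ftpguest`; the sample passwd lines deliberately include one account whose shell is not in the shells file and one whose home has no /./ delimiter, so the two failure modes the thread ran into show up as FAIL lines.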
Rita C Workman
Honored Contributor

Re: How can I restrict an ftp user within its home directory?

Hi again Crystal,

Read a little more .. make it simple first. Some quick things to try..

Check if you have /etc/ftpd/ftpgroups file. Remove it (you can put it back when you want to get sitepass set up..for now try removing it)

Now you need to edit your /etc/ftpd/ftpaccess file. Comment out the private line that refers to the sitepass ftpgroups.
To test and make sure your ftpaccess file is being read, create a file /etc/ftpmotd and edit it to say whatever you want to appear in the login banner:
" This is the FTP login created by Crystal..."
Now edit the /etc/ftpd/ftpaccess to
banner /etc/ftpmotd
Comment out the other banner statements if you want.
Now near the bottom, there's a section called 'treat the following as guest'
Put these new users login (user_name) in this section.

Make sure your /etc/inetd.conf for the ftp line end with "-a"

ftp stream ....../lbin/ftpd ftpd -l -a

Recycle inetd (or you may want to stop/start)
/usr/sbin/inetd -c to recycle


Just some thoughts,
Rit
Crystal_1
Frequent Advisor

Re: How can I restrict an ftp user within its home directory?

Hi,

Thanks all of you for your input here.

I finally got it running. The problem is that the home directory's permissions did not allow me to look at the files or dirs below...

Hoo...I can take a rest now...

*-*