Operating System - HP-UX

Re: How to restrict users to navigate when connected with ftp.

 
Erkan Durmus_1
Occasional Contributor

How to restrict users to navigate when connected with ftp.

When a user makes an ftp connection he can navigate other directories at the server.

Anonymous user's root directory is /home/ftp.
Just like this, I want to make an ordinary user's root directory /home/user_name or any other directory. And he should not be able to access, for example, /home. Is it possible at HPUX 10.20?

Thanks
Brian M. Fisher
Honored Contributor

Re: How to restrict users to navigate when connected with ftp.

I'm not sure how to restrict what directories a user cds into but a good way of monitoring this at HP-UX 10.20 is to change the end of your ftpd line in /etc/inetd.conf to:
ftpd -l -v
Then issue inetd -c

This will cause ftpd to log all connection information to /var/adm/syslog/syslog.log, including who logs in to ftp, what files are copied, and all cd information.

Brian
<*(((>< er
Perception IS Reality
Andy Monks
Honored Contributor

Re: How to restrict users to navigate when connected with ftp.

Have a look at the man page for ftpaccess(4).

It describes all the things you can configure ftpd(1M) to do.

Andy
Berlene Herren
Honored Contributor

Re: How to restrict users to navigate when connected with ftp.

wu-ftpd is the software you want to restrict ftp access. It is NOT HP supported on 10.20, but the FAQ site has instructions on how to port it.

http://www.wu-ftpd.org/wu-ftpd-faq.html


Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Brian M. Fisher
Honored Contributor

Re: How to restrict users to navigate when connected with ftp.

I do not believe the man page for ftpaccess(4) exists at HP-UX 10.20, only 11.x

Brian
<*(((>< er
Perception IS Reality
Steven Sim Kok Leong
Honored Contributor

Re: How to restrict users to navigate when connected with ftp.

Hi,

Another possibility would be to make use of the restricted shell or /usr/bin/rsh as the default login shell during ftp accesses.

With the use of restricted shell, the user can only view and access his own home directory and subdirectories but not others.

Regards.

Steven Sim.
Erkan Durmus
Advisor

Re: How to restrict users to navigate when connected with ftp.

I am giving telnet access to the same users. I make them use restricted shells, but this time they cannot run the programs when they connect with telnet (because the programs have access to some dirs).
Unix is always UNIX
Alan Riggs
Honored Contributor

Re: How to restrict users to navigate when connected with ftp.

Have you tried creating soft links from directories they have access to, to the required programs?
Marcel Boon
Trusted Contributor
Solution

Re: How to restrict users to navigate when connected with ftp.

hello Erkan,

Maybe this helps:

Configuring Anonymous ftp

Anonymous ftp allows users who do not have an account on a given system to send files to, and retrieve them from, that system.

Step 1. Add user ftp to /etc/passwd, for example:
ftp:*:500:1:anonymous ftp:/home/ftp:/usr/bin/false

The password field should be *, the group membership should be guest, or, as in this example, other, and the login shell should be /usr/bin/false.

In this example, user ftp's user ID is 500, and the anonymous ftp directory is /home/ftp.

Step 2. Create the anonymous ftp directory:

Create the ftp home directory that you referred to in the /etc/passwd file, for example:

mkdir /home/ftp

Create the subdirectory /usr/bin under the ftp home directory, for example:

cd /home/ftp

mkdir usr

cd usr

mkdir bin

Step 3. Copy the ls and pwd commands from /sbin and /usr/bin (respectively) to ~ftp/usr/bin, and set the permissions on the commands to executable only (mode 0111):
cp /sbin/ls /home/ftp/usr/bin

cp /usr/bin/pwd /home/ftp/usr/bin

chmod u=x,g=x,o=x /home/ftp/usr/bin/ls

chmod u=x,g=x,o=x /home/ftp/usr/bin/pwd

Step 4. Set the owner of the ~ftp/usr/bin and ~ftp/usr directories to root, and set the permissions to not writable (mode 0555):
chown root /home/ftp/usr/bin

chmod u=rx,g=rx,o=rx /home/ftp/usr/bin

chown root /home/ftp/usr

chmod u=rx,g=rx,o=rx /home/ftp/usr

Step 5. Create the subdirectory etc under the ftp directory, for example:
cd /home/ftp

mkdir etc

Step 6. Copy /etc/passwd and /etc/group to ~ftp/etc.
These files are required by the ls command, to display the owners of files and directories under ~ftp.

cp /etc/passwd /home/ftp/etc

cp /etc/group /home/ftp/etc

Step 7. In all entries in /home/ftp/etc/passwd, replace the password field with an asterisk (*), and delete the shell field, for example:
ftp:*:500:1:anonymous ftp:/home/ftp:
tom:*:8996:20::/home/tom:

Step 8. In all entries in /home/ftp/etc/group, replace the password field with an asterisk (*):
users:*:20:acb
guest:*:21:ftp

Step 9. Change the owner of the files in ~ftp/etc to root, and set the permissions to read only (mode 0444):
chown root /home/ftp/etc/passwd /home/ftp/etc/group

chmod u=r,g=r,o=r /home/ftp/etc/passwd /home/ftp/etc/group

Step 10. Create a directory pub under ~ftp, and change its owner to user ftp and its permissions to writable by all (mode 0777).
Anonymous ftp users can put files in this directory to make them available to other anonymous ftp users.

mkdir /home/ftp/pub

chown ftp /home/ftp/pub

chmod u=rwx,g=rwx,o=rwx /home/ftp/pub

Step 11. Create a directory dist under ~ftp. Change its owner to root and its permissions to writable only by root (mode 0755).
mkdir /home/ftp/dist

chown root /home/ftp/dist

chmod u=rwx,g=rx,o=rx /home/ftp/dist

Step 12. Change the owner of user ftp's home directory to root and the permissions to not writable (mode 0555):
chown root /home/ftp

chmod u=rx,g=rx,o=rx /home/ftp

See the man pages
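
Added example, not part of the post above or of HP's documentation: a POSIX shell check that compares an anonymous ftp tree with the owners and modes listed in steps 3 to 12 and confirms that the copied passwd and group files keep no password hashes or shells. The function names and the two optional owner arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an anonymous-ftp tree against
# the owners and modes given in steps 3-12 of the procedure above.
# Usage: audit_ftp_tree FTP_HOME [ADMIN_OWNER] [PUB_OWNER]
# The owner arguments are assumptions of this example; they default to the
# owners the procedure names (root, ftp). The count is left in $findings.

check() {  # check PATH EXPECTED_PERMS [EXPECTED_OWNER]
    line=$(ls -ld "$1" 2>/dev/null) || {
        echo "MISSING $1"; findings=$((findings + 1)); return 0; }
    perms=$(printf '%s\n' "$line" | cut -c1-10)      # e.g. dr-xr-xr-x
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$perms" = "$2" ] || {
        echo "MODE    $1 is $perms, expected $2"; findings=$((findings + 1)); }
    [ -z "$3" ] || [ "$owner" = "$3" ] || {
        echo "OWNER   $1 is $owner, expected $3"; findings=$((findings + 1)); }
}

audit_ftp_tree() {
    root=$1; admin=${2:-root}; pubowner=${3:-ftp}; findings=0
    check "$root"             dr-xr-xr-x "$admin"     # step 12
    check "$root/usr"         dr-xr-xr-x "$admin"     # step 4
    check "$root/usr/bin"     dr-xr-xr-x "$admin"     # step 4
    check "$root/usr/bin/ls"  ---x--x--x ""           # step 3, owner not stated
    check "$root/usr/bin/pwd" ---x--x--x ""           # step 3, owner not stated
    check "$root/etc/passwd"  -r--r--r-- "$admin"     # step 9
    check "$root/etc/group"   -r--r--r-- "$admin"     # step 9
    check "$root/pub"         drwxrwxrwx "$pubowner"  # step 10
    check "$root/dist"        drwxr-xr-x "$admin"     # step 11
    # Steps 7-8: the copies must hold '*' as password and no login shell.
    # Only the account name is printed, never the offending field.
    for n in $(awk -F: '$2 != "*" || $7 != "" {print $1}' \
                   "$root/etc/passwd" 2>/dev/null); do
        echo "PASSWD  entry '$n' keeps a password field or shell"
        findings=$((findings + 1))
    done
    for n in $(awk -F: '$2 != "*" {print $1}' \
                   "$root/etc/group" 2>/dev/null); do
        echo "GROUP   entry '$n' keeps a password field"
        findings=$((findings + 1))
    done
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]      # exit status 0 only when the tree matches
}

# Run directly as: sh audit.sh /home/ftp
if [ $# -gt 0 ]; then audit_ftp_tree "$@"; fi
```

The script reads permissions from `ls -ld` rather than a `stat` command, so it does not depend on tools outside the base system.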
Erkan Durmus
Advisor

Re: How to restrict users to navigate when connected with ftp.

Firstly, thanks to Brian M. Fisher, Andy Monks, Berlene Herren, Steven Sim Kok Leong, Alan Riggs, M. Boon for their kind responses.

Alan Riggs asks me about using soft links. I did not try this because there are lots of programs called from inside source code. It will need a great amount of work to determine them. I only need to restrict users while they are connected by ftp.

M. Boon says to use anonymous ftp. I am already using this method. But everyone can see others' files. So there is a security problem. I heard something that it is possible to make users log in with their username/passwd again after they are logged in with anonymous. This may help but it will be difficult to educate so many users to do it like this. :)
Unix is always UNIX
Marcel Boon
Trusted Contributor

Re: How to restrict users to navigate when connected with ftp.

Hi Erkan,

What does the file /home/ftp/etc/passwd look like? Can you give me some more information?

Marcel
See the man pages
Berlene Herren
Honored Contributor

Re: How to restrict users to navigate when connected with ftp.

Again, I think wu-ftpd is the way to go. Though it is not supported by HP, there is a way to port it to 10.20. See http://www.wu-ftpd.org/wu-ftpd-faq.html

Regards,
Berlene

http://www.mindspring.com/~bkherren/dobes/index.htm
Alan Riggs
Honored Contributor

Re: How to restrict users to navigate when connected with ftp.

Berlene's solution probably is the best one. If you wish to use the anonymous ftp configuration, though, then follow these steps:

1) enable anonymous ftp
2) create directories underneath the ftp_home for each user or group of users.
3) set permissions and ownership on these directories as you desire.
4) cp /etc/passwd //etc/passwd
5) cp /etc/group //etc/group
6) edit the ftp passwd and group files to include only those users/groups you wish to have anonymous ftp access. Set the home directories to be the directories you created in step 2.
7) users connect as ftp (anonymous), then issue "user " to gain access to their particular directory structures.
Marcel Boon
Trusted Contributor

Re: How to restrict users to navigate when connected with ftp.

OK Berlene,

I saw your answer several times, I am going to try your program and maybe it will convince me.

Regards,

Marcel

See the man pages