K Froggatt
New Member

Problem with anonymous FTP since upgrade to UX 11

On UX10.20 we used anonymous FTP for users to connect to our servers. Once connected anonymously (and hence chrooted) they then issue a USER command and log in as the user appropriate to their application to get/put data. Under UX11 the mechanism seems to have changed, so users can be chrooted without having to go via the anonymous account. However, implementing this would require application changes on external systems. Is it possible to configure FTP on UX11 in a (supported) way to work as it did on UX10.20?

Thanks in advance.
Vincenzo Restuccia
Honored Contributor

Re: Problem with anonymous FTP since upgrade to UX 11

Configuring Anonymous ftp Access

Anonymous ftp allows a user without a login on your host to transfer files to and from a public directory. A user types the ftp command to connect to your host and types anonymous or ftp as a login name. The user can type any string of characters as a password. (By convention, the password is the host name of the user's host.) The anonymous user is then given access only to user ftp's home directory, usually called /home/ftp.

Configuring anonymous ftp access involves the following tasks, described in this section:

- To Add User ftp to /etc/passwd
- To Create the Anonymous ftp Directory

You can follow the instructions in this section, or you can use SAM to configure anonymous ftp access. SAM (System Administration Manager) is Hewlett-Packard's windows-based user interface for performing system administration tasks. To run SAM, type sam at the HP-UX prompt. SAM has an extensive online help facility.

To Add User ftp to /etc/passwd

Use a text editor to add a line for user ftp to the /etc/passwd file, as in the following example:

ftp:*:500:guest:anonymous ftp:/home/ftp:/usr/bin/false

The password field should be *, the group membership should be guest, and the login shell should be /usr/bin/false. In this example, user ftp's user ID is 500, and the anonymous ftp directory is /home/ftp.

Type man 4 passwd at the HP-UX prompt for information on the passwd file.

To Create the Anonymous ftp Directory

Create the ftp home directory that you configured in the /etc/passwd file, as in the following example:

cd /home
mkdir ftp

Create the subdirectory /usr/bin under the ftp home directory:

cd /home/ftp
mkdir usr
cd usr
mkdir bin

Copy the ls and pwd commands from /sbin to ~ftp/usr/bin, and set the permissions on the commands to 0111 (executable only):

cp /sbin/ls /home/ftp/usr/bin
cp /sbin/pwd /home/ftp/usr/bin
chmod 0111 /home/ftp/usr/bin/ls
chmod 0111 /home/ftp/usr/bin/pwd

Set the owner of the ~ftp/usr/bin and ~ftp/usr directories to root, and set the permissions to 0555 (not writeable):

chown root /home/ftp/usr/bin
chmod 0555 /home/ftp/usr/bin
chown root /home/ftp/usr
chmod 0555 /home/ftp/usr

Create the subdirectory etc under the ftp home directory:

cd /home/ftp
mkdir etc

Copy /etc/passwd and /etc/group to ~ftp/etc. These files are required by the ls command, to display the owners of files and directories under ~ftp.

cp /etc/passwd /home/ftp/etc
cp /etc/group /home/ftp/etc

Replace the password field in all entries in /home/ftp/etc/passwd with *, and delete the shell field from the end of each entry:

ftp:*:500:guest:anonymous ftp:/home/ftp:
acb:*:8996:20::/home/acb:

Replace the password field in all entries in /home/ftp/etc/group with *:

users:*:20:acb
guest:*:21:ftp

Set the owner of the files in ~ftp/etc to root, and set the permissions to 0444 (read only):

chown root /home/ftp/etc/passwd
chmod 0444 /home/ftp/etc/passwd
chown root /home/ftp/etc/group
chmod 0444 /home/ftp/etc/group

Set the owner of ~ftp/etc to root, and set the permissions to 0555 (not writeable):

chown root /home/ftp/etc
chmod 0555 /home/ftp/etc

Create a directory called pub under ~ftp. Set its owner to user ftp and its permissions to 0777 (writeable by all). Anonymous ftp users can put files in this directory to make them available to other anonymous ftp users.

mkdir /home/ftp/pub
chown ftp /home/ftp/pub
chmod 0777 /home/ftp/pub

Create a directory called dist under ~ftp. Set its owner to user root and its permissions to 0755 (writeable only by root). The superuser can put read-only files in this directory to make them available to anonymous ftp users.

mkdir /home/ftp/dist
chown root /home/ftp/dist
chmod 0755 /home/ftp/dist

Set the owner of user ftp's home directory to root and the permissions to 0555 (not writeable).

chown root /home/ftp
chmod 0555 /home/ftp

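The whole procedure from the reply above, scripted so the tree can be built and its modes checked in one go. This is an added example, not the HP manual's or the poster's own commands: the manual's fixed paths are replaced by a root directory argument (standing in for /home/ftp), the ls and pwd binaries are taken from PATH or /bin rather than /sbin, and the chown steps run only when the script is executed as uid 0, so it can be exercised unprivileged against a constructed passwd/group pair.

```shell
#!/bin/sh
# Added example (not from the HP manual): build the anonymous-ftp chroot tree
# under $1 and apply the modes from the procedure, then let the caller verify.

# passwd copy for ~ftp/etc: password field -> "*", trailing shell field dropped.
sanitize_passwd() {
    awk -F: 'BEGIN { OFS = ":" } { $2 = "*"; $7 = ""; print }' "$1"
}

# group copy for ~ftp/etc: password field -> "*".
sanitize_group() {
    awk -F: 'BEGIN { OFS = ":" } { $2 = "*"; print }' "$1"
}

# mode_is PATH OCTAL: exact permission check using POSIX find (no GNU stat).
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# build_ftp_chroot ROOT SRC_PASSWD SRC_GROUP
build_ftp_chroot() {
    root=$1
    mkdir -p "$root/usr/bin" "$root/etc" "$root/pub" "$root/dist"
    # Minimal command set for the chrooted session, executable only (0111).
    for cmd in ls pwd; do
        src=$(command -v "$cmd" 2>/dev/null)
        [ -f "$src" ] || src=/bin/$cmd        # a builtin pwd reports no path
        cp "$src" "$root/usr/bin/$cmd" && chmod 0111 "$root/usr/bin/$cmd"
    done
    # Name-lookup files that ls needs, stripped of password hashes and shells.
    sanitize_passwd "$2" > "$root/etc/passwd"
    sanitize_group  "$3" > "$root/etc/group"
    chmod 0444 "$root/etc/passwd" "$root/etc/group"
    if [ "$(id -u)" -eq 0 ]; then          # ownership steps need privilege
        chown root "$root" "$root/usr" "$root/usr/bin" "$root/etc" \
                   "$root/etc/passwd" "$root/etc/group" "$root/dist"
        id ftp >/dev/null 2>&1 && chown ftp "$root/pub"
    fi
    chmod 0777 "$root/pub"                    # anonymous drop box, per the manual
    chmod 0755 "$root/dist"                   # root-published, read-only to others
    chmod 0555 "$root/usr/bin" "$root/usr" "$root/etc"
    chmod 0555 "$root"                        # last: the home dir itself is read-only
}
```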
Rita C Workman
Honored Contributor

Re: Problem with anonymous FTP since upgrade to UX 11

Here's a thread that contains some helpful anonymous ftp....and it was done on an 11.0 system.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0xd5ab53921f1ad5118fef0090279cd0f9,00.html

Hope it helps you,
Rita
K Froggatt
New Member

Re: Problem with anonymous FTP since upgrade to UX 11

Thank you for your feedback. The 'standard' anonymous FTP setup is already done and working. The bit I am having trouble with is providing discrete areas for each application to get/put data.
In the original 10.20 implementation users logged in via anonymous FTP because this was the only way we knew of chrooting them. The underlying unix permissions meant they could not get/put data as the anonymous user, only when they USERed to their own FTP account. Each application had its own ftp account and group, separate from the 'application owner' account. The application owner account was a member of the application ftp group (a separate group for each application) and therefore could access the FTP files associated with the application via the group permission. i.e.

appftp is the ftp account for application 'app'.
app is the application owner account for application 'app'.

The user appftp is a member of the group appftp.

The user app is a member of the app and appftp groups.

Files are delivered to application app via the appftp account. This account can only be accessed once the user has logged into the anonymous FTP account and issues a USER command.

Can we make UX11 behave like this?

If we have to use the new UX11 way as I understand it all the FTP users would have to be set up as 'guest' accounts i.e. in the guest group. This would cause problems accessing the files from application owner accounts via the group permission. Also a change to the way FTP works will mean changes on external systems. These problems are not insurmountable (?) but it would be better if we could make the change transparent.

Hope this explains better!
Rita C Workman
Honored Contributor

Re: Problem with anonymous FTP since upgrade to UX 11

If I understand what you want, you want to ftp and control who gets rights to what directories once logged in...user app to all and user appftp to only appftp.
Well, I would probably not try to figure out a way to run USER after I logged in.
I would create 2 (ftp) accounts. First user=app at /home/app and then user=appftp at /home/app/appftp.
In the passwd file I would do a chroot to secure appftp to their directory(ies) only by
appftp:1234:......./home/app/appftp/./usr/bin/ksh
and if I wanted to secure user app to their directory:
app:1233:...../home/app/./usr/bin/ksh
Remember to copy /sbin/ls and /usr/bin/pwd under their home directory, so they have these commands.
Doing this, user appftp could put/get files from that mountpoint (and below) only. And user app could put/get files from the higher mountpoint and below down through appftp files.

Now, if you want specific rights for groups you could specify the group in your ftpaccess and give rights, or leave them as guest so the only place they are going is where you have chrooted them...granted they would not have to run USER to re-login, since they never logged in as anonymous...they logged in as themselves from the first login prompt.

Just a thought, hope it makes some sense...(cause I have this set up..and so far it works for us)
Regards,
Rita