
Real vs. Guest ftp's users

 
Jose Mosquera
Honored Contributor


Recently I configured wu-ftp on our HP-UX 11.0 host. First, we decided not to configure the anonymous ftp account. Given this, we can now configure just "Real" and/or "Guest" ftp users. I have noticed that "Guest" users are very easy to configure:
1. The user is configured in /etc/passwd: test:x:102:20::/home/test/./:/etc/ftponly
2. "/etc/ftponly" is included in "/etc/shells"
3. A group (ftpguest) is defined in "/etc/group", and the corresponding users are added.
4. The file "/etc/ftpd/ftpaccess" is configured; in particular, the corresponding group is assigned to "guestgroup" (in this case ftpguest)
5. The ftp service definition in "/etc/inetd.conf" is updated (-a option) and the service is restarted (inetd -c)

After this, everything configured in "/etc/ftpd/ftpaccess" begins to be applied to any user included in the group "ftpguest", especially what concerns the user's capacity to do "chroot" and, very important in my case, the restrictions on deleting/overwriting files:

# all the following default to "yes" for everybody
delete no guest,anonymous
overwrite no guest,anonymous
rename no guest,anonymous
chmod no anonymous
umask no anonymous

So far, everything is OK!

However, other defined ftp users must have the capacity to delete and/or overwrite files, but at the same time, and very important for us, -can't do "chroot"-. For the previous example user (test), I converted it from "Guest" to "Real" by removing it from the group "ftpguest". From this moment, the user "test" can delete and/or overwrite files, while every other restriction in the file "/etc/ftpd/ftpaccess" is maintained... but now this user can do "chroot"..!

Is it impossible to control the capacity to do "chroot" for "Real" users?
Is there some alternative?


By the way, I understand that wu-ftp isn't available from the factory for HP-UX 10.20. Is it available as an HP-UX 10.20 patch, or is there any site where I can download it as an HP-UX 10.20 depot file?
F Verschuren
Esteemed Contributor

Re: Real vs. Guest ftp's users

A restricted ftp user can be given more commands. If you copy the commands into ~/username/./bin/
and the lib files into ~/username/./bin/lib/, other commands will also work...
If you do not know which lib to put in, please use the command as the FTP user, and the error will name the missing lib file (there will probably be about 4 lib files that have to be copied).

I hope this is what you were looking for.
James Beamish-White
Trusted Contributor

Re: Real vs. Guest ftp's users

Jose Mosquera
Honored Contributor

Re: Real vs. Guest ftp's users

James,

Thank you for the depot site clue.

Regarding my "big" question, I've reviewed several docs about it, but nothing yet. I'll keep waiting.

Regards
Christopher Caldwell
Honored Contributor

Re: Real vs. Guest ftp's users

Real users aren't chroot'd. That's one of the essential differences between real users and guest users.

From
http://www.wu-ftpd.org/HOWTO/guest.HOWTO

Anonymous FTP is well known; one logs in with the username 'anonymous'
and an email type password.

Real FTP is when someone logs in with a real username and password and
has access to the entire disk structure. This form of access can be
extremely dangerous to system security and should be avoided unless
absolutely necessary and well controlled.

Guest FTP is a form of real FTP; one logs in with a real user name and
password, but the user is chroot'ed to his home directory and cannot
escape from it. This is much safer, and it is a useful way for remote
clients to maintain their Web accounts.
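
To see which accounts fall on which side of the real/guest split described in this thread, the following added sketch (not code from the thread or from wu-ftpd) classifies users from the contents of /etc/passwd, /etc/group, /etc/ftpd/ftpaccess and /etc/shells. The file contents are constructed samples, the function names are hypothetical, and treating a primary GID match as guestgroup membership is an assumption.

```python
# Constructed sample inputs modelled on the thread; not from a real host.
PASSWD = """\
test:x:102:20::/home/test/./:/etc/ftponly
ops:x:103:20::/home/ops:/usr/bin/sh
web:x:104:20::/home/web:/etc/ftponly
bak:x:105:200::/home/bak/./:/bin/false
"""
GROUP = "users::20:\nftpguest::200:test,web\n"
FTPACCESS = "guestgroup ftpguest\ndelete no guest,anonymous\n"
SHELLS = "/usr/bin/sh\n/etc/ftponly\n"

def guest_groups(ftpaccess):
    """Return the group names listed on guestgroup lines of ftpaccess."""
    names = set()
    for line in ftpaccess.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "guestgroup":
            names.update(fields[1:])
    return names

def classify(passwd, group, ftpaccess, shells):
    """Map each user to ("guest" | "real", [findings])."""
    wanted = guest_groups(ftpaccess)
    members, gids = set(), set()
    for line in group.splitlines():
        name, _, gid, users = line.split(":")
        if name in wanted:
            gids.add(gid)
            members.update(u for u in users.split(",") if u)
    valid_shells = set(shells.split())
    report = {}
    for line in passwd.splitlines():
        user, _, _, gid, _, home, shell = line.split(":")
        # Assumption: a primary GID match counts as guestgroup membership.
        is_guest = user in members or gid in gids
        findings = []
        if not is_guest:
            findings.append("real user: not chrooted")
        elif "/./" not in home:
            findings.append("guest home has no /./ marker")
        if shell not in valid_shells:
            findings.append("shell not in /etc/shells")
        report[user] = ("guest" if is_guest else "real", findings)
    return report

if __name__ == "__main__":
    for user, (kind, findings) in classify(PASSWD, GROUP, FTPACCESS, SHELLS).items():
        print(user, kind, "; ".join(findings) or "ok")
```

On a live host, pass the four files' contents read from disk instead of the constants.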