
Restrict FTP access to a directory other than the homedir

 
Luis Toro
Regular Advisor

We use the ftpaccess to set up restricted ftp access for "ftp only" accounts. Using /bin/false, and the "guest group", these accounts can only be used to ftp to a specific directory. My new requirement is to restrict the ftp access for regular user accounts to a specific directory, other than their home directory, and restrict it such that they can "cd" out of that ftp directory.
Thanks
Isralyn Manalac_1
Regular Advisor

Re: Restrict FTP access to a directory other than the homedir

You might want to consider chroot for sftp. I've attached the ssh release notes for your reference.

Regards,

Isralyn
Luis Toro
Regular Advisor

Re: Restrict FTP access to a directory other than the homedir

Thanks for the reply, but I don't think ssh is an option since these are endusers that have a predefined [ftp] process. What I'm trying to do is make sure they are restricted when doing an FTP to a directory other than their homedir. The easy option is to create "ftp only" accounts for each user and use the ftpaccess file to configure them as "guest" accounts.
David Lodge
Trusted Contributor

Re: Restrict FTP access to a directory other than the homedir

Look in the ftpaccess file (man ftpaccess). You can configure this to allow 'guest' users. (Note: guest users are *not* anonymous)

All guest users are locked into a chroot gaol which is defined in /etc/passwd.

In essence:
1. Create an ftp group
2. Edit /etc/inetd.conf to add '-a' to the ftpd flags, then reload inetd's conf file (inetd -c)
3. Create a simple /etc/ftpd/ftpaccess file, with something like:

    # Defines a class of users - this is required
    class users real,guest *
    # Any members of the ftp group will be chroot'd
    guestgroup ftp
    # Don't print the FTP/OS version on login
    suppressversion yes
    # Logging - for debugging purposes
    log commands real,guest,anonymous
    log transfers real,guest,anonymous * IN,OUT

4. Create your user, put it in the 'ftp' group and assign a shell of /usr/bin/false (to stop shell logins). The home directory for the user should be /./; for example:

    useradd -g ftp -s /usr/bin/false -c "Chroot FTP user,,," -d /var/opt/staging/./foo foo

5. Create the home directory (in the above example: /var/opt/staging/foo)

One point about this; by default they won't be able to do an 'ls' command from within FTP - but they can still use 'nlist'
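
A check for the setup in the steps above, as an added example that is not part of the original post: it reads the guestgroup names from an ftpaccess file and flags accounts in those groups whose passwd home directory lacks the /./ chroot marker or whose shell is not a "false" binary. The function names, the sample files and the treatment of members listed in the group file as covered are assumptions.

```shell
#!/bin/sh
# Added example: audit accounts covered by "guestgroup" lines in ftpaccess.
# usage: audit_guest_ftp <ftpaccess> <passwd> <group>
audit_guest_ftp() {
    awk -F: -v FA="$1" -v GR="$3" '
    BEGIN {
        # Collect group names from "guestgroup <name> [<name> ...]" lines.
        while ((getline line < FA) > 0) {
            n = split(line, f, /[ \t]+/)
            if (f[1] != "guestgroup") continue
            for (i = 2; i <= n; i++) if (f[i] != "") guest[f[i]] = 1
        }
        # Map guest group names to GIDs and to members listed in the group
        # file (assumption: listed members are treated as guests too).
        while ((getline line < GR) > 0) {
            split(line, g, ":")
            if (!(g[1] in guest)) continue
            gid[g[3]] = 1
            m = split(g[4], u, ",")
            for (i = 1; i <= m; i++) member[u[i]] = 1
        }
    }
    ($4 in gid) || ($1 in member) {
        # Home must contain "/./" to mark where the chroot ends.
        if (index($6, "/./") == 0) print "NO_CHROOT_MARKER " $1
        # Shell must not allow an interactive login.
        if ($7 != "/usr/bin/false" && $7 != "/bin/false") print "LOGIN_SHELL " $1
    }' "$2"
}

# Constructed sample files (not taken from a real host).
make_sample() {
    d=$1
    printf '%s\n' 'class users real,guest *' '# chroot the ftp group' \
        'guestgroup ftp' > "$d/ftpaccess"
    printf '%s\n' 'ftp::200:carol' 'users::20:' > "$d/group"
    printf '%s\n' \
        'foo:*:501:200:Chroot FTP user,,,:/var/opt/staging/./foo:/usr/bin/false' \
        'bob:*:502:200::/home/bob:/usr/bin/sh' \
        'carol:*:503:20::/var/opt/staging/./carol:/usr/bin/sh' \
        'dave:*:504:20::/home/dave:/usr/bin/sh' > "$d/passwd"
}

# Demo run against the constructed sample.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_guest_ftp "$tmp/ftpaccess" "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

On a live system the three arguments would be /etc/ftpd/ftpaccess, /etc/passwd and /etc/group; no output means every guest account has both the marker and a non-login shell.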
jaru_1
New Member

Re: Restrict FTP access to a directory other than the homedir

Hi, I use the ftpaccess to set up restricted ftp access for "ftp only". It works, but I can't see the files in the directory; only from the command line can I see the files.
Steven Schweda
Honored Contributor

Re: Restrict FTP access to a directory other than the homedir

> hi , [...]

It would be better to start a new thread with
your new question, rather than waking up this
very old and mostly unrelated thread.

When you do that, show an "ls -lR" listing
for a user's home directory.

Or, do a Forum search, and look for your
problem, which has almost certainly been
covered before.