Operating System - HP-UX
restrict userid to execute FTP command only

James Ellis_1
Super Advisor

I have the idea on how to do this, but I want to verify I got this right. I have a userid, let's call it jobftp, and it is a member of group users.

I want to use this ID to manually execute ftp jobs from another server (Microsoft) to an HPUX server. To set this up, I would do this:

-in /etc/passwd, set the user's home directory to /bin/false
-in the /etc/shells directory, add /bin/false

A bit more information, the user will login using the jobftp ID, but the only command this user ID can execute is ftp.

Is this the best way to do this?

Thanks.
"In the middle of difficulty lies opportunity" -Einstein
Sridhar Bhaskarla
Honored Contributor

Re: restrict userid to execute FTP command only

Hi,

Set him up with the shell '/usr/bin/rsh' and give him a profile that only looks at a certain path. For example, create a directory /home/jobftp with a .profile containing only the following line:

PATH=/usr/restrict/bin

Change the ownership of this file to root:bin with only 400 permissions.

Copy /usr/bin/ftp into /usr/restrict/bin. Do not add anything to it.

Now the user, after logging in, can only execute the ftp command.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Patrick Wallek
Honored Contributor

Re: restrict userid to execute FTP command only

The home dir should not be /bin/false; rather, the user's default shell (the LAST field on the line) should be /bin/false or /usr/bin/false.

Sridhar Bhaskarla
Honored Contributor
Solution

Re: restrict userid to execute FTP command only

Ahh.. I didn't quite read your message (yet another one).

If you make it /bin/false, then the user cannot login. So, the best way is to make the shell /usr/bin/ftp and add /usr/bin/ftp to /etc/shells.

The user logs in and gets an ftp prompt. He or she will have to type "o systemname", etc.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Steven E. Protter
Exalted Contributor

Re: restrict userid to execute FTP command only

Long term, you need to test the configuration yourself.

I would want things structured so the user is in a chroot jail. That means the user's home directory is root. That's if you allow a telnet/ssh login at all, which you currently are not doing.

The user can't cd up to the real root.

In this scenario the user may need an actual home directory that's in a position to access the files you want the user to access.

Under your current setup the user cannot log on with telnet. So the only way in or out is by ftp.

Other things to consider:

Why use ftp at all?

Authentication is clear text.

Why not use a Secure Shell, which includes a secure ftp server for the server side?

You'll need a client for the Microsoft side and that will cost a few dollars.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Dave La Mar
Honored Contributor

Re: restrict userid to execute FTP command only

Attached is the HP doc I have used, in PDF format.

Best of luck.

Regards,

dl
"I'm not dumb. I just have a command of thoroughly useless information."
James Ellis_1
Super Advisor

Re: restrict userid to execute FTP command only

Still waiting to be able to edit the user's default shell path.

By the way, can the /etc/passwd file be edited directly?

Thanks.
"In the middle of difficulty lies opportunity" -Einstein
Sridhar Bhaskarla
Honored Contributor

Re: restrict userid to execute FTP command only

James,

Now with "vi". You will need to use 'vipw' to edit the passwd file. It sets the appropriate locks so that another session won't change the password file simultaneously.

You can also use the "chsh" command to change the shell. For example,

chsh jobftp "/usr/bin/ftp"

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: restrict userid to execute FTP command only

Hmmm.. small correction. Please read "now" as "not" in the first line. My hand doesn't type what my brain says. Sorry.
You may be disappointed if you fail, but you are doomed if you don't try
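The setup described in the accepted answer and in the vipw/chsh post has two parts that both have to be right: the login shell field for jobftp in /etc/passwd must be /usr/bin/ftp, and that same path must appear in /etc/shells. The check below is an added example, not code from this thread or from HP; it audits both parts against constructed copies of the two files (the sample entries, the temp-file paths and the exit codes are assumptions), so it runs offline and can be pointed at the real /etc/passwd and /etc/shells on the HP-UX box afterwards.

```shell
#!/bin/sh
# Audit an ftp-only account as set up in this thread: the login shell field in
# passwd must be /usr/bin/ftp, and that path must also be listed in the shells
# file, or ftpd refuses the login. Both files are passed as arguments so the
# check can run here against constructed copies instead of /etc/passwd and
# /etc/shells.

# Constructed sample files (assumptions for the example, not from the thread).
SAMPLE_PASSWD=$(mktemp); SAMPLE_SHELLS=$(mktemp); SHELLS_NO_FTP=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:3::/:/sbin/sh
jobftp:x:501:20:ftp job account:/home/jobftp:/usr/bin/ftp
backup:x:502:20:backup account:/home/backup:/usr/bin/sh
EOF
cat > "$SAMPLE_SHELLS" <<'EOF'
/sbin/sh
/usr/bin/sh
/usr/bin/ftp
EOF
printf '/sbin/sh\n/usr/bin/sh\n' > "$SHELLS_NO_FTP"   # the /etc/shells step was skipped

# login_shell USER PASSWD_FILE: print USER's shell field; fail if USER is absent
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "$2"
}

# check_ftp_only USER PASSWD_FILE SHELLS_FILE
#   0: shell is /usr/bin/ftp and listed in SHELLS_FILE (account is ftp-only)
#   1: shell is something else, so the account could get a real shell
#   2: shell is /usr/bin/ftp but not in SHELLS_FILE, so ftpd will reject it
#   3: USER not found in PASSWD_FILE
check_ftp_only() {
    user=$1; passwd=$2; shells=$3
    shell=$(login_shell "$user" "$passwd") || { echo "$user: no such user" >&2; return 3; }
    if [ "$shell" != /usr/bin/ftp ]; then
        echo "$user: login shell is $shell, not /usr/bin/ftp" >&2; return 1
    fi
    if ! grep -qx "$shell" "$shells"; then
        echo "$user: $shell is not listed in $shells" >&2; return 2
    fi
    echo "$user: ftp-only account configured correctly"
}

# Demonstration: a normal shell account, a forgotten /etc/shells entry, and the
# correct setup. Each failing call reports its exit status instead of aborting.
check_ftp_only backup "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" || echo "  exit status $?"
check_ftp_only jobftp "$SAMPLE_PASSWD" "$SHELLS_NO_FTP" || echo "  exit status $?"
check_ftp_only jobftp "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```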
Dave La Mar
Honored Contributor

Re: restrict userid to execute FTP command only

Sorry James, thought I had responded to this already.
Attached is the HP doc we have used for ftp-only account setups.

Best of luck.

Best regards,

dl
"I'm not dumb. I just have a command of thoroughly useless information."