
Re: Secure ftp

 
Andy Macleod
Advisor

Secure ftp

One of the items in my roll-out of a secure ftp solution is to insert /./ (chroot) into the path of a ftp user's home directory.

But when I ftp in using this user's id and do the pwd command, I can still see the full path.

Can anyone think why this is?
Christopher McCray_1
Honored Contributor

Re: Secure ftp

Are you using ftpaccess?

Look at this:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xa9635c7609e9d61190050090279cd0f9,00.html


Hope this helps

Chris
It wasn't me!!!!
Christopher McCray_1
Honored Contributor

Re: Secure ftp

Hello,

What does the entire entry in the passwd file say?

Do you have something like /usr/bin/false for the users default shell?

Chris
It wasn't me!!!!
Andy Macleod
Advisor

Re: Secure ftp

I think I've sorted it.
I've set up a new group and a new shell called ftpshell.

The shell contains exit 0, then I've copied the ftpaccess file to /etc/ftpd/ and edited it so the ftponly group is the secureftp group.
Then I've sorted all the permissions and ownership.

I then created a file /etc/shells and listed all the shells including the new ftpshell, and cp'd the ls cmd to a sub dir usr/bin within the ftp user's home dir.

Here's the link I found
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000063248362
Andy Macleod
Advisor

Re: Secure ftp

If I now want to enable ls and rename for the ftp user, what do I need to do?

I've changed the lines in /etc/ftpd/access to yes for the items rename overwrite and delete but I still cannot do an ls or rename.

Please help
Andreas Voss
Honored Contributor

Re: Secure ftp

Hi,

For listing you have to copy /sbin/ls to the home directory of the ftp user.
First create usr/bin under the home dir of the ftp user, i.e.:
umask 222
mkdir -p /home/user/usr/bin

Then copy the ls binary:
cp -p /bin/ls /home/user/usr/bin

Regards
Andy Macleod
Advisor

Re: Secure ftp

I've done all that and it still doesn't work.

I've played with combinations of shells and groups and the only way I can get rename to work is to remove the ftpuser from my secureftp (ftponly) group, but that then allows the user to move around the file structure.

Any ideas?
Here's a copy of my ftpaccess file:

loginfails 2

class local real,guest,anonymous *.domain 0.0.0.0
class remote real,guest,anonymous *

limit local 20 Any /etc/msgs/msg.toomany
limit remote 100 SaSu|Any1800-0600 /etc/msgs/msg.toomany
limit remote 60 Any /etc/msgs/msg.toomany

readme README* login
readme README* cwd=*

message /welcome.msg login
message .message cwd=*

compress yes local remote
tar yes local remote

# allow use of private file for SITE GROUP and SITE GPASS?
private yes

# passwd-check []
passwd-check rfc822 warn

log commands real
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg

# all the following default to "yes" for everybody
delete yes guest,anonymous # delete permission?
overwrite yes guest,anonymous # overwrite permission?
rename yes guest,anonymous # rename permission?
chmod no anonymous # chmod permission?
umask no anonymous # umask permission?

# specify the upload directory information
upload /var/ftp * no
upload /var/ftp /incoming yes root daemon 0600 dirs
upload /var/ftp /bin no
upload /var/ftp /etc no

# directory aliases
alias inc /incoming

# cdpath
cdpath /incoming
cdpath /pub
cdpath /

# path-filter...
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

# specify which group of users will be treated as "guests".
guestgroup secureftp
Andy Macleod
Advisor

Re: Secure ftp

Here's what I see when I log on

230 User hostftp1 logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/hostftp1" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
226 Transfer complete.

But the ls command doesn't show the 2 files I've just put in there either.

john korterman
Honored Contributor

Re: Secure ftp

Hi,
When you establish the ftp session, does the system then say "Users logged in. Access restrictions apply"?
If you execute "pwd" immediately after you have established your ftp session, it should show what has been entered after the full stop in the 6th field of the definition in /etc/passwd. Does it do that?

regards,
John K.
it would be nice if you always got a second chance
john korterman
Honored Contributor

Re: Secure ftp

Hi again,
The way I see the sequence of question/answers here, you can probably guess my next question (!): Did you copy the statically linked ls command from /sbin/ls (which is the correct one) or?

regards,
John K.
it would be nice if you always got a second chance
Andy Macleod
Advisor

Re: Secure ftp

I did this

cd /home/username
mkdir usr
mkdir usr/bin
cp -p /sbin/ls usr/bin
chown -R bin:bin usr
chmod -R 555 usr


john korterman
Honored Contributor

Re: Secure ftp

Hmm,
.... almost out of ideas. Does it make a difference to use "dir"?

regards,
John K.
it would be nice if you always got a second chance
Andy Macleod
Advisor

Re: Secure ftp

Nope - HELP!
john korterman
Honored Contributor

Re: Secure ftp

Hi,
Have you made the ftp connection from the server itself or from a PC client?

regards,
John K.
it would be nice if you always got a second chance
Christopher McCray_1
Honored Contributor

Re: Secure ftp

Hello,

You need to have that usr/bin/ls tree under the hostftp1 directory the user is chroot'ed to.

I also noticed that you kept a lot of the default variables in your ftpaccess file, which won't work. For example:

# specify the upload directory information
upload /var/ftp * no
upload /var/ftp /incoming yes root daemon 0600 dirs
upload /var/ftp /bin no
upload /var/ftp /etc no

The /var/ftp should be changed to what you have, like /home/user, and do you even have an incoming directory? I believe it was hostftp1:

upload /home/user /ftpuser1 yes 0600 dirs

Do a search on ftpaccess and really read the man page's clarification on all these values; you may not even need them all. There are also release notes in /usr/share/doc/RelNotes_newftp.txt.

Hope this helps

Chris
It wasn't me!!!!
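As an added example (not code from the thread, from HP-UX or from wu-ftpd itself), here is a POSIX sh check that ties together the three points the thread circles around: John's note that the chroot root and the directory "pwd" reports come from the /./ marker in the 6th passwd field, Andreas's and Andy's layout of a read-only usr/bin/ls under that root, and Chris's point that upload directives still naming /var/ftp do nothing for a guest whose root is elsewhere. The user name, the passwd entry, the temporary tree and the sample ftpaccess lines are all constructed for the demo.

```shell
# Added example, not code from the thread: checks for a wu-ftpd guest (chroot)
# account set up the way the thread describes. All names, paths and the
# sample passwd/ftpaccess lines below are constructed for the demo.

# Chroot root = the part of the passwd home field (6th field) before "/./".
chroot_root() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    case "$home" in
        */./*) printf '%s\n' "${home%%/./*}" ;;
        *)     return 1 ;;           # no /./ marker: wu-ftpd will not chroot
    esac
}

# Directory the user lands in after the chroot (what "pwd" then reports).
chroot_cwd() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    case "$home" in
        */./*) printf '/%s\n' "${home#*/./}" ;;
        *)     return 1 ;;
    esac
}
# ls inside the chroot needs usr/bin/ls under the root: present, executable
# and, as the thread does with chmod -R 555, writable by nobody.
check_guest_tree() {
    [ -x "$1/usr/bin/ls" ] || { echo "missing $1/usr/bin/ls" >&2; return 1; }
    for p in "$1/usr" "$1/usr/bin" "$1/usr/bin/ls"; do
        case $(ls -ld "$p" | cut -c3,6,9) in     # user/group/other write bits
            *w*) echo "$p is writable" >&2; return 1 ;;
        esac
    done
}
# "upload" directives whose root is not this guest's chroot root do nothing
# for the guest (the default /var/ftp lines left in the thread's ftpaccess).
stale_upload_lines() {              # $1 = ftpaccess file, $2 = chroot root
    awk -v root="$2" '$1 == "upload" && $2 != root' "$1"
}
# Build a throw-away tree matching the thread's layout and run the checks.
demo() {
    t=$(mktemp -d) || return 1
    entry="hostftp1:*:501:50:guest:$t/home/./hostftp1:/usr/local/bin/ftpshell"
    root=$(chroot_root "$entry") && mkdir -p "$root/hostftp1" "$root/usr/bin" &&
        cp /bin/ls "$root/usr/bin/ls" && chmod -R 555 "$root/usr" || return 1
    printf 'upload /var/ftp * no\nupload %s * no\n' "$root" > "$t/ftpaccess"
    if check_guest_tree "$root" &&
       [ "$(stale_upload_lines "$t/ftpaccess" "$root" | wc -l)" -eq 1 ]
    then rc=0; else rc=1; fi
    chmod -R u+w "$t" && rm -rf "$t"
    return $rc
}
```

Run with `sh -c '. ./check.sh && demo && echo ok'` against a real account by feeding `grep '^user:' /etc/passwd` to chroot_root and the resulting root to check_guest_tree and stale_upload_lines.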