Operating System - HP-UX
Joe Profaizer
Super Advisor

securing ftp with different owner and group access

(See link below for the initial dialogue of the original question.)

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x6283402f24d5d61190050090279cd0f9,00.html


We've set up a Unix user account with the intention of this user only being able to ftp data to the Unix machine. The account looks like this in /etc/passwd:

psoftp:*:146:113:Psoft ftp test acct,,,:/opt/appserver/psftfsdm/finstl/rga/./dat:/usr/bin/false

We also needed the files that this user ftp'd to have a different owner and group other than this user's so we were using ftpaccess to do this. The /etc/ftpd/ftpaccess file looks like this:

class all real,guest,anonymous *

guestgroup psoftp

upload /opt/appserver/psftfsdm/finstl/rga/dat /opt/appserver/psftfsdm/finstl/rga/dat yes fsadmstl psofthr 0440


We've also changed /etc/inetd.conf to use ftpd -l -a and used inetd -c to refresh the configuration, which looks like this:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a


After ftp'ing a file using the psoftp userid to the Unix machine the file's permissions look like this in directory /opt/appserver/psftfsdm/finstl/rga/dat:

-rw-r----- 1 psoftp psoftp 20 Mar 5 12:50 webservicedesk.txt

We are wanting it to be:


-rw-r----- 1 fsadmstl psofthr 20 Mar 5 12:50 webservicedesk.txt


We're pretty sure this was working at one time. Can anyone see where we're going wrong?

Thanks!!!!!
Sridhar Bhaskarla
Honored Contributor

Re: securing ftp with different owner and group access

Hi,

You will need to make sure that the first directory you specify (root directory) in the upload is the home directory of the user psoftp as defined in /etc/passwd. So try with exactly the entry you have in /etc/passwd.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: securing ftp with different owner and group access

Hi (Again),

I should have added, add the entire entry /opt/appserver/psftfsdm/finstl/rga/./dat (including .) as the first directory in the upload directive.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Joe Profaizer
Super Advisor

Re: securing ftp with different owner and group access

We'll give that a try and keep you posted.

Thanks.
P.H. Vogt
Advisor

Re: securing ftp with different owner and group access


chmod g+s /opt/appserver/psftfsdm/finstl/rga/dat

This will solve the group owner issue. Changing the owner is more complicated.
man man
Joe Profaizer
Super Advisor

Re: securing ftp with different owner and group access

P.H.,
Permissions are already set for that directory as needed:

drwxrwxrwx 2 fsadmstl psofthr 1024 Mar 5 13:05 dat

Is that what you expected the permissions to be?
Thanks.
Joe Profaizer
Super Advisor

Re: securing ftp with different owner and group access

Sridhar,
Thanks for the suggestions, but that did not work either.
I know this worked at one time and have no knowledge of anything changing.

Thanks,

..Joe
P.H. Vogt
Advisor

Re: securing ftp with different owner and group access


Well that is not what I expected :)

something like drwxrwsr-x

or when you are a bit more secure minded drwxrws---

An s instead of an x makes the difference.

To make this work for you the account psoftp has to be a member of the group psofthr.

man man
Steven E. Protter
Exalted Contributor

Re: securing ftp with different owner and group access

You seem security conscious.

Then I would suggest not using ftp at all for transferring files. I would suggest sftp or secure ftp instead.

No more clear text passwords on the network or the public internet, user access is defined by the users on the systems and the public encryption keys you generate.

Something to think about. Surely you could meet your goal with ftpaccess config changes.

Link and cookbook attached.

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=T1471AA&date=

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Sridhar Bhaskarla
Honored Contributor

Re: securing ftp with different owner and group access

Hi Joe,

Unless you have a typo somewhere, it should work. For debugging purposes, do the following.

Change the home directory of psoftp to a simple directory like /home/psoftp. Then modify your ftpaccess file to reflect like

upload /home/psoftp /opt/appserver/psftfsdm/finstl/rga/dat yes fsadmstl psofthr 0440

Come out of the existing ftp session and try ftp again. If it works, then you just need to make sure '/opt/appserver/psftfsdm/finstl/rga/./dat' is really the home dir of psoftp.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Christopher Caldwell
Honored Contributor
Solution

Re: securing ftp with different owner and group access

Here's the upload howto:
http://www.wu-ftpd.org/HOWTO/upload.configuration.HOWTO

The first dir should be the home dir as passed to the chroot command (the chroot point without the .). The second directory should be relative to root.

So I think you want

upload /opt/appserver/psftfsdm/finstl/rga/dat / ...
Sridhar Bhaskarla
Honored Contributor

Re: securing ftp with different owner and group access

Chris -

Before posting my response to include ".", I did try it myself. It did not work if I excluded ".". I don't know if the version of ftpd that I have looks for the entry lexically equal to that defined in /etc/passwd.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Christopher Caldwell
Honored Contributor

Re: securing ftp with different owner and group access

I believe the . is implementation dependent and has [mostly] to do with the way chroot works. I'd completely believe you if you said the . was required in the portion of the command, since the man page indicates that is effectively the chroot point.
Joe Profaizer
Super Advisor

Re: securing ftp with different owner and group access

We found a solution. Here's what we did.

/etc/passwd

psoftp:*:146:113:Psoft ftp test acct,,,:/opt/appserver/psftfsdm/finstl/rga/dat:/usr/bin/false

/etc/ftpd/ftpaccess
upload /opt/appserver/psftfsdm/finstl/rga/dat / yes fsadmstl psofthr 0440


Thanks to all for your efforts
Sridhar Bhaskarla
Honored Contributor

Re: securing ftp with different owner and group access

Hi Joe,

With your workaround, you are losing the restriction on the ftp account.

The following *may* be the solution.

upload /opt/appserver/psftfsdm/finstl/rga /dat yes fsadmstl psofthr 0440

with *no* change in the passwd entry.

Chris is right but missed that the argument to chroot is actually /opt/appserver/psftfsdm/finstl/rga not including dat though.

I was completely leaning on the explanation that it depends on the implementation of ftpd as below

//
Some versions of the daemon required the first parameter to be lexically
identical to the user's home directory entry. This was non-obvious and the
'/./' was often forgotten.

Some versions of the daemon got totally confused, attempted to apply both
these methods at once, and ended up ignoring all your upload rules. If you
were smart, you had your permissions set properly and didn't notice.
//


-Sri

You may be disappointed if you fail, but you are doomed if you don't try
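The three configurations the thread goes through (the original `upload` line, Joe's workaround, and Sri's last suggestion) differ only in how the first path on the `upload` line relates to the `/./` chroot point in the passwd entry. The following added example, which is not part of the thread and not ftpd source code, models the matching described in the wu-ftpd upload HOWTO so the three cases can be compared side by side; the directory names are the ones from the thread, everything else is constructed.

```python
# Added illustration (not ftpd source code) of how a wu-ftpd style `upload`
# rule is matched for a guestgroup user, per the upload HOWTO linked above:
# the first path is the chroot point (the passwd home before "/./"), the
# second a directory relative to that chroot.  Daemons that compare the first
# path lexically against the whole passwd entry are not modelled.
import fnmatch
from dataclasses import dataclass

@dataclass
class UploadRule:
    root_dir: str   # chroot point the rule applies to
    dir_glob: str   # directory inside the chroot (may be a glob pattern)
    allowed: bool
    owner: str
    group: str
    mode: str       # octal string as written in ftpaccess, e.g. "0440"

def split_home(passwd_home):
    """Split a guest home such as /a/b/./c into (chroot point, start dir)."""
    if "/./" in passwd_home:
        root, rel = passwd_home.split("/./", 1)
        return root, "/" + rel
    return passwd_home, "/"   # no "/./": the whole home becomes the chroot

def parse_ftpaccess(text):
    """Collect the `upload` lines of an ftpaccess file; other directives skipped."""
    rules = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 7 and p[0] == "upload":
            rules.append(UploadRule(p[1], p[2], p[3] == "yes", p[4], p[5], p[6]))
    return rules

def match_upload(rules, passwd_home, target_dir):
    """First rule whose root_dir equals the user's chroot point and whose glob
    matches target_dir (relative to the chroot); overlap precedence not modelled."""
    root, _ = split_home(passwd_home)
    for r in rules:
        if r.root_dir == root and fnmatch.fnmatchcase(target_dir, r.dir_glob):
            return r
    return None

def effective_ownership(rule, login_user, login_group):
    """(owner, group, mode) a stored file ends up with.  With no matching rule
    the file simply belongs to the login account (the psoftp psoftp result)."""
    if rule is None:
        return login_user, login_group, None   # mode left to the daemon's umask
    if not rule.allowed:
        raise PermissionError("uploads into this directory are disabled")
    return rule.owner, rule.group, rule.mode
```

Under this model the original line never matches because its first path names the `dat` subdirectory rather than the chroot point `.../rga`, which is why the file stayed owned by psoftp.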