HPE Community
Operating System - HP-UX
1833189 Members
2535 Online
110051 Solutions
New Discussion

securing ftp with different owner and group access

 
SOLVED
Go to solution
Joe Profaizer
Super Advisor

‎03-05-2003 12:09 PM

‎03-05-2003 12:09 PM

securing ftp with different owner and group access

(See link below for initial dialogue of original question

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x6283402f24d5d61190050090279cd0f9,00.html


We'vd setup a Unix user account with the intention of this user only being able to ftp data to the Unix machine. The account looks like this in /etc/passwd:

psoftp:*:146:113:Psoft ftp test acct,,,:/opt/appserver/psftfsdm/finstl/rga/./dat:/usr/bin/false

We also needed the files that this user ftp'd to have a different owner and group other than this user's so we were using ftpaccess to do this. The /etc/ftpd/ftpaccess file looks like this:

class all real,guest,anonymous *

guestgroup psoftp

upload /opt/appserver/psftfsdm/finstl/rga/dat /opt/appserver/psftfsdm/finstl/rga/dat yes fsadmstl psofthr 0440


We've also changed /etc/inetd.conf to use fptd -l -a and used inetd -c to refresh the configuration which looks like this:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a


After ftp'ing a file using the psoftp userid to the Unix machine the file's permissions look like this in directory /opt/appserver/psftfsdm/finstl/rga/dat:

-rw-r----- 1 psoftp psoftp 20 Mar 5 12:50 webservicedesk.txt

We are wanting it to be:


-rw-r----- 1 fsadmstl psofthr 20 Mar 5 12:50 webservicedesk.txt


We're pretty sure this was working at one time. Can anyone see where we're going wrong?

Thanks!!!!!
0 Kudos
Reply
14 REPLIES 14
Sridhar Bhaskarla
Honored Contributor

‎03-05-2003 12:27 PM

‎03-05-2003 12:27 PM

Re: securing ftp with different owner and group access

Hi,

You will need to make sure that the first directory you specify (root directory) in the upload is the home directory of the user psoftp as defined in /etc/passwd. So try with exactly the entry you have in /etc/passwd.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎03-05-2003 12:34 PM

‎03-05-2003 12:34 PM

Re: securing ftp with different owner and group access

Hi (Again),

I should have added, add the entire entry /opt/appserver/psftfsdm/finstl/rga/./dat (including .) as the first directory in the upload directive.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Joe Profaizer
Super Advisor

‎03-06-2003 05:24 AM

‎03-06-2003 05:24 AM

Re: securing ftp with different owner and group access

We'll give that a try and keep you posted.

Thanks.
0 Kudos
Reply
P.H. Vogt
Advisor

‎03-06-2003 06:11 AM

‎03-06-2003 06:11 AM

Re: securing ftp with different owner and group access


chmod g+s /opt/appserver/psftfsdm/finstl/rga/dat

This will solve the group owner issue. Changing the owner is more complicated.
man man
0 Kudos
Reply
Joe Profaizer
Super Advisor

‎03-06-2003 06:30 AM

‎03-06-2003 06:30 AM

Re: securing ftp with different owner and group access

P.H.,
Permissions are already set for that directory as needed:

drwxrwxrwx 2 fsadmstl psofthr 1024 Mar 5 13:05 dat

Is that what you expected the permissions to be?
Thanks.
0 Kudos
Reply
Joe Profaizer
Super Advisor

‎03-06-2003 08:54 AM

‎03-06-2003 08:54 AM

Re: securing ftp with different owner and group access

Sridhar,
Thanks for the suggestions, but that did not work either.
I know this worked at one time and have no knowledge of anything changing.

Thanks,

..JOe
0 Kudos
Reply
P.H. Vogt
Advisor

‎03-06-2003 09:02 AM

‎03-06-2003 09:02 AM

Re: securing ftp with different owner and group access


Well that is not what I expected :)

something like drwxrwsr-x

or when you are a bit more secure minded drwxrws---

A s instead of a x makes the difference.

To make this work for you the account psoftp has to be a member of the group psofthr.

man man
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎03-06-2003 09:05 AM

‎03-06-2003 09:05 AM

Re: securing ftp with different owner and group access

You seem security conscious.

Then I would suggest not using ftp at all for transferring files. I would sugguest sftp or secure ftp instead.

No more clear text passwords on the network or the public internet, user access is defined by the users on the systems and the public encryption keys you generate.

Something to think about. Surely you cold meet your goal with ftpacces config changes.

Link and cookbook attached.

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=T1471AA&date=

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎03-06-2003 11:16 AM

‎03-06-2003 11:16 AM

Re: securing ftp with different owner and group access

Hi Joe,

Unless you have a typo somewhere, it should work. For debugging purposes, do the following.

Change the home directory of psoftp to a simple directory like /home/psoftp. Then modify your ftpaccess file to reflect like

upload /home/psoftp /opt/appserver/psftfsdm/finstl/rga/dat yes fsadmstl psofthr 0440

Come out of the existing ftp session and try ftp again. If it works, then you just need to make sure '/opt/appserver/psftfsdm/finstl/rga/./dat ' is really the home dir of psoftp.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Christopher Caldwell
Honored Contributor

‎03-06-2003 11:43 AM

‎03-06-2003 11:43 AM

Solution

Re: securing ftp with different owner and group access

Here's the upload howto:
http://www.wu-ftpd.org/HOWTO/upload.configuration.HOWTO

The first dir should be the home dir as passed to the chroot command (the chroot point without the .). The second directory should be relative to root.

So I think you want

upload /opt/appserver/psftfsdm/finstl/rga/dat / ...
Reply
Sridhar Bhaskarla
Honored Contributor

‎03-06-2003 12:35 PM

‎03-06-2003 12:35 PM

Re: securing ftp with different owner and group access

Chris -

Before posting my response to include ., I did try it myself. It did not work if I excluded "." . I don't know if the version of ftpd that I have, looks for the entry lexically equal to that defined in /etc/passwd.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Christopher Caldwell
Honored Contributor

‎03-06-2003 12:52 PM

‎03-06-2003 12:52 PM

Re: securing ftp with different owner and group access

I believe the . is implementation dependent and has [mostly] to do with the way chroot works. I'd completely believe you if you said the . was required in the portion of the command, since the man page indicates that is effectively the chroot point.
Reply
Joe Profaizer
Super Advisor

‎03-06-2003 01:15 PM

‎03-06-2003 01:15 PM

Re: securing ftp with different owner and group access

We found a solution. Here's what we did.

/etc/passwd

psoftp:*:146:113:Psoft ftp test
acct,,,:/opt/appserver/psftfsdm/finstl/rga/dat:/usr/bin/false

/etc/ftpd/ftpaccess
upload /opt/appserver/psftfsdm/finstl/rga/dat / yes fsadmstl psofthr 0440


Thanks to all for your efforts
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎03-06-2003 02:00 PM

‎03-06-2003 02:00 PM

Re: securing ftp with different owner and group access

Hi Joe,

With your workaround, you are losing the restriction on the ftp account.

The following *may* be the solution.

upload /opt/appserver/psftfsdm/finstl/rga /dat yes fsadmstl psofthr 0440

with *no* change in the passwd entry.

Chris is right but missed that the argument to chroot is actually /opt/appserver/psftfsdm/finstl/rga not including dat though.

I was completely leaning on the explanation that it depends on the implementation of ftpd as below

//
Some versions of the daemon required the first parameter to be lexically
identical to the user's home directory entry. This was non-obvious and the
'/./' was often forgotten.

Some versions of the daemon got totally confused, attempted to apply both
these methods at once, and ended up ignoring all your upload rules. If you
were smart, you had your permissions set properly and didn't notice.
//


-Sri

You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.