
Re: Setting up restricted ftp

 
Preet Dhillon
Advisor

Setting up restricted ftp

Dear Colleagues,

I have a requirement for a user to ftp files into a certain directory BUT the condition is that this user should not be allowed to cd to any other directory from the ftp session. I've set up the user's account with a restricted shell which keeps him in his home directory. But this does not apply with ftp. Is there a way of doing this?

Many thanks and regards,
Preet
Nothing succeeds like excess
harry d brown jr
Honored Contributor

Re: Setting up restricted ftp


ftpaccess

live free or die
harry
Live Free or Die
Ceesjan van Hattum
Esteemed Contributor

Re: Setting up restricted ftp

There is a really nice document about restricted ftp. Look at:

http://packetstormsecurity.nl/0001-exploits/mi009en.htm

Regards.
Ceesjan
Christopher Caldwell
Honored Contributor

Re: Setting up restricted ftp

If you're running >=11.x with patched ftp and/or 10.20 with wu-ftpd, see

http://www.wu-ftpd.org/HOWTO/guest.HOWTO

for instructions on setting up a chroot environment.

In addition, man ftpaccess and look at
cdpath.
James Beamish-White
Trusted Contributor

Re: Setting up restricted ftp

wu-ftp (comes standard with HPUX 11, need to download for 10.20) uses ftpaccess. Do a man for ftpaccess as Harry suggested, or see

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xab95663ce855d511abcd0090277a778c,00.html

Cheers!
James
GARDENOFEDEN> create light
Dave La Mar
Honored Contributor

Re: Setting up restricted ftp

Preet -
I used the following to set up a particular user as well as
DOC NR0801KBRC00007714

http://support2.itrc.hp.com/service/cki/search.do?searchString=A5651654&mode=id&submit=Search&searchCrit=allwords&docType=Security&docType=Patch&docType=EngineerNotes&docType=BugReports&docType=Hardware&docType=ReferenceMaterials&docType=ThirdParty

I think you will find what you need here as well.

Best of luck.

dl
"I'm not dumb. I just have a command of thoroughly useless information."
Andrew Cowan
Honored Contributor

Re: Setting up restricted ftp

Try using Secure-FTP (part of OpenSSH) as the data is encrypted, and you can set up key access as well as passwords.

Using normal (un-encrypted) services such as telnet and ftp is very unadvisable, unless your environment is "secure", and you are not concerned about attackers listening in on your LAN, and grabbing usernames and passwords.

Whatever type of FTP you decide to use, ensure that you lock the user into a "chroot'd" jail so that they cannot access sensitive parts of your system.
dsrao
Occasional Contributor

Re: Setting up restricted ftp

Hi,

Try the following procedure for restricted ftp.

Restricted FTP user Setup

1. Configure the ftpaccess file:
a. cd /etc/ftpd
b. cp -p /usr/newconfig/etc/ftpd/ftpaccess .
c. vi ftpaccess. At the bottom of the file there is a guestgroup directive, "guestgroup ftponly"
i. Either change that group designation to one you already have or keep that designation
ii. If you are keeping the ftponly group, then create that group on your system

2. Modify the /etc/inetd.conf file to enable the use of the ftpaccess file:
a. vi /etc/inetd.conf
b. Add the -a flag to the ftp daemon.
c. ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l

3. Make inetd re-read its configuration:
inetd -c

4. Create a bogus shell for users that will only have FTP access to the system:
a. vi /usr/bin/ftpshell
b. exit 0
c. chmod 555 /usr/bin/ftpshell
d. chown bin:bin /usr/bin/ftpshell

5. Create an /etc/shells file:
a. vi /etc/shells
b. Include these lines in the file:
/sbin/sh
/usr/bin/ksh
/usr/bin/sh
/usr/bin/ftpshell

6. Now add a user to the system. Use a group that is "ftponly" and make the user's shell /usr/bin/ftpshell.

7. Use SAM to limit the user to his home directory by setting up the directory in this form:
/home/username/./
Note: The /./ is the important key here. When the ftpd verifies a user's login, it checks and sees that the user is a member of the guestgroup - ftponly. It then examines the home directory and, if it sees a /./ in the path, it will then perform a chroot to that directory. Therefore, when that user FTPs into the system, their home directory will appear as the / directory.

8. Provide the user with an ls command:
a. cd /home/username
b. Change ownership to home directory
Ex: chown sysftp:tux /tuxhome/oper (where sysftp is the user)
c. mkdir usr
d. mkdir usr/bin
e. cp -p /sbin/ls usr/bin
f. chown -R bin:bin usr
g. chmod -R 555 usr
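
An added example, not part of the post above or of any HP document: a POSIX sh function that checks the settings the procedure depends on (guestgroup membership, the -a flag in inetd.conf, the shell's entry in /etc/shells, and the /./ marker in the home directory), since the chroot silently does not happen if any one of them is missing. Assumptions: audit_guest_ftp and make_fixture are hypothetical names, guestgroup entries are plain group names, -a is given as a separate argument, and the fixture is constructed sample data built with the Linux/BSD form of mktemp -d for trying the function off-box.

```shell
#!/bin/sh
# audit_guest_ftp ROOT USER: check the guest-FTP settings from the steps above.
# ROOT is a path prefix ("" on a live system). Prints each failed check and
# returns the number of failures.
audit_guest_ftp() {
    root=$1 user=$2 fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    pw=$(awk -F: -v u="$user" '$1 == u' "$root/etc/passwd")
    [ -n "$pw" ] || { fail "no passwd entry for $user"; return 1; }
    gid=$(echo "$pw" | cut -d: -f4)
    home=$(echo "$pw" | cut -d: -f6)
    shell=$(echo "$pw" | cut -d: -f7)
    # Steps 1 and 6: user belongs to a group named by a guestgroup directive
    guest=0
    for g in $(awk '$1 == "guestgroup" { for (i = 2; i <= NF; i++) print $i }' \
               "$root/etc/ftpd/ftpaccess"); do
        awk -F: -v g="$g" -v gid="$gid" -v u="$user" '
            $1 == g && ($3 == gid || index("," $4 ",", "," u ",")) { ok = 1 }
            END { exit !ok }' "$root/etc/group" && guest=1
    done
    [ "$guest" -eq 1 ] || fail "$user is not in any guestgroup"
    # Step 2: ftpd must be started with -a or ftpaccess is ignored
    awk '$1 == "ftp" { for (i = 8; i <= NF; i++) if ($i == "-a") ok = 1 }
         END { exit !ok }' "$root/etc/inetd.conf" || fail "ftpd lacks -a"
    # Steps 4 and 5: login shell must be listed in /etc/shells
    grep -qxF "$shell" "$root/etc/shells" || fail "$shell not in /etc/shells"
    # Step 7: the /./ marker is what triggers the chroot
    case $home in */./*) ;; *) fail "home '$home' has no /./ marker" ;; esac
    return "$fails"
}

# Constructed fixture (not a real system): the layout the steps produce.
make_fixture() {
    d=$(mktemp -d) && mkdir -p "$d/etc/ftpd" || return 1
    echo "sysftp:*:201:300::${1:-/home/sysftp/./}:/usr/bin/ftpshell" > "$d/etc/passwd"
    echo "ftponly::300:" > "$d/etc/group"
    echo "guestgroup ftponly" > "$d/etc/ftpd/ftpaccess"
    echo "ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l" > "$d/etc/inetd.conf"
    printf '%s\n' /sbin/sh /usr/bin/sh /usr/bin/ftpshell > "$d/etc/shells"
    echo "$d"
}

fx=$(make_fixture) && audit_guest_ftp "$fx" sysftp && echo "all checks passed"
rm -rf "$fx"
```

On a live system, call it as audit_guest_ftp "" username; a non-zero return means the account may log in without being confined to its home directory.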