HPE Community
Operating System - HP-UX
1834804 Members
2895 Online
110070 Solutions
New Discussion

simple FTP and root-jailing

 
SOLVED
Go to solution
Charly Preis
New Member

‎07-17-2006 02:01 AM

‎07-17-2006 02:01 AM

simple FTP and root-jailing

Shalom alltogether,
we're working on a rx4640 machine under 11.23 and have the following needs:
We have one ftp-user who should only get an ftp-access (no os-access like other users).

We created this using .

This user should be able to read/write any file below this directory (also put/get them) - but he shouldn't be able to navigate above the home-directory.

We've already read some instructions in the book 'Installing and configuring internet services' - espacially the chapter over 'anonymous ftp access' - but our user is still able to navigate above his home-dir.

Hopefully awaiting your answers
Thanx
Charly
0 Kudos
4 REPLIES 4
Ivan Ferreira
Honored Contributor

‎07-17-2006 02:27 AM

‎07-17-2006 02:27 AM

Solution

Re: simple FTP and root-jailing

Can you describe the process that you did?

Some tips:

1- Ensure that the user have a invalid shell, like /bin/false. This will prevent to the user logon locally.

2- The ftpaccess file should look like this:

class all real,guest,anonymous *

limit all 60 Any /etc/msgs/msg.dead

readme README* login
readme README* cwd=*

message /welcome.msg login
message .message cwd=*

compress no all
tar no all

delete no anonymous,guest # delete permission?
overwrite no anonymous,guest # overwrite permission?
rename no anonymous,guest # rename permission?
chmod no anonymous,guest # chmod permission?
umask no anonymous,guest # umask permission?

log commands real
log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg

email root@clu-oas.sis.personal.net.py

# CHROOT Users
guestuser username1 username2

3- Ensure that the home for these users in the passwd ends with /./

username1:*:211:214:CHROOT User:/path/to/home/./:/bin/false
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Charly Preis
New Member

‎07-17-2006 02:38 AM

‎07-17-2006 02:38 AM

Re: simple FTP and root-jailing

Hello Ivan,
thank you - your answer has brought the solution. We've missed two things - the trailing slash at the home-dir and stupidly the /bin/false-shell.

Mui bien
Greetings to Paraguay
Charly
0 Kudos
Charly Preis
New Member

‎07-17-2006 02:40 AM

‎07-17-2006 02:40 AM

Re: simple FTP and root-jailing

See the above solution from Ivan.
0 Kudos
SGUX
Valued Contributor

‎07-17-2006 07:43 PM

‎07-17-2006 07:43 PM

Re: simple FTP and root-jailing

with HP-UX Secure Shell (T1471AA) a script named ssh_chroot_setup.sh (in /opt/ssh)is shipped which will do the job for you if you would like to use sftp.
I'm still working on it to get it working properly together with using LDAP but without LDAP it is working fine !

See also the following doc:
http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000082447780
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.