hi,
can you please try this?
=============================
1. Create a bogus shell like /usr/bin/ftponly - just put a message in there in case he tries to login on server: Create a group, like "ftpgroup" and put him in it.
Example bogus shell:
#!/bin/sh
/usr/bin/cat << XX
***********************************************************************************************
* ACCESS DENIED: You may use FTP, but you may not login with this account! *
***********************************************************************************************
XX
/usr/bin/sleep 5
2. Edit (or create) /etc/shells that looks like this (make sure that it includes your bogus shell) :
/usr/bin/sh
/sbin/sh
/usr/bin/ksh
/usr/bin/csh
/usr/bin/ftponly
3. For true "restricted" ftp accounts, Edit user in /etc/passwd with vipw:
(These accounts will not have a regular shell, so they cannot telnet.)
Change the home directory entry to put the "root" level that you want this user to be able see on one side of a period (.)
The other side of the period is where he intially lands (relative to the new "root") in when he ftps to the server.
Example:
ftpuser:jo/469sTHoYRQ:105:101:ftp account,,,:/opt/apache/ftpdir/./:/usr/bin/ftponly
Do NOT forget the trailing "/" just before the separating "." between the directories above.
4. For "restricted" ftp accounts, you also need to create or edit /ftpd/ftpaccess
(See ftpaccess manpage for mind-boggling details.)
Example /etc/ftpd/ftpaccess:
class all real,guest *
guestgroup www ftpgroup
upload * * yes * * 0775 dirs
My understanding of the above:
# defines a "class" of all, real, and anything starting with guest*
# defines 2 "guestgroup" "groupnames," called "www" and "ftpgroup" --- if an ftp user is a REAL /etc/passwd account AND the user belongs to one of these groups, then their ftp session is treated just like anonymous ftp. If a user is in one of these groups they cannot cd to anything outside of their home directory, cannot change user, or password, etc.
# allow "upload" access to any directory, ownership group will be those of the ftp user, directories may be created
When you setup a user like this, the user acts just like an anonymous ftp account. So, ftpd does a chroot to the selected directory. However, no files, libraries, etc that are outside this restricted piece of the file system are available anymore to this user. So commands like ls won't work anymore. To just get ls working, you need to create a local usr/bin under the new "root" directory. Change the permissions on these dirs to 555 - owned by root. Then copy /sbin/ls into the new usr/bin and chown to root and chmod 111 on the ls executable.
5. Put ANY (restricted or not) logins that you do NOT want to ftp in /etc/ftpd/ftpusers.
Hint: use the following command to create the file (NO ONE on this list will be able to ftp):
cat /etc/passwd | awk -F: '{print $1}' > /etc/ftpd/ftpusers
Then remove those users that you DO want to ftp from ftpusers.
6, Setup the ftpd entry in inetd.conf like this:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a
(note: ftpaccess file must exist!)
(The ftpd -a tells the daemon to access the /etc/ftpd/ftpaccess configuration file.)
7. Restart inetd like this inetd -c (works on hp-ux).
kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
