Securing ftp access
10-07-2004 04:38 AM
created user with /usr/bin/false as shell & home directory /homedir/./.
created /etc/shells & added all possible entries, including /usr/bin/false
created /etc/ftpd/ftpaccess with an entry "newuser ftponly" at the bottom of the file
edited /etc/inetd.conf & added the -a flag to the ftp daemon; ran inetd -c
My question:
The user is restricted to ftp, which is OK. Cannot telnet or log in. When I ftp as this user I can cd / at the ftp prompt, which lets me go to the root dir of the server. I expected to only be allowed to go to the ftpuser's home dir, which is what I want to do. Have I missed something, or do I have a problem with chroot?
Hope someone can help,
Tim
I can ftp send from another server as this user &
10-07-2004 04:50 AM
Re: Securing ftp access
Thought about using chroot (1M)?
http://www5.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&admit=552267591+1097167757084+28353475&docId=200000063210548
All the best
Victor
10-07-2004 05:17 AM
Solution
# vi /etc/ftpd/ftpaccess
guestgroup
#
If the user you created belongs to group ftpgroup, then add the following entry to the ftpaccess file:
guestgroup ftpgroup
10-07-2004 12:39 PM
Re: Securing ftp access
1. Create a bogus shell like /usr/bin/ftponly; just put a message in there in case he tries to log in on the server. Create a group, like "ftpgroup", and put him in it.
Example bogus shell:
#!/bin/sh
# Bogus login shell: prints a notice and pauses, so the account gets no interactive session
/usr/bin/cat << XX
***********************************************************************************************
* ACCESS DENIED: You may use FTP, but you may not login with this account! *
***********************************************************************************************
XX
/usr/bin/sleep 5
2. Edit (or create) /etc/shells so that it looks like this (make sure that it includes your bogus shell):
/usr/bin/sh
/sbin/sh
/usr/bin/ksh
/usr/bin/csh
/usr/bin/ftponly
3. For true "restricted" ftp accounts, edit the user in /etc/passwd with vipw:
(These accounts will not have a regular shell, so they cannot telnet.)
Change the home directory entry to put the "root" level that you want this user to be able to see on one side of a period (.).
The other side of the period is where he initially lands (relative to the new "root") when he ftps to the server.
Example:
ftpuser:jo/469sTHoYRQ:105:101:ftp account,,,:/opt/apache/ftpdir/./:/usr/bin/ftponly
Do NOT forget the trailing "/" just before the separating "." between the directories above.
4. For "restricted" ftp accounts, you also need to create or edit /etc/ftpd/ftpaccess.
(See the ftpaccess manpage for mind-boggling details.)
Example /etc/ftpd/ftpaccess:
class all real,guest *
guestgroup www ftpgroup
upload * * yes * * 0775 dirs
My understanding of the above:
# defines a "class" of all, real, and anything starting with guest*
# defines 2 "guestgroup" group names, called "www" and "ftpgroup": if an ftp user is a REAL /etc/passwd account AND the user belongs to one of these groups, then their ftp session is treated just like anonymous ftp. If a user is in one of these groups they cannot cd to anything outside of their home directory, cannot change user or password, etc.
# allows "upload" access to any directory; ownership and group will be those of the ftp user; directories may be created
When you set up a user like this, the user acts just like an anonymous ftp account, so ftpd does a chroot to the selected directory. However, no files, libraries, etc. outside this restricted piece of the file system are available to this user any more, so commands like ls won't work. To get just ls working, you need to create a local usr/bin under the new "root" directory. Change the permissions on these dirs to 555, owned by root. Then copy /sbin/ls into the new usr/bin, chown it to root and chmod 111 the ls executable.
5. Put ANY logins (restricted or not) that you do NOT want to ftp in /etc/ftpd/ftpusers.
Hint: use the following command to create the file (NO ONE on this list will be able to ftp):
awk -F: '{print $1}' /etc/passwd > /etc/ftpd/ftpusers
Then remove the users that you DO want to ftp from ftpusers.
6. Set up the ftpd entry in inetd.conf like this:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a
(Note: the ftpaccess file must exist!)
(The ftpd -a tells the daemon to use the /etc/ftpd/ftpaccess configuration file.)
7. Restart inetd like this: inetd -c (works on HP-UX).
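The procedure in the two replies above (the accepted answer's guestgroup line and the seven steps just given), as an added example that is not code from any of the posts: a POSIX sh script that stages the pieces of a guestgroup account into a scratch directory instead of the live /etc, so each file can be reviewed before root installs it with vipw and cp. The chroot root, the group name, the ls binary to copy and the scratch location are parameters chosen here; the sample passwd and inetd.conf lines are constructed. The home-field check enforces the "<chroot root>/./<landing dir>" split that both the question's /homedir/./. and the reply's /opt/apache/ftpdir/./ use (wu-ftpd style ftpd, as on HP-UX, chroots to the part before "/./" and cds to the part after it), and the ftpaccess fragment is written with the class line from the reply, which in that syntax defines a class named "all" for real and guest users from any address.

```shell
#!/bin/sh
# Added example, not code from the thread. Stages a restricted ("guestgroup")
# FTP account's files into a scratch directory for review; nothing here writes
# to the live /etc. Assumed: POSIX sh, a wu-ftpd style ftpd (as on HP-UX),
# and the path parameters supplied by the caller.

# A guest account's passwd home field must read "<chroot root>/./<landing dir>".
# Accepts "/opt/apache/ftpdir/./" and "/homedir/./.", rejects "/opt/apache/ftpdir."
# (the missing "/" before "." that the post warns about).
ftp_home_ok() {
    case "$1" in
        /*/./*) return 0 ;;
        *)      return 1 ;;
    esac
}
ftp_chroot_root() { printf '%s\n' "${1%%/./*}"; }   # "/opt/apache/ftpdir"
ftp_landing_dir() { printf '%s\n' "${1#*/./}"; }    # "", "." or "pub"

# ftpaccess fragment: class "all" for real and guest users from any host (*),
# the guestgroup line that makes members of $1 chrooted guests, and the upload
# rule exactly as the longer reply gives it.
gen_ftpaccess() {
    printf 'class all real,guest *\n'
    printf 'guestgroup %s\n' "$1"
    printf 'upload * * yes * * 0775 dirs\n'
}

# ftpusers deny list: every login in passwd file $1 except those named in $2
# (space separated). Replaces step 5's "generate, then hand-edit" sequence.
gen_ftpusers() {
    awk -F: -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        $1 != "" && !($1 in allow) { print $1 }
    ' "$1"
}

# True if the ftp entry in inetd.conf $1 runs ftpd with -a; without it the
# ftpaccess file is never read and guestgroup has no effect.
inetd_ftp_uses_ftpaccess() {
    awk '$1 == "ftp" { for (i = 7; i <= NF; i++) if ($i == "-a") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Chroot tree under $1: 555 usr/bin holding a mode-111 copy of ls ($2; the
# reply copies /sbin/ls on HP-UX because the chroot has no shared libraries).
# chown to root needs root and is skipped otherwise.
stage_chroot() {
    root=$1 ls_src=$2
    mkdir -p "$root/usr/bin" || return 1
    cp "$ls_src" "$root/usr/bin/ls" || return 1
    chmod 111 "$root/usr/bin/ls"
    chmod 555 "$root/usr" "$root/usr/bin"
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$root/usr" "$root/usr/bin" "$root/usr/bin/ls"
    fi
    return 0
}

# Walk the whole procedure against constructed input in a scratch directory.
demo() {
    stage=${TMPDIR:-/tmp}/ftpstage.$$
    mkdir -p "$stage/etc" || return 1
    # Constructed sample passwd; the ftpuser line mirrors the reply's example.
    printf '%s\n' \
        'root:*:0:3::/:/sbin/sh' \
        'www:*:30:1::/:/sbin/sh' \
        'ftpuser:x:105:101:ftp account,,,:/opt/apache/ftpdir/./:/usr/bin/ftponly' \
        > "$stage/etc/passwd"
    ftp_home_ok "/opt/apache/ftpdir/./" || { echo "bad home field" >&2; return 1; }
    gen_ftpaccess ftpgroup > "$stage/etc/ftpaccess"
    gen_ftpusers "$stage/etc/passwd" ftpuser > "$stage/etc/ftpusers"
    stage_chroot "$stage/ftproot" "${LS_SRC:-$(command -v ls)}" || return 1
    echo "staged under $stage:"
    cat "$stage/etc/ftpaccess" "$stage/etc/ftpusers"
    ls -l "$stage/ftproot/usr/bin"
    chmod -R u+w "$stage" && rm -rf "$stage"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh stage-ftp.sh demo` to see the generated ftpaccess, ftpusers and chroot tree; on HP-UX set LS_SRC=/sbin/ls so the copied ls matches the reply. The generated files are only a staging copy: install them as root, and keep the -a check in mind, since a passing guestgroup line with an inetd entry lacking -a reproduces exactly the "cd /" symptom in the question.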
10-07-2004 08:23 PM
Re: Securing ftp access
You hit the nail on the head. I had put newgroup ftponly at the bottom of the ftpaccess file rather than guestgroup newgroup.
Thanks for the notes, Mike. I will go through them & see what I missed.
Points awarded,
Thanks for all replies
Tim