From Wiki-UX.info


How to set up restricted ftp

Abstract

This article explains how to configure restricted (chrooted) FTP access on the HP-UX 11i Operating Environment.


Background

What if you want your users to authenticate themselves, but without giving them a login prompt or the ability to explore the system outside their own directory? That is a restricted FTP user: ftpd authenticates the account normally, then chroots the session to the user's home directory so the rest of the file system is invisible.

In the following example, a user called bob is created. The steps for creating a restricted FTP user are almost identical to those for setting up anonymous FTP.

1. Add a system group called ftponly in the /etc/group file.

# groupadd ftponly

2. Create a new user bob who is a member of the ftponly group. The shell for this user must be /usr/bin/false, so that bob cannot log in at a prompt. The home directory field of the restricted FTP user's /etc/passwd entry has two portions, separated by /./ .

The first portion is the directory that becomes this user's root (/); ftpd chroots to it. The second portion, relative to that root, is the directory the user is automatically placed in when the ftp session opens.

In the following example, bob is really confined to /home/bob, but to bob that directory looks like /. When an ftp session is established as user bob, it starts in /pub, which is really /home/bob/pub.

# grep bob /etc/passwd
bob:(password):802:108:,,,:/home/bob/./pub/:/usr/bin/false

3. Create the directory structure. It is identical to that of anonymous FTP, except that the "pub" directory has a different owner.


Directory           Owner   Group              Mode
/home/bob           root    other              555
/home/bob/dist      root    other              555
/home/bob/etc       root    other              555
/home/bob/pub       bob     ftponly or other   755 or 1733 (default 777); only if needed
/home/bob/usr       root    other              555
/home/bob/usr/bin   root    other              555

pub is the only directory the restricted user can write to, so create it only if uploads are required. Mode 1733 (sticky bit, no read permission for group and others) lets clients drop files in without listing or deleting each other's uploads; 755 is appropriate when only bob writes there. Everything else is owned by root and read-only.


4. Copy /sbin/ls into the restricted FTP user's /usr/bin directory. The /sbin version is statically linked, so it runs inside the chroot without any shared libraries having to be copied in.

# cp /sbin/ls /home/bob/usr/bin/ls


5. Copy /etc/passwd and /etc/group into the restricted FTP user's /etc directory.

# cp /etc/passwd /home/bob/etc/passwd
# cp /etc/group /home/bob/etc/group

6. Edit the copied passwd file so that only root and the restricted user are listed. If the system is not a trusted system (that is, the password hashes live in /etc/passwd rather than in /tcb), replace each hashed password with "*": the copy is world-readable inside the chroot and must not leak hashes.

7. Edit the copied group file so that only other and ftponly are listed.

8. Make sure the false shell is listed in /etc/shells; ftpd refuses logins for accounts whose shell is not listed there.

/usr/bin/sh
/sbin/sh
/usr/bin/false


9. Double check the permissions on the directories and files:

# ll -d /home/bob
dr-xr-xr-x   6 root  other  1024 Apr  4 08:45 /home/bob
 
# ll -R /home/bob
total 0
dr-xr-xr-x   2 root  other           96 Apr  4 08:21 dist
dr-xr-xr-x   2 root  other           96 Apr  4 09:13 etc
drwxr-xr-x   2 bob   ftponly         96 Apr  4 08:20 pub
dr-xr-xr-x   3 root  other           96 Apr  4 08:18 usr
 
/home/bob/dist:
total 0
 
/home/bob/etc:
total 4
-r--r--r--   1 root  other           46 Apr  4 09:13 group
-r--r--r--   1 root  other           77 Apr  4 08:46 passwd
 
/home/bob/pub:
total 0
 
/home/bob/usr:
total 0
dr-xr-xr-x   2 root  other           96 Apr  4 08:38 bin
 
/home/bob/usr/bin:
total 560
-r-xr-xr-x   1 root  other       286720 Apr  4 08:38 ls

10. If the ftp entry in /etc/inetd.conf is not already using the ftpaccess file, update it so that it looks like the following. The -a option makes ftpd read /etc/ftpd/ftpaccess (the path is fixed; the option takes no argument).

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

Remember to force inetd to re-read its configuration file (inetd -c).

11. If you don't have a /etc/ftpd/ftpgroups file, create one.

# touch /etc/ftpd/ftpgroups

12. Edit /etc/ftpd/ftpaccess and make sure it contains a guestgroup line naming the group you assigned to your restricted FTP user, so that members of that group are treated as "guests":

guestgroup ftponly

Optionally, change the logging settings in the ftpaccess file to include guest users; as far as ftpd is concerned, the restricted FTP user is a guest user.

log commands real,guest
log transfers anonymous,real,guest inbound,outbound

Let's give it a try:

ftp testbox
Connected to testbox.somedomain.com.
220 testbox.somedomain.com FTP server (Version 1.1.214.4(PHNE_23950) Tue May 22 05:49:01 GMT 2001) ready.
Name (ctg700:root): bob
331 Password required for bob.
Password:
230 User bob logged in.  Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/pub" is current directory.
ftp> cd ./
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 0
dr-xr-xr-x   2 root  other           96 Apr  4 08:21 dist
dr-xr-xr-x   2 root  other           96 Apr  4 09:13 etc
drwxr-xr-x   2 bob   ftponly         96 Apr  4 08:20 pub
dr-xr-xr-x   3 root  other           96 Apr  4 08:18 usr
226 Transfer complete.
ftp> cd pub
250 CWD command successful.
ftp> put myfile
200 PORT command successful.
150 Opening BINARY mode data connection for myfile.
226 Transfer complete.
16 bytes sent in 0.00 seconds (56.61 Kbytes/s)
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 2
-rw-r-----   1 bob        ftponly         16 Apr  4 09:27 myfile
226 Transfer complete.
ftp>

This page was last modified on 3 August 2010, at 03:32.