How to set up restricted ftp
This article explains how to configure restricted ftp access on HP-UX 11i Operating Environment.
What if you want your users to authenticate themselves, but not have access to a login prompt, and you don't want them to have the ability to explore the system outside their own directory? That would be a restricted FTP user.
In the following example, a user called bob is created. When creating a restricted FTP user, the steps are almost identical to those for setting up anonymous FTP.
1. Add a system group called ftponly in the /etc/group file.
# groupadd ftponly
2. Create a new user bob who is a member of the ftponly group. The shell for this user should be /usr/bin/false. The home directory field of a restricted FTP user's /etc/passwd entry has two portions, separated by "/./".
The first portion is the directory that will become this user's root (/). The second portion is the directory they will automatically be placed in when they open the ftp session.
In the following example, bob will actually be in /home/bob, but to bob it will only look like /. When an ftp session is established for the user bob, it will be placed in /pub, which is really /home/bob/pub.
# grep bob /etc/passwd
bob:(password):802:108:,,,:/home/bob/./pub/:/usr/bin/false
3. Create the directory structure. This is identical to that of anonymous FTP except it will have a different owner on the "pub" directory.
(Only if needed)
Directory   Owner   Group               Permissions
pub         bob     ftponly or other    755 or 1733
4. Copy /sbin/ls into the restricted FTP user's /usr/bin directory.
# cp /sbin/ls /home/bob/usr/bin/ls
5. Copy /etc/passwd and /etc/group into the restricted FTP user's /etc directory.
# cp /etc/passwd /home/bob/etc/passwd
# cp /etc/group /home/bob/etc/group
6. Edit the copied passwd file so that only root and the user's ID are listed. If the system is not trusted, replace the hashed password with a "*".
7. Edit the copied group file so that only other and ftponly are listed.
8. Make sure the false shell is listed in /etc/shells.
/usr/bin/sh
/sbin/sh
/usr/bin/false
9. Double check the permissions on the directories and files:
# ll -d /home/bob
dr-xr-xr-x   6 root       other         1024 Apr  4 08:45 /home/bob
# ll -R /home/bob
total 0
dr-xr-xr-x   2 root       other           96 Apr  4 08:21 dist
dr-xr-xr-x   2 root       other           96 Apr  4 09:13 etc
drwxr-xr-x   2 bob        ftponly         96 Apr  4 08:20 pub
dr-xr-xr-x   3 root       other           96 Apr  4 08:18 usr

/home/bob/dist:
total 0

/home/bob/etc:
total 4
-r--r--r--   1 root       other           46 Apr  4 09:13 group
-r--r--r--   1 root       other           77 Apr  4 08:46 passwd

/home/bob/pub:
total 0

/home/bob/usr:
total 0
dr-xr-xr-x   2 root       other           96 Apr  4 08:38 bin

/home/bob/usr/bin:
total 560
-r-xr-xr-x   1 root       other       286720 Apr  4 08:38 ls
10. If the entry in inetd.conf is not already using the ftpaccess file, update it so that it looks like:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a etc/ftpd/ftpaccess
Remember to force inetd to re-read the config file (inetd -c).
11. If you don't have a /etc/ftpd/ftpgroups file, create one.
# touch /etc/ftpd/ftpgroups
12. Specify which group of users will be treated as "guests". Edit the ftpaccess file to make sure it includes a line that names the same group you assigned to your restricted FTP user:
guestgroup ftponly
Optionally, change the logging settings to include guest users in the ftpaccess file. The restricted FTP user is considered a guest user.
log commands real,guest
log transfers anonymous,real,guest inbound,outbound
Let's give it a try:
ftp testbox
Connected to testbox.somedomain.com.
220 testbox.somedomain.com FTP server (Version 220.127.116.11(PHNE_23950) Tue May 22 05:49:01 GMT 2001) ready.
Name (ctg700:root): bob
331 Password required for bob.
Password:
230 User bob logged in.  Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/pub" is current directory.
ftp> cd ./
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 0
dr-xr-xr-x   2 root       other           96 Apr  4 08:21 dist
dr-xr-xr-x   2 root       other           96 Apr  4 09:13 etc
drwxr-xr-x   2 bob        ftponly         96 Apr  4 08:20 pub
dr-xr-xr-x   3 root       other           96 Apr  4 08:18 usr
226 Transfer complete.
ftp> cd pub
250 CWD command successful.
ftp> put myfile
200 PORT command successful.
150 Opening BINARY mode data connection for myfile.
226 Transfer complete.
16 bytes sent in 0.00 seconds (56.61 Kbytes/s)
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 2
-rw-r-----   1 bob        ftponly         16 Apr  4 09:27 myfile
226 Transfer complete.
ftp>
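As an added example, not part of the original article or of HP-UX, here is a POSIX sh audit of the jail built in steps 2 through 12: it checks the "/./" marker and false shell in the passwd entry, that the passwd copy inside the jail carries no hashes, that the jail's system directories are not group/other writable, that the private ls and the pub directory exist, and that ftpaccess names the guest group. Jail path, user, group and file locations are parameters (assumed, so it can also run against a constructed jail), and the file names inside the jail follow the article.

```sh
#!/bin/sh
# check_ftp_jail <jail-root> <user> <guest-group> <passwd-file> <ftpaccess-file>
# Audits a jail laid out as in the steps above (paths are parameters so the
# constructed test jail below and a real /home/bob both work). Prints one
# line per problem and returns 0 only when none was found.
check_ftp_jail() {
    jail=$1 user=$2 group=$3 passwd=$4 ftpaccess=$5 rc=0
    # The home field needs the "/./" marker (chroot root on the left, start
    # directory on the right) and the shell must be /usr/bin/false.
    entry=$(grep "^${user}:" "$passwd" || true)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case $home in
        */./*) ;;
        *) echo "FAIL: home field for $user has no /./ marker: '$home'"; rc=1 ;;
    esac
    [ "$shell" = /usr/bin/false ] || { echo "FAIL: shell for $user is '$shell'"; rc=1; }
    # The passwd copy inside the jail is readable over FTP, so every
    # password field in it must be "*", never a hash.
    if [ -f "$jail/etc/passwd" ]; then
        awk -F: '$2 != "*" { bad = 1 } END { exit (bad ? 1 : 0) }' "$jail/etc/passwd" \
            || { echo "FAIL: $jail/etc/passwd still holds password hashes"; rc=1; }
    else
        echo "FAIL: $jail/etc/passwd is missing"; rc=1
    fi
    # Root and system directories of the jail must not be writable by group
    # or other, or the user could replace the private ls or passwd copy.
    for d in "$jail" "$jail/etc" "$jail/usr" "$jail/usr/bin"; do
        perms=$(ls -ld "$d" 2>/dev/null | cut -c1-10)
        case $perms in
            ?????w????|????????w?) echo "FAIL: $d is group/other writable ($perms)"; rc=1 ;;
            d*) ;;
            *) echo "FAIL: $d is not a directory"; rc=1 ;;
        esac
    done
    [ -x "$jail/usr/bin/ls" ] || { echo "FAIL: no ls binary inside the jail"; rc=1; }
    [ -d "$jail/pub" ] || { echo "FAIL: upload directory $jail/pub is missing"; rc=1; }
    # Without a guestgroup line naming the group, ftpd will not treat the user as a guest.
    awk -v g="$group" '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
        END { exit (ok ? 0 : 1) }' "$ftpaccess" \
        || { echo "FAIL: no 'guestgroup $group' line in $ftpaccess"; rc=1; }
    return $rc
}
```

On the real system run it as root, for example: check_ftp_jail /home/bob bob ftponly /etc/passwd /etc/ftpd/ftpaccess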