I have one for all of you AIX guru's out there -
We have recently taken on a vendor who needs FTP-Put access to a directory on our UNIX server in order to send invoice confirmation files to us. Setting up the basic FTP service on our server was no problem but now I have an issue with security. The directory they need to access is /pro/pronto/edi/in/berger - this is the ONLY directory they need to place files in. I have their user home directory set to /pro/pronto/edi/in so when the session is initated - that's their default directory. The problem is they can cd to any other directory on the system from their with a standard FTP client and that's not a good thing. I can't mess up the security permissions for this directory structure or it will break other functions as well. ANY ideas would be VERY appreciated.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Hi kaesm,
It sounds like you want/need to set up the FTP server so that it forces the client to a particular directory tree using chroot.
Here's a man page on the FTP server daemon. It's probably not detailed enough to get you through configuring the server, but it has a lot of good information. Read through it and see if it offers the kind of protection that you need.
http://resin.csoft.net/cgi
I'll be glad to help you set up the server.
Kent
I have some question of your requirement
"The problem is they can cd to any other directory on the system from their with a standard FTP client and that's not a good thing. I can't mess up the security permissions for this directory structure or it will break other functions as well. ANY ideas would be VERY appreciated"
My question
1. Why do you allow the ftp user access another directory as it is not allowed
2. This is not an ftp issue and this is related to security setup of your installation. Do you allow a telnet session cd to a secure directory and remove files? Of course not and same to ftp users.
The general practicse
Restrict the read/write authority of the fto userid. The ftp userid cannot cd another directory but it doesn't have read/write access authority to other directory other than /pro/pronto/edi/in.
Q
CPC2004
While your observations may seem simple to those experienced in AIX admin they are not to me. Had this been a Windows FTP server - none of this would have even been an issue. There are too many other users who need access to the parent directories to lock them down and not conflict with the other users/programs abilities. I guess what I am trying to say is that I'm not sure how to accomplish what you are suggesting. I've actually tried what you have suggested and only managed to create issue for the developer who is writing the program that all of this is being based on.
KDO
What you have suggested describes what I need to accomplish. Maybe it would be better to set this up using a different directory structure and restrict access to only those folders. Create a /ftp directory as the root ftp directory and construct the tree from there. My understanding of chroot is that it applies to the anonymous users. Can that principle be applied to the specific ftp user I have set up and/or the ftpuser group as well?
Cheers!
MK
Hi MK,
There are actually a lot of things to decide here. Have you read the IBM documentation page on setting up the FTP server?
It's online here:
http://publib.boulder.ibm.
In addition to the chroot(1) performed for user 'anonymous', AIX will also let you define directories as read-only, write-only, read-write, or off-limits.
Kent
Kent,
This is getting me closer to my final destination.
I have an ftp structure configured with /home/ftp set as the root directory when you use the anonymous login. You cannot see the "real" root directory or anything else out of the ./ftp structure. Great - fantastic - exactly what I wanted. If I login using the vendors user account - I can cd anwhere I want. That's a bad thing. Now I just need to get the secure vendor account to behave exactly as the anonymous one does. I have looked at the document noted above but it doesn't prevent the user from migrating where every they desire.
MK
Hi MK,
Cool. We're on the right track. :)
Regarding security, is your user base fairly stable or do you add/delete users fairly often. Also, do you want to allow FTP access for only a small set of users or all/most users?
My thinking here is that if the user base is fairly stable, you can simply add the users that aren't allow FTP access to the /etc/ftpusers file. If you add/delete users fairly often, it can be a pain to keep the files in sync. But a small shell script will do that for you. Start a cron job that runs periodically. If the passwd file has changed, it generates the /etc/ftpusers file. (Of course, this is a backup process as your sysadmin will, of course, run this script every time he adds/deletes a user.)
Last, define the "regular" user that has ftp access in the /etc/ftpaccess.ctl file. This forces AIX/FTP to treat the user as an anonymous account and perform a chroot(1). This may or may not provide the total effect that you want, but it's a starting point.
Kent
Our user base is more or less stable. Like many systems - it does have it's moments of change though. And there are really only a handfull of users that I want to give FTP access to anyway. I'm not sure if the system is reading the ftpaccess.ctl file I've already created or not. It doesn't seem to be. What should the command line be in the inetd for the ftp daemon be so that it reads this file? I'm looking into setting up Proftp as an alternative but I haven't been able to find an rpm package that will install. All of the "affinity" stuff is working as I've installed other rpm packages with no drama.
Matt
That's the command to refresh a subsystem not a subserver. What I have read thus far is to refresh inetd which does what you are refering to. I've actually gone so far as to stop/start the ftpd server via SMIT but that didn't change anything either. I've added the following lines to ftpaccess.ctl;
allow:ftpuser1,ftpuser2,ft
useronly:ftpuser1
We're are reaching critical mass with this from a time perspective so I may do a windows ftp server as a bridge until I can get the UNIX one working correctly.
I've discovered a number dependancies that are not installed for proftpd to work and will need to set that up first. For now - I have locked down the process via our firewall so that it's restricted by IP and FTP-PUT only. They can see the directories but cannot open or view anything. Not the best but it will get this working for now. In the mean time - I'm going to keep working on this. Thanks for everyone's help and if you have anymore suggestions, feel free...
Cheers,
MK
you can fetch bff from www.bullfreeware.com
Business Accounts
Answer for Membership
by: cpc2004Posted on 2005-04-15 at 17:33:31ID: 13795741
Most FTP site use userid anoymous for ftp get and put. They use directory read and write access to enforce security. Unless you use ssh sftp otherwise it is impossible to enforce ftp security.