elfield

asked on

How to create a new UNIX user that can only FTP to a specific directory

I need to create a new user that can FTP (get/put/ls) to a specific directory and not be able to navigate to any other directory.  Also, I need to prevent telnet access for that user.  The system is running Solaris 2.7.

I've succeeded in creating the user, and assigning it to a directory.  But I haven't found the proper combinations of permissions to make it work.  I.e., I can't figure out how to allow upload/download, but prevent "cd .." (which allows access to other directories).
liddler

Download / install ProFTPD, which allows a chrooted environment; there are plenty of docs about if you get stuck. Here's a good article: http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Chroot.html
elfield (ASKER)

Thanks, but I don't want to change FTP servers.

In fact, the reason I need to create this user is to allow an outside person to test something related to this FTP server.  
You can use the restricted shell to prevent the user from doing cd or any other command you want to restrict.

To do this, assign the user the restricted shell in /etc/passwd.
The shell is "/usr/lib/rsh".

Then, set the PATH variable of the user to some directory, say /home/resCommands,
and remove all other paths.

In this directory make links to the commands you want the user to be able to execute (ls, for example).

To check the advantages of the restricted shell please refer to the man page rsh(1M).

Using these settings the user will be able to ftp to his own directory, but will not be able to do 'cd'
Hope this will help you, any more clarifications please ask

Regards
Waleed Saber
elfield (ASKER)

I think I understand.  But it seems that the FTP server would issue the "cd" operation internally -- by calling the C function chdir() -- in which case the restricted shell does not seem applicable.
If you insist on Solaris' ftpd, then you need to set up a directory which only has access for that specific user, using basic filesystem permissions with chmod.
Unfortunately, you cannot restrict cd .. this way, so best you start at / with that directory.
You need to remove the r and x bits for "world" from all other directories.
Not a nice job to do ... I'd switch the ftpd.
Could you set them up as an "anonymous ftp" user?  Anonymous ftp prevents telnet access & locks them into the ftp user home directory so they can cd to subdirectories but can't go above their "root" (home) directory;  (I believe ftpd handles this as a special case if the userid is "ftp" or "anonymous")

See the man page for ftpd, which gives all the setup details.

The downside is that anyone can connect to the anonymous ftp account...
to prevent telnet access, simply set the shell in /etc/passwd to /bin/false (or even /bin/true)
There is a way (of course) even if you don't want to have the user in the guest group.
You will need to run a second instance of the ftp server (and possibly inetd) in a chroot jail, listening on a different port (unless no other ftp daemon needs to be running).
If you don't trust the user whatsoever, the chroot way could be safer. There are a few things to consider even then... it's a bit more work, but on the other hand you can shape the jail environment as you want without much impact on the rest of the system.
More details on request ;-)

elfield (ASKER)

These changes are beyond my current UNIX abilities.  I'll pass on the several suggestions to my more UNIX-savvy colleagues -- and get back to you with the results.

I had hoped the change was simple -- but it seems that with ftpd, it's not.
elfield (ASKER)

BTW, the problem I'm trying to address is with my router -- behind which my FTP client is running -- which is connecting to the Solaris machine running ftpd.

The performance when using the router is terrible, but fine without it.  In fact,  when transferring 100 small files, it fails roughly every dozen files.  I want the router manufacturer to see the problem, but don't want to allow access to any other part of the system -- just enough to test FTP transfers.  The problem doesn't occur with Windows FTP servers -- and also not with some other servers.  That's why I want them to connect to this server and to connect to ftpd.

I see.
While waiting for your "UNIX-savvy" colleagues to look up from behind their terminals... :-)

Can you describe how the router is attached to the network?
- Is the router part of
- Is the server "behind" the router only topology-wise? (e.g. could you switch IP network on the server without moving the network cord to another switch?)
- Are the switches attached to the router configured with a fixed speed and duplex? (and if so, are the router interfaces configured the same?)
- Are both the switch port and the Solaris machine NIC configured with a fixed speed and duplex?

You could also enable some more logging by adding the -dl switches to the server command line in inetd.conf (make sure syslog saves "debug" messages - see man page for in.ftpd and syslog.conf)
Hopefully you'll see what the ftp server thinks is wrong, and that may help you troubleshoot the issue further.

Not long ago we had problems uploading to an ftp server, actually several servers (Solaris 8), at regular intervals. The servers were configured exactly the same, and located in the same network segment, so naturally "they" blamed the server configuration... it turned out to be a faulty client (a Java program in this case). So it could be that different clients are more "suited" to work towards a certain server as well. Have you tried other clients?

/b
I know this doesn't help here, but for info: Solaris 9 (& HP-UX 11) support chrooted non-anonymous ftp access - See man page for ftpaccess(4) as well as `man ftpd`
elfield (ASKER)

The router/switch is a 4-port Compex NP16A connected to an ADSL modem.

The same problem occurs with several FTP clients.  About 10-12 files are transferred -- then "Can't build data connection: Connection refused".

The problem does not occur when the router is removed.

The problem does not occur when connecting to a Windows FTP server.
The Compex router has an optional firewall capability, so it's possible it's blocking the port that the Solaris server is trying to send data to the client through (which would give that error message); though I can't see why it should work for a few files and then fail OR why Windows machines should work.  You may find these links useful:

http://www.sunhelp.org/pipermail/sunhelp/2001-July/011973.html 
http://slacksite.com/other/ftp.html
http://www.cpx.com/prodimages/NP16A.PDF

The NP16A manual says the firewall keeps a log, which might tell you what is being blocked & why.  It also implies it does packet content checking, which might also explain why it works for a bit and then stops...
elfield (ASKER)

The firewall is disabled (because there are more serious problems when it's enabled).  I hope to address them after this problem is resolved.

Thanks for the links.
Ok, so I assume that one of the reasons you are using the router/firewall is to have more than one host accessing your ADSL line using the router's NAT features?

NAT requires session management capabilities, and such require 'memory' and probably more specifically hash tables.
The FTP protocol needs special handling in the NAT device, since the server connects back to the client. So depending on whether your client uses ACTIVE or PASSIVE mode the router will be more or less involved.
In ACTIVE mode the client will send control data towards port 21 on the server, and when data is requested the server will connect back to the client _from_ port 20 to whatever port the client has opened for data transfers (usually SRCport+1).
Hence the NAT device must snoop the FTP control channel to see what port the client wants to open, and dynamically open this port back to the client.
In PASSIVE mode it's always the client that initiates the connections, also for data transfers, hence the connection will be handled as any other outbound connection.

Since we/you already know that the router makes all the difference, I would guess that the transfer mode also differs when you connect to the NT server vs the Sun server, and that's why you don't see the problem for some servers.
Could you try to force the mode to passive in the client and see if that makes it better?
If it does, the problem with the router is probably a limited hash table for the FTP protocol "fixup".

elfield (ASKER)

Yes, the main reason for the router is to share an internet connection -- although nearly all traffic is via one computer.

Yes -- I've tested this with several FTP clients.

FTP clients that support the passive mode are able to recover the "connection refused" error (see log below).  But that fact raises several questions and issues:

1.   When connecting to a Windows FTP server with a client that does NOT support passive mode (e.g., the command line client that comes with Windows, or older versions of ws_ftp), there are no transfer problems.

2.   When using a client that does support passive mode, the transfers are much slower when passive mode is forced on.

3.   Even in active mode, it seems that a router should be able to transfer any number of files.  I.e., the files are small -- they are being transferred sequentially (not concurrently) and there is no other significant network traffic.

If the answer to point 3 is "yes", given the amount of trouble I'm having just communicating this point to Compex (their software engineers are in Singapore),  can anyone suggest another router and/or router manufacturer that provides better performance and support?  My requirements are 3+ wired ports, wireless access, serial port for backup modem dialup, SPI firewall.

(P.S.  Thanks for addressing this somewhat off-topic part of this problem.)


-- log fragment (first failure occurred after about 12 successful file transfers)  --
transferred 165 bytes in 3.124 seconds, 422.469 Bps ( 52.809 Bps), transfer succeeded.
PORT 192,168,168,102,9,240
200 PORT command successful.
STOR a063
425 Can't build data connection: Connection refused.
PASV
227 Entering Passive Mode (195,173,48,236,224,158)
connecting data channel to 195.173.48.236:224,158(57502)
data channel connected to 195.173.48.236:224,158(57502)
STOR a063
150 Binary data connection for a063 (69.104.100.21,4250).
226 Transfer complete.
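An added example (not code from any poster in this thread) that decodes the h1,h2,h3,h4,p1,p2 tuples carried by the PORT command and the 227 reply to PASV, as in the log fragment above, and reports which side must open the data connection in each mode and whether the advertised address is a private one that the NAT device has to rewrite, which is the "fixup" the earlier active/passive explanation refers to. The two sample lines are copied from the log; the port arithmetic (p1*256+p2) is standard FTP.

```python
import ipaddress
import re

# Both the PORT command (client -> server) and the 227 reply to PASV
# (server -> client) carry the endpoint as six decimal byte groups.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if absent/invalid."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:   # each group is one byte
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def describe_data_channel(line):
    """Classify one control-channel line; None for lines without an endpoint."""
    parsed = decode_hostport(line)
    if parsed is None:
        return None
    ip, port = parsed
    # A private (RFC 1918) address in the control channel is only reachable
    # if the NAT device rewrites it and opens the port: the FTP "fixup".
    private = ipaddress.ip_address(ip).is_private
    if line.upper().startswith("PORT "):
        # Active mode: the server connects back (from port 20) to ip:port.
        return {"mode": "active", "ip": ip, "port": port,
                "initiator": "server", "nat_rewrite_needed": private}
    if line.startswith("227 "):
        # Passive mode: the client connects out to ip:port like any session.
        return {"mode": "passive", "ip": ip, "port": port,
                "initiator": "client", "nat_rewrite_needed": private}
    return None


# Constructed sample: the two endpoint-carrying lines from the log fragment.
SAMPLE_LINES = [
    "PORT 192,168,168,102,9,240",
    "227 Entering Passive Mode (195,173,48,236,224,158)",
]


def analyse(lines):
    """Return a classification for every line that advertises an endpoint."""
    return [r for r in (describe_data_channel(l) for l in lines) if r]
```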

Yes I would expect virtually any number of sequential files should pass through both ways for even the cheapest device.
Though for some reason the server reports connection refused, so there is something causing the router (or some other device in the path) to reject the connection.

Not that I think I'll solve your problem from here, but speculating about possible scenarios may sometimes come close to the real issue or at least have someone decline them :-)
Say that the router has a built-in limit for how many simultaneous data transfers can be active for a given client-server pair. Even though you are transferring in sequence, the connection for each transfer may still be open as far as the router is concerned. The router may be programmed to close/clear the connection state table only when it sees RST packets from both server and client, or after Timeout seconds. If so, if either the server misbehaves, or is fronted by a firewall that does, that may be what is really causing the problem. It's also possible that the router expects to see some acknowledgment in the FTP control channel before closing the connection.
Analyzing and comparing some network traffic between the Solaris and NT transfers may give further input for speculation.

Not that the description says it addresses such a problem, but still - is this patch applied?
http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=110646&rev=05

I use an old PC with linux to do my routing and firewalling.
You can't beat that if you are into doing-it-yourself. :-)

ASKER CERTIFIED SOLUTION
modulo
Hello all,

Could someone here help me to solve the original problem from this thread please?
I have a Solaris 5.8 box; I want to restrict the access of ftp users so they can move (change directory) beyond their own home directory, and I don't want to install any 3rd party ftp server.
Thank you in advance.