Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Restricted FTP - is it possible ?

Posted on 1997-07-03
6
Medium Priority
?
440 Views
Last Modified: 2013-12-23
Hi,

    The problem I'm trying to solve is giving a customer of ours access via
    ftp to only one directory, and restricting him from doing anything
    besides down- and up-loading to that single directory (I was thinking of
    an anonymous FTP that requires a username/password to login, living
    within a Rsh account, as a possible solution. However, anonymous FTP
    that requires a username seems like a contradiction in term).

If this problem is
solvable , what I'd really like to do is
restrict the customer to two directories - one where he can download only
and one where he can upload only.

The system I need the solution on is Dec Unix 3.2c

Thanks,
Ron.
0
Comment
Question by:ronbarak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 

Expert Comment

by:case051397
ID: 1582189
Here we go:
1. make a new group in /etc/group, like "ftpusers"
2. let your ftp users be of group "ftpusers"
3. set up the home directory for the users like
   foo:xyz:10000:ftpusers:/home/stuff/foo/ftpdir:/sbin/nologin *)
   in /etc/passwd
   *) - instead of a "nologin" /dev/null works also
4. now the tricky stuff
   - it's important that foo's homedir is not just
     /home/stuff/foo
     and also not
     /home/foo    or /home/foo/ftpdir
     but
     /home/stuff/foo/ftpdir
   - make this directory
     chown foo ftpdir
     and
     chgrp nobody ftpdir   <- that means: NOT ftpusers!!!
   - make the file permissions for this directory
     chmod 770 ftpdir
   - make /home/stuff/foo
     chown nobody foo
     chgrp nogroup foo
   - make the file permissions for this directory
     chmod 754 foo

So, if you did a "ls -al" in /home/stuff/foo/ftpdir,
you should get the following output:

drwxrwx---  2 foo    nogroup  (...)   .
drwxr-xr--  1 nobody nogroup  (...)   ..
-rw-r-----  1 foo    ftpusers (...)   archive.tar.gz

Of course, the last one's permissions depend on your
/etc/ftpaccess settings.

The only stupid thing about this solution is that
foo can't get the working directory with "pwd".

This solution should work with WU-ftpd (at least,
here it does).

0
 

Author Comment

by:ronbarak
ID: 1582190
Hi Case,
I followed your suggestions, but, though now telnet is regected for the ftpuser account, so is ftp. When the user tries to ftp he gets:

530 User ftpuser access denied.
Login failed.

Seems, that (on Dec Unix 3.2 at least) setting /sbin/nologin in the /etc/passwd file - blocks the user compleatly.

Ideas ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582191
Hi, Ronbarak,

sorry, my fault: to gain ftp access, the last
entry in /etc/passwd has to be a "valid" shell.

That means, this last entry has to meet at least
one and depending on the Un*x version, two points:

1st: the shell has to be kind of an executable
       file. "kind of": /dev/null isn't _that_
       executable, is it? :) So, if you don't
       have such a /some-path/nologin binary,
       simply use /dev/null.

2nd: try to "grep" for "bin/sh" in your /etc
       directory. Since I am not the Dec guru,
       I can only give you a hint that comes
       from SunOS/Solaris/BSD/Linux: There is
       a file called /etc/shells that lists
       all "valid" shells. If the shell field
       in /etc/passwd isn't in that file, user
       cannot telnet, ftp or the like ("access
       denied"). Check for this or something
       like that. Maybe a "man passwd" can tell
       you more.

Success!
0
Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

 

Author Comment

by:ronbarak
ID: 1582192
Hi Case,
I added /usr/bin/Rsh as the user's shell (ant it is in /etc/shells). However, now the situation is much worse:
The user can telnet to the machine, but - get to "/" as it's home dir with the message:

No directory!
Logging in with home = "/".

and, when ftping, he cam move freely in the file system, and get whichever files are available.

Seems we're back to square one ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582193
Are you using WU-ftpd?
0
 
LVL 4

Accepted Solution

by:
rembo earned 400 total points
ID: 1582194


I would recommend the approach of doing a chroot in the login
for anonymous ftp.  Create the directory structure in a
subdirectory, then do a chroot to the subdirectory and the
user will only be able to move around in there.

You can do one of two things.  You can specify a script
in the /etc/passwd file that does a chdir, a chroot and
then execs a shell or you can do it in the .login.  Obviously,
the passwd route is more secure.  This will restrict the
user to only working inside the area you've put him in.

-Tony


0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question