Solved

Restricted FTP - is it possible ?

Posted on 1997-07-03
6
429 Views
Last Modified: 2013-12-23
Hi,

    The problem I'm trying to solve is giving a customer of ours access via
    ftp to only one directory, and restricting him from doing anything
    besides down- and up-loading to that single directory (I was thinking of
    an anonymous FTP that requires a username/password to login, living
    within a Rsh account, as a possible solution. However, anonymous FTP
    that requires a username seems like a contradiction in term).

If this problem is
solvable , what I'd really like to do is
restrict the customer to two directories - one where he can download only
and one where he can upload only.

The system I need the solution on is Dec Unix 3.2c

Thanks,
Ron.
0
Comment
Question by:ronbarak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 

Expert Comment

by:case051397
ID: 1582189
Here we go:
1. make a new group in /etc/group, like "ftpusers"
2. let your ftp users be of group "ftpusers"
3. set up the home directory for the users like
   foo:xyz:10000:ftpusers:/home/stuff/foo/ftpdir:/sbin/nologin *)
   in /etc/passwd
   *) - instead of a "nologin" /dev/null works also
4. now the tricky stuff
   - it's important that foo's homedir is not just
     /home/stuff/foo
     and also not
     /home/foo    or /home/foo/ftpdir
     but
     /home/stuff/foo/ftpdir
   - make this directory
     chown foo ftpdir
     and
     chgrp nobody ftpdir   <- that means: NOT ftpusers!!!
   - make the file permissions for this directory
     chmod 770 ftpdir
   - make /home/stuff/foo
     chown nobody foo
     chgrp nogroup foo
   - make the file permissions for this directory
     chmod 754 foo

So, if you did a "ls -al" in /home/stuff/foo/ftpdir,
you should get the following output:

drwxrwx---  2 foo    nogroup  (...)   .
drwxr-xr--  1 nobody nogroup  (...)   ..
-rw-r-----  1 foo    ftpusers (...)   archive.tar.gz

Of course, the last one's permissions depend on your
/etc/ftpaccess settings.

The only stupid thing about this solution is that
foo can't get the working directory with "pwd".

This solution should work with WU-ftpd (at least,
here it does).

0
 

Author Comment

by:ronbarak
ID: 1582190
Hi Case,
I followed your suggestions, but, though now telnet is regected for the ftpuser account, so is ftp. When the user tries to ftp he gets:

530 User ftpuser access denied.
Login failed.

Seems, that (on Dec Unix 3.2 at least) setting /sbin/nologin in the /etc/passwd file - blocks the user compleatly.

Ideas ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582191
Hi, Ronbarak,

sorry, my fault: to gain ftp access, the last
entry in /etc/passwd has to be a "valid" shell.

That means, this last entry has to meet at least
one and depending on the Un*x version, two points:

1st: the shell has to be kind of an executable
       file. "kind of": /dev/null isn't _that_
       executable, is it? :) So, if you don't
       have such a /some-path/nologin binary,
       simply use /dev/null.

2nd: try to "grep" for "bin/sh" in your /etc
       directory. Since I am not the Dec guru,
       I can only give you a hint that comes
       from SunOS/Solaris/BSD/Linux: There is
       a file called /etc/shells that lists
       all "valid" shells. If the shell field
       in /etc/passwd isn't in that file, user
       cannot telnet, ftp or the like ("access
       denied"). Check for this or something
       like that. Maybe a "man passwd" can tell
       you more.

Success!
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 

Author Comment

by:ronbarak
ID: 1582192
Hi Case,
I added /usr/bin/Rsh as the user's shell (ant it is in /etc/shells). However, now the situation is much worse:
The user can telnet to the machine, but - get to "/" as it's home dir with the message:

No directory!
Logging in with home = "/".

and, when ftping, he cam move freely in the file system, and get whichever files are available.

Seems we're back to square one ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582193
Are you using WU-ftpd?
0
 
LVL 4

Accepted Solution

by:
rembo earned 200 total points
ID: 1582194


I would recommend the approach of doing a chroot in the login
for anonymous ftp.  Create the directory structure in a
subdirectory, then do a chroot to the subdirectory and the
user will only be able to move around in there.

You can do one of two things.  You can specify a script
in the /etc/passwd file that does a chdir, a chroot and
then execs a shell or you can do it in the .login.  Obviously,
the passwd route is more secure.  This will restrict the
user to only working inside the area you've put him in.

-Tony


0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s list some of the technologies that enable smooth teleworking. 
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question