Solved

Restricted FTP - is it possible ?

Posted on 1997-07-03
6
404 Views
Last Modified: 2013-12-23
Hi,

    The problem I'm trying to solve is giving a customer of ours access via
    ftp to only one directory, and restricting him from doing anything
    besides down- and up-loading to that single directory (I was thinking of
    an anonymous FTP that requires a username/password to login, living
    within a Rsh account, as a possible solution. However, anonymous FTP
    that requires a username seems like a contradiction in term).

If this problem is
solvable , what I'd really like to do is
restrict the customer to two directories - one where he can download only
and one where he can upload only.

The system I need the solution on is Dec Unix 3.2c

Thanks,
Ron.
0
Comment
Question by:ronbarak
  • 3
  • 2
6 Comments
 

Expert Comment

by:case051397
ID: 1582189
Here we go:
1. make a new group in /etc/group, like "ftpusers"
2. let your ftp users be of group "ftpusers"
3. set up the home directory for the users like
   foo:xyz:10000:ftpusers:/home/stuff/foo/ftpdir:/sbin/nologin *)
   in /etc/passwd
   *) - instead of a "nologin" /dev/null works also
4. now the tricky stuff
   - it's important that foo's homedir is not just
     /home/stuff/foo
     and also not
     /home/foo    or /home/foo/ftpdir
     but
     /home/stuff/foo/ftpdir
   - make this directory
     chown foo ftpdir
     and
     chgrp nobody ftpdir   <- that means: NOT ftpusers!!!
   - make the file permissions for this directory
     chmod 770 ftpdir
   - make /home/stuff/foo
     chown nobody foo
     chgrp nogroup foo
   - make the file permissions for this directory
     chmod 754 foo

So, if you did a "ls -al" in /home/stuff/foo/ftpdir,
you should get the following output:

drwxrwx---  2 foo    nogroup  (...)   .
drwxr-xr--  1 nobody nogroup  (...)   ..
-rw-r-----  1 foo    ftpusers (...)   archive.tar.gz

Of course, the last one's permissions depend on your
/etc/ftpaccess settings.

The only stupid thing about this solution is that
foo can't get the working directory with "pwd".

This solution should work with WU-ftpd (at least,
here it does).

0
 

Author Comment

by:ronbarak
ID: 1582190
Hi Case,
I followed your suggestions, but, though now telnet is regected for the ftpuser account, so is ftp. When the user tries to ftp he gets:

530 User ftpuser access denied.
Login failed.

Seems, that (on Dec Unix 3.2 at least) setting /sbin/nologin in the /etc/passwd file - blocks the user compleatly.

Ideas ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582191
Hi, Ronbarak,

sorry, my fault: to gain ftp access, the last
entry in /etc/passwd has to be a "valid" shell.

That means, this last entry has to meet at least
one and depending on the Un*x version, two points:

1st: the shell has to be kind of an executable
       file. "kind of": /dev/null isn't _that_
       executable, is it? :) So, if you don't
       have such a /some-path/nologin binary,
       simply use /dev/null.

2nd: try to "grep" for "bin/sh" in your /etc
       directory. Since I am not the Dec guru,
       I can only give you a hint that comes
       from SunOS/Solaris/BSD/Linux: There is
       a file called /etc/shells that lists
       all "valid" shells. If the shell field
       in /etc/passwd isn't in that file, user
       cannot telnet, ftp or the like ("access
       denied"). Check for this or something
       like that. Maybe a "man passwd" can tell
       you more.

Success!
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:ronbarak
ID: 1582192
Hi Case,
I added /usr/bin/Rsh as the user's shell (ant it is in /etc/shells). However, now the situation is much worse:
The user can telnet to the machine, but - get to "/" as it's home dir with the message:

No directory!
Logging in with home = "/".

and, when ftping, he cam move freely in the file system, and get whichever files are available.

Seems we're back to square one ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582193
Are you using WU-ftpd?
0
 
LVL 4

Accepted Solution

by:
rembo earned 200 total points
ID: 1582194


I would recommend the approach of doing a chroot in the login
for anonymous ftp.  Create the directory structure in a
subdirectory, then do a chroot to the subdirectory and the
user will only be able to move around in there.

You can do one of two things.  You can specify a script
in the /etc/passwd file that does a chdir, a chroot and
then execs a shell or you can do it in the .login.  Obviously,
the passwd route is more secure.  This will restrict the
user to only working inside the area you've put him in.

-Tony


0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now