Solved

Restricted FTP - is it possible ?

Posted on 1997-07-03
6
434 Views
Last Modified: 2013-12-23
Hi,

    The problem I'm trying to solve is giving a customer of ours access via
    ftp to only one directory, and restricting him from doing anything
    besides down- and up-loading to that single directory (I was thinking of
    an anonymous FTP that requires a username/password to login, living
    within a Rsh account, as a possible solution. However, anonymous FTP
    that requires a username seems like a contradiction in term).

If this problem is
solvable , what I'd really like to do is
restrict the customer to two directories - one where he can download only
and one where he can upload only.

The system I need the solution on is Dec Unix 3.2c

Thanks,
Ron.
0
Comment
Question by:ronbarak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 

Expert Comment

by:case051397
ID: 1582189
Here we go:
1. make a new group in /etc/group, like "ftpusers"
2. let your ftp users be of group "ftpusers"
3. set up the home directory for the users like
   foo:xyz:10000:ftpusers:/home/stuff/foo/ftpdir:/sbin/nologin *)
   in /etc/passwd
   *) - instead of a "nologin" /dev/null works also
4. now the tricky stuff
   - it's important that foo's homedir is not just
     /home/stuff/foo
     and also not
     /home/foo    or /home/foo/ftpdir
     but
     /home/stuff/foo/ftpdir
   - make this directory
     chown foo ftpdir
     and
     chgrp nobody ftpdir   <- that means: NOT ftpusers!!!
   - make the file permissions for this directory
     chmod 770 ftpdir
   - make /home/stuff/foo
     chown nobody foo
     chgrp nogroup foo
   - make the file permissions for this directory
     chmod 754 foo

So, if you did a "ls -al" in /home/stuff/foo/ftpdir,
you should get the following output:

drwxrwx---  2 foo    nogroup  (...)   .
drwxr-xr--  1 nobody nogroup  (...)   ..
-rw-r-----  1 foo    ftpusers (...)   archive.tar.gz

Of course, the last one's permissions depend on your
/etc/ftpaccess settings.

The only stupid thing about this solution is that
foo can't get the working directory with "pwd".

This solution should work with WU-ftpd (at least,
here it does).

0
 

Author Comment

by:ronbarak
ID: 1582190
Hi Case,
I followed your suggestions, but, though now telnet is regected for the ftpuser account, so is ftp. When the user tries to ftp he gets:

530 User ftpuser access denied.
Login failed.

Seems, that (on Dec Unix 3.2 at least) setting /sbin/nologin in the /etc/passwd file - blocks the user compleatly.

Ideas ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582191
Hi, Ronbarak,

sorry, my fault: to gain ftp access, the last
entry in /etc/passwd has to be a "valid" shell.

That means, this last entry has to meet at least
one and depending on the Un*x version, two points:

1st: the shell has to be kind of an executable
       file. "kind of": /dev/null isn't _that_
       executable, is it? :) So, if you don't
       have such a /some-path/nologin binary,
       simply use /dev/null.

2nd: try to "grep" for "bin/sh" in your /etc
       directory. Since I am not the Dec guru,
       I can only give you a hint that comes
       from SunOS/Solaris/BSD/Linux: There is
       a file called /etc/shells that lists
       all "valid" shells. If the shell field
       in /etc/passwd isn't in that file, user
       cannot telnet, ftp or the like ("access
       denied"). Check for this or something
       like that. Maybe a "man passwd" can tell
       you more.

Success!
0
Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

 

Author Comment

by:ronbarak
ID: 1582192
Hi Case,
I added /usr/bin/Rsh as the user's shell (ant it is in /etc/shells). However, now the situation is much worse:
The user can telnet to the machine, but - get to "/" as it's home dir with the message:

No directory!
Logging in with home = "/".

and, when ftping, he cam move freely in the file system, and get whichever files are available.

Seems we're back to square one ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582193
Are you using WU-ftpd?
0
 
LVL 4

Accepted Solution

by:
rembo earned 200 total points
ID: 1582194


I would recommend the approach of doing a chroot in the login
for anonymous ftp.  Create the directory structure in a
subdirectory, then do a chroot to the subdirectory and the
user will only be able to move around in there.

You can do one of two things.  You can specify a script
in the /etc/passwd file that does a chdir, a chroot and
then execs a shell or you can do it in the .login.  Obviously,
the passwd route is more secure.  This will restrict the
user to only working inside the area you've put him in.

-Tony


0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
This program is used to assist in finding and resolving common problems with wireless connections.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses
Course of the Month3 days, 17 hours left to enroll

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question