Solved

Restricted FTP - is it possible ?

Posted on 1997-07-03
6
411 Views
Last Modified: 2013-12-23
Hi,

    The problem I'm trying to solve is giving a customer of ours access via
    ftp to only one directory, and restricting him from doing anything
    besides down- and up-loading to that single directory (I was thinking of
    an anonymous FTP that requires a username/password to login, living
    within a Rsh account, as a possible solution. However, anonymous FTP
    that requires a username seems like a contradiction in term).

If this problem is
solvable , what I'd really like to do is
restrict the customer to two directories - one where he can download only
and one where he can upload only.

The system I need the solution on is Dec Unix 3.2c

Thanks,
Ron.
0
Comment
Question by:ronbarak
  • 3
  • 2
6 Comments
 

Expert Comment

by:case051397
ID: 1582189
Here we go:
1. make a new group in /etc/group, like "ftpusers"
2. let your ftp users be of group "ftpusers"
3. set up the home directory for the users like
   foo:xyz:10000:ftpusers:/home/stuff/foo/ftpdir:/sbin/nologin *)
   in /etc/passwd
   *) - instead of a "nologin" /dev/null works also
4. now the tricky stuff
   - it's important that foo's homedir is not just
     /home/stuff/foo
     and also not
     /home/foo    or /home/foo/ftpdir
     but
     /home/stuff/foo/ftpdir
   - make this directory
     chown foo ftpdir
     and
     chgrp nobody ftpdir   <- that means: NOT ftpusers!!!
   - make the file permissions for this directory
     chmod 770 ftpdir
   - make /home/stuff/foo
     chown nobody foo
     chgrp nogroup foo
   - make the file permissions for this directory
     chmod 754 foo

So, if you did a "ls -al" in /home/stuff/foo/ftpdir,
you should get the following output:

drwxrwx---  2 foo    nogroup  (...)   .
drwxr-xr--  1 nobody nogroup  (...)   ..
-rw-r-----  1 foo    ftpusers (...)   archive.tar.gz

Of course, the last one's permissions depend on your
/etc/ftpaccess settings.

The only stupid thing about this solution is that
foo can't get the working directory with "pwd".

This solution should work with WU-ftpd (at least,
here it does).

0
 

Author Comment

by:ronbarak
ID: 1582190
Hi Case,
I followed your suggestions, but, though now telnet is regected for the ftpuser account, so is ftp. When the user tries to ftp he gets:

530 User ftpuser access denied.
Login failed.

Seems, that (on Dec Unix 3.2 at least) setting /sbin/nologin in the /etc/passwd file - blocks the user compleatly.

Ideas ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582191
Hi, Ronbarak,

sorry, my fault: to gain ftp access, the last
entry in /etc/passwd has to be a "valid" shell.

That means, this last entry has to meet at least
one and depending on the Un*x version, two points:

1st: the shell has to be kind of an executable
       file. "kind of": /dev/null isn't _that_
       executable, is it? :) So, if you don't
       have such a /some-path/nologin binary,
       simply use /dev/null.

2nd: try to "grep" for "bin/sh" in your /etc
       directory. Since I am not the Dec guru,
       I can only give you a hint that comes
       from SunOS/Solaris/BSD/Linux: There is
       a file called /etc/shells that lists
       all "valid" shells. If the shell field
       in /etc/passwd isn't in that file, user
       cannot telnet, ftp or the like ("access
       denied"). Check for this or something
       like that. Maybe a "man passwd" can tell
       you more.

Success!
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:ronbarak
ID: 1582192
Hi Case,
I added /usr/bin/Rsh as the user's shell (ant it is in /etc/shells). However, now the situation is much worse:
The user can telnet to the machine, but - get to "/" as it's home dir with the message:

No directory!
Logging in with home = "/".

and, when ftping, he cam move freely in the file system, and get whichever files are available.

Seems we're back to square one ?

Bye,
Ron.
0
 

Expert Comment

by:case051397
ID: 1582193
Are you using WU-ftpd?
0
 
LVL 4

Accepted Solution

by:
rembo earned 200 total points
ID: 1582194


I would recommend the approach of doing a chroot in the login
for anonymous ftp.  Create the directory structure in a
subdirectory, then do a chroot to the subdirectory and the
user will only be able to move around in there.

You can do one of two things.  You can specify a script
in the /etc/passwd file that does a chdir, a chroot and
then execs a shell or you can do it in the .login.  Obviously,
the passwd route is more secure.  This will restrict the
user to only working inside the area you've put him in.

-Tony


0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

30 Experts available now in Live!

Get 1:1 Help Now