How to restrict access for ftp users

Status
Not open for further replies.

mitchymartell (IS-IT--Management), Mar 23, 2001
I have a need for users to transfer files to an ftp server which is running AIX 4.1.5. I need to restrict their access to this server to only being able to copy files to a single directory. I definitely do not want them to be able to cd or shell out or run any of the basic UNIX commands except maybe ls. How do I restrict users' usage like this and also force them to enter login information to initiate their ftp session?
 


If I understood right, you can restrict access for the ftp user to that particular directory only. Maybe you can put the user in a group and give that group access to only that particular directory.

sendhil
 
You could probably set up anonymous ftp. This will restrict users to where you want them to go. (However, a power user may be able to find a way out.)

I have done it on a Sun system and have the steps I used, which might be useful as a guide for doing it on an AIX system.
 
I'm struggling with the same issue.

Per the O'Reilly book "Practical UNIX & Internet Security" pgs. 491-4, I've done the following:
1. User "acme" and group "acme".
2. Logins for acme are disallowed via "smit users".
3. ~acme - owner root:system, perms 550
4. ~acme/bin - owner root, perms. 111, contains a copy of /bin/ls
5. ~acme/etc - owner root, perms. 111, contains a copy of /etc/passwd with only root and acme's entries and /etc/group with only acme's entry.

But, when I ftp to the server and login as acme I can change to /etc and ftp the passwd file.

I want to set it up so the only thing acme can do is a put to ~acme. I'll run a script every 15 minutes to move any files acme puts there.

Any help would be appreciated!

Russell Zimmermann
EYT - LAWSON Development
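
An audit of the directory layout listed in steps 3 to 5 of the post above, as an added example that is not part of the original post or of the book it cites. The function names, arguments and the choice to parse `ls -ld` output are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit the restricted-ftp layout listed in the post above.
# check_ftp_home, owner_mode and their arguments are hypothetical names.

# Print "owner mode" for a path, e.g. "root dr-xr-x---". Parsing ls -ld
# avoids depending on a stat command; substr() drops any ACL marker.
owner_mode() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3, substr($1, 1, 10) }'
}

# check_ftp_home HOME FTPUSER [OWNER]: returns 0 when the layout matches.
check_ftp_home() {
    home=$1; user=$2; owner=${3:-root}; rc=0

    expect() {    # expect PATH MODE-STRING
        got=$(owner_mode "$1")
        if [ "$got" != "$owner $2" ]; then
            echo "FAIL $1: want '$owner $2', got '${got:-nothing}'"
            rc=1
        fi
    }
    expect "$home"     dr-xr-x---    # perms 550
    expect "$home/bin" d--x--x--x    # perms 111
    expect "$home/etc" d--x--x--x    # perms 111

    [ -x "$home/bin/ls" ] || { echo "FAIL $home/bin/ls: not executable"; rc=1; }

    # The passwd copy may name only root and the ftp account.
    pw=$home/etc/passwd
    if [ ! -r "$pw" ]; then
        echo "FAIL $pw: missing or unreadable"; rc=1
    else
        extra=$(awk -F: -v u="$user" 'NF && $1 != "root" && $1 != u { print $1 }' "$pw")
        [ -z "$extra" ] || { echo "FAIL $pw: unexpected entries:" $extra; rc=1; }
    fi
    return $rc
}

# Run as root on the server, e.g.:  check_ftp_home ~acme acme
```

A passing audit confirms only the files and modes. As the post reports, a regular login as acme can still change to /etc, because this layout confines a session only when the ftp daemon chroots it into the home directory.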
 
Two thoughts... set up a macro on the rs6000 to pull the file from the pc or other machine, or set up a macro for a transfer user that autologs in, grabs file and exits?

Or set up anonymous ftp:

/usr/samples/tcpip/anon.ftp
Contains the example shell script with which to set up an anonymous FTP account. This file also contains directions for its use.

Or nfs mount a directory only, and let users put their files there?
 
Setting up an anonymous ftp is a better idea...
 
Thanks for the input!

I've printed out /usr/samples/tcpip/anon.ftp and will review it and test it on a development server.

My concern about anonymous ftp is that confidential files will be put on a production server that is outside a firewall so I need to restrict who can connect via ftp and where they can put files.

I'm under the impression with anonymous ftp that anyone may use ftp to connect to the server and put any files in the public directory.

Is it possible to alter the configuration of anonymous ftp so that when Company A uses ftp to login they're stuck in a "CompanyAfiles" directory that they can't get out of and all they can do is puts and gets. And, then when Company B ftps to the server they're stuck in a "CompanyBfiles" directory, etc...?

Russell Zimmermann
EYT - LAWSON Development
 