
Limit FTP access

Feb 20, 2002
Hi

We have a Netra T1 Sun Solaris. We have some users accessing FTP on this machine. Is there a way to stop them at a set level of the tree, i.e. their FTP home directory is /home/bob and I would really like Bob to not go any further down the tree than /home/bob? Currently you can back all the way to root and then into directories like /etc. They can't do any harm in the directories, but I would rather they not be able to see them.

Thanks, Simon
 
I believe you could use groups to accomplish this. Just change the group permissions for the directories that you don't want bob to see. He would then get a "permission denied" error when trying to cd into lower level directories. Add valid users to a group that has access to the lower level directories.
Robert G. Jordan
Unix Sys Admin
Sleepy Hollow, Illinois U.S.A.
 
One way to solve this problem is:

give the user a restricted shell (for example /usr/lib/rsh; this is not the same as the remote shell /usr/bin/rsh).

Then you have to create a file /etc/shells (if it does not exist yet) where you have to put in every login shell with which "ftp" is allowed (i.e. if the user with the restricted shell is the only ftp user then the only entry is: /usr/lib/rsh. If you have another user with the Korn shell as login shell and this user should be able to "ftp" then you have to add the Korn shell as well).

In addition if you want to give the user some rights in his home dir (in this example I want that the user is able to do a "ls" command), then you can do the following:

$ mkdir /usr/rbin
$ cd /usr/rbin; ln -s /usr/bin/ls ls
Then insert the following in the user's .profile:
PATH=/usr/rbin

I hope that is the answer to your question

mrjazz
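The restricted-shell setup in the answer above, as an added example that is not part of the original post. It rehearses the steps (register the login shell in /etc/shells, create /usr/rbin holding only symlinks to the permitted commands, point the user's PATH at it) under a prefix directory so they can be checked before being applied to the live system; running with PREFIX=/ reproduces the real paths. The function names and the prefix layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): build the restricted-shell layout
# described above under a prefix directory so it can be rehearsed without
# touching the live system. PREFIX=/ reproduces the real paths.

# Append SHELL to an /etc/shells-style file only if it is not already listed,
# so repeated runs do not duplicate entries.
ensure_shell_entry() {
    shells_file=$1
    shell=$2
    [ -f "$shells_file" ] || : > "$shells_file"
    if grep -qx "$shell" "$shells_file"; then
        return 0
    fi
    printf '%s\n' "$shell" >> "$shells_file"
}

# Create PREFIX/usr/rbin holding only symlinks to the commands the restricted
# user may run, create the user's home, and write a .profile whose PATH is
# that directory alone (so nothing outside /usr/rbin can be executed by name).
setup_restricted_home() {
    prefix=$1
    home=$2
    shift 2
    rbin="$prefix/usr/rbin"
    mkdir -p "$rbin" "$prefix$home"
    for cmd in "$@"; do
        ln -sf "/usr/bin/$cmd" "$rbin/$cmd"
    done
    printf 'PATH=/usr/rbin\nexport PATH\n' > "$prefix$home/.profile"
}

# Number of commands the restricted user can reach through /usr/rbin.
count_allowed_commands() {
    ls "$1/usr/rbin" | wc -l | tr -d ' '
}

# Usage (rehearsal under a temporary prefix; use / for the real system):
# ensure_shell_entry "$PREFIX/etc/shells" /usr/lib/rsh
# setup_restricted_home "$PREFIX" /home/bob ls
```

The restricted shell only limits what the user can run as a login shell; it does not by itself confine ftpd, so keeping /usr/rbin to the minimum set of commands matters as much as the /etc/shells entry.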
 
One further remark which I forgot earlier: [dazed]

Why the restricted shell?

It does not allow you to do a "cd .." any more.

And I think that is what you don't want the user to do.
 
Hi

Ta for the info, but I have the following points.

If I changed the group rights, I would need to change every right on the whole machine? That sounds like I may cause myself more trouble!! I may have this wrong, but if I used

chmod -R 770 /

as root

I am going to change every directory on the whole machine so that only root or root's group can see the directories; it just seems a bit harsh.

The shell bit: the user has 2 directories, in & out, as they need to pick up data and drop it back in when processed, so unless I create 2 separate users I would require the cd command.

Simon
 
Why do you want to do a recursive chmod from / ?
You are getting into big trouble if you do so (as a non-root user you basically can't do anything any more after that!).

Can't you create two directories under the ftp user's home dir (in, out)? Then you don't need two separate users.

mrjazz
 
I don't want to; that was my point. What I was saying was that to stop the user cd'ing back, changing all the rights on the machine would require that chmod command.

I have set up /home with /home/in & /home/out, and currently I have a single user that can move between both directories. But if I use the restricted shell as recommended above, then how could the user change between the in & out directories??

Simon
 
The solution could be the following:

give the ftp user the possibility to execute a "cp" command. Then after the files have been processed he can "cp" the files in the "out" directory. Or does this user have to "cd" in the "out" dir as well (then we've got a problem...)?
 
Well, funny as it goes, this machine is not one of our many Suns; it turns out to be a Linux box. You know what it's like with TELNET, it all looks much the same. Anyway, I checked one of our Suns and it does not have the ftpaccess file, but Linux has it. In that file you add guestgroup <user group>, then you add to the passwd file this

<user>:<password>:/home/bob/./:<bash bit>

The /./ makes the user's root /bob; they then cannot go lower than bob. Works really well, but it uses guest rights so you have to amend them in the ftpaccess file. The only problem is when you connect with an FTP client rather than DOS you don't see any files, even with passive on. I will go and post this error in the Linux forum.

Thanks for all your help.

Simon
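The /./ convention from Simon's final post, as an added example that is not part of the thread: a small POSIX shell script that shows what the marker in the passwd home field means (the part before /./ becomes the FTP root, the part after is the home inside that root) and audits a passwd file for FTP accounts whose home lacks the marker, so a user who would still see the whole tree is caught before they log in. The sample passwd lines are constructed for illustration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the "/./" chroot marker in a
# passwd home field and audit a passwd file for FTP accounts without it.
# Sample passwd lines are constructed for illustration only.

SAMPLE_PASSWD='bob:x:1001:100:FTP user bob:/home/bob/./:/bin/bash
alice:x:1002:100:FTP user alice:/home/alice:/bin/bash
carol:x:1003:100:FTP user carol:/srv/ftp/./carol:/bin/bash'

# Print "chroot_root home_inside_chroot" for one home field.
# Without the marker the FTP root is "/" and the user can browse the whole tree.
split_ftp_home() {
    case $1 in
        */./*)
            root=${1%%/./*}     # text before the first "/./"
            inside=${1#*/./}    # text after it, relative to the new root
            [ -n "$root" ] || root=/
            printf '%s /%s\n' "$root" "$inside"
            ;;
        *)
            printf '/ %s\n' "$1"
            ;;
    esac
}

# List users in a passwd file (arg 1) whose home field has no "/./" marker.
users_without_chroot() {
    awk -F: 'index($6, "/./") == 0 { print $1 }' "$1"
}

# Usage: run the audit over the constructed sample instead of /etc/passwd.
# printf '%s\n' "$SAMPLE_PASSWD" > /tmp/passwd.sample
# users_without_chroot /tmp/passwd.sample     # prints: alice
```

In the sample, bob's root becomes /home/bob with his home at / inside it, carol's root is /srv/ftp with home /carol, and alice has no marker and would be reported by the audit. Because a chrooted guest account can only run binaries that exist inside the new root, an empty listing like the one Simon describes is commonly a sign that no ls is available under the chroot, which is worth checking before changing client settings.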
 