Stopping an ftp user from roaming into other directories


jpor (Technical User), Nov 29, 2000
Hi All,

Apologies if this has already been brought up in another post. But the search facility is down and there is nothing I can see that would help in the FAQ.

I currently administer an AIX 4.3.3 UNIX box and have been asked to set up a new user to ftp onto the 4.3.3 box but only be able to access 2 directories and make changes in them. I have currently set up a new user and group and set the directories to the new credentials, set the perms to 700 and the home directory to the first directory, and disabled the remote and normal logins for telnet and terminal login. But I find that the login can still roam. I have investigated the file ftpaccess.ctl, but this looks like it's for use with AIX 5 onwards.

The other directory permissions are set to different users and groups. Any advice would be welcome.

Thanks in advance.


( "To become Wise, first you must ask Questions")
 
Create a file called ftpusers in the /etc dir
ex:

ftpusers
root
 
ctoman,

From what I can gather from the description in the man pages, this disallows ftp connections for users? Is that right?


( "To become Wise, first you must ask Questions")
 
Yes, you are correct.

If you get a solution let me know.

thanks!
 
Thanks CTOMAN. I think!?

Anyone else have any more ideas?


( "To become Wise, first you must ask Questions")
 
Hi Guys,

I don't know of any way, under AIX 4.3.3 using the AIX-provided ftpd server process, to chroot (lock to certain directories) an ftp account.

Some time ago I did have a similar requirement, which I handled via the use of WU-ftp.

I have also seen similar setups using ProFTPD.

You should be able to directory lock users using the chroot functions of either of these free ftp products.

Brgds.

____________________
Sometimes it pays to stay in bed on Monday, rather than spending the rest of the week debugging Monday's code.
 
Hi d3vzero.

Where did you get these from? Are they easy to set up?

Thanks.


( "To become Wise, first you must ask Questions")
 
Hi jpor,

Easy enough.

The following worked for me after extracting the WU-ftp tar archive and cd'ing into its directory.

Code:
./configure --enable-paranoid --disable-daemon --sbindir=/usr/local/sbin --datadir=/etc --mandir=/usr/local/man --exec-prefix=/usr/local --with-log-dir=/var/adm/ftp CFLAGS="-g -DAIX -D_LARGE_FILES"

make

make install

vi /etc/inetd.conf

        ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd ftpd -l -t600

                is now to be ...

        ftp     stream  tcp4    nowait  root    /usr/local/sbin/ftpd ftpd -l -t600 -a

refresh -s inetd

mkdir /var/adm/ftp

Now you just need to create your /etc/ftpaccess file and implement a chroot account within it.

All the Best ;-)

____________________
Sometimes it pays to stay in bed on Monday, rather than spending the rest of the week debugging Monday's code.
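The inetd.conf step above is the one that actually hands the ftp port to the new daemon, so it is worth doing with a guard rail. The following POSIX sh function is an added example (it is not from d3vzero's post or from the wu-ftpd project): it refuses to rewrite the ftp line unless the replacement ftpd binary really exists and is executable, keeps a `.bak` copy, forces the `tcp4` protocol as in the post, and verifies the rewritten line before you run `refresh -s inetd`. The file and binary paths are parameters, so it can be rehearsed on a copy of inetd.conf; the sample argument string `-l -t600 -a` is the one from the post.

```shell
#!/bin/sh
# Added example: swap the inetd ftp service line to a new ftpd binary,
# with a pre-check that the binary is in place. Pass a copy of inetd.conf
# to rehearse the change before touching the live file.
#
# usage: swap_inetd_ftpd /etc/inetd.conf /usr/local/sbin/ftpd "-l -t600 -a"

swap_inetd_ftpd() {
    conf=$1      # inetd.conf to edit
    newftpd=$2   # full path of the replacement ftpd
    args=$3      # arguments for the new daemon, e.g. "-l -t600 -a"

    # Refuse to point inetd at a daemon that is not there: inetd keeps the
    # line and every ftp connection simply fails.
    if [ ! -x "$newftpd" ]; then
        echo "error: $newftpd is not an executable file" >&2
        return 1
    fi

    # Exactly one active ftp service line is expected.
    count=$(grep -c '^ftp[[:space:]]' "$conf")
    if [ "$count" -ne 1 ]; then
        echo "error: expected one ftp line in $conf, found $count" >&2
        return 1
    fi

    # Keep a backup so the change can be reverted with a single cp.
    cp "$conf" "$conf.bak" || return 1

    # Rebuild the ftp line: keep service, socket type, wait flag and user,
    # set the protocol to tcp4, replace the daemon path and its arguments.
    awk -v d="$newftpd" -v a="$args" '
        /^ftp[[:space:]]/ {
            printf "%s\t%s\t%s\t%s\t%s\t%s\tftpd %s\n", $1, $2, "tcp4", $4, $5, d, a
            next
        }
        { print }
    ' "$conf.bak" > "$conf" || return 1

    # Verify the result before anyone runs "refresh -s inetd".
    grep -q "^ftp[[:space:]].*[[:space:]]$newftpd[[:space:]]ftpd $args\$" "$conf"
}
```

Running it against a copy first (`cp /etc/inetd.conf /tmp/inetd.conf; swap_inetd_ftpd /tmp/inetd.conf /usr/local/sbin/ftpd "-l -t600 -a"; diff /tmp/inetd.conf.bak /tmp/inetd.conf`) shows exactly the one-line change before it is applied for real.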
 
Thanks d3vzero. I have this installed now as per your instructions on a development server. One thing I had to do was copy over the ftpd program from the install directory to /usr/local/sbin. This allows me to connect.

Any chance in posting an example ftpaccess file?

Or explain how I can set up the following user to access only /dump_area/userin and /dump_area/userin/userout.

This is in AIX 4.3.3.

Thanks in advance.

( "To become Wise, first you must ask Questions")
 
Try using this example file to guide you.

Code:
# Start of Locked ftplck1 and ftplck2 User Account Definitions.

# Note: the following UserIDs should exist in the /etc/passwd file.
# ftplck1:!:2020:2020:FTP Inbound User1:/ftp/inbound1/./:/usr/local/bin/noshell
# ftplck2:!:2021:2021:FTP Inbound User2:/ftp/inbound2/./:/usr/local/bin/noshell

guestuser       ftplck1
guestuser       ftplck2

class   normal  real    *
class   lckusr1 guest   *
class   lckusr2 guest   *

defumask 077 lckusr1
defumask 077 lckusr2
defumask 022 normal

noretrieve class=lckusr1 /ftp/inbound1
noretrieve class=lckusr2 /ftp/inbound2
# End of Locked User Account Definitions.

# Define Locked down service for guest and anonymous accounts.
delete          no      guest,anonymous
overwrite       no      guest,anonymous
rename          no      guest,anonymous
chmod           no      guest,anonymous
umask           no      guest,anonymous

# Define normal service for normal accounts.
delete          yes     real
overwrite       yes     real
rename          yes     real
chmod           yes     real
umask           yes     real

# Define simultaneous session limits.
limit   lckusr1 10      Any     /etc/msgs/msg.dead
limit   lckusr2 10      Any     /etc/msgs/msg.dead
limit   normal  10      Any     /etc/msgs/msg.dead

# Set greeting to terse to meet security guidelines.
greeting terse

# Setup ftp motd message to meet security guidelines.
message /etc/motd.ftp            login
message .message                cwd=*

# Disable this extra wu-ftp functionality.
compress        no             lckusr1 lckusr2 normal
tar             no             lckusr1 lckusr2 normal

# Setup syslog logging to meet security guidelines.
log syslog
log commands real,guest
log transfers anonymous,guest,real inbound,outbound

shutdown /etc/shutmsg

# sysmail is a sendmail alias.
email sysmail

As well as setting up the accounts, you should also create a "/dev/null" device in their home dir (eg /ftp/inbound1/dev/null).

Code:
mkdir /ftp/inbound1/dev
cd /ftp/inbound1/dev
mknod null c 2 2

Enjoy ;-)

____________________
Sometimes it pays to stay in bed on Monday, rather than spending the rest of the week debugging Monday's code.
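The lock-down in the post above depends on two files agreeing: the passwd entry must carry the `/./` marker that wu-ftpd splits into chroot root and start directory, and ftpaccess must name the same account as `guestuser` (otherwise no chroot happens and the user roams exactly as in the original question). As an added example, not from d3vzero's post or from wu-ftpd itself, here is a POSIX sh audit function that reads an account's passwd entry and the ftpaccess file and reports each of those conditions, plus a non-interactive shell and the `delete`/`overwrite`/`rename`/`chmod`/`umask no` lines for guests. The file paths are parameters so it can run against copies; the shell list it treats as interactive is an assumption for AIX.

```shell
#!/bin/sh
# Added example: audit one wu-ftpd guest account against the passwd file and
# ftpaccess. Prints one line per check and returns the number of failed
# checks, so 0 means the account is locked down as the post describes.
#
# usage: audit_guest_account ftplck1 /etc/passwd /etc/ftpaccess

audit_guest_account() {
    user=$1
    passwd=$2
    ftpaccess=$3
    fails=0

    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "FAIL: $user has no entry in $passwd"
        return 1
    fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # wu-ftpd splits the home field at "/./": the part before it becomes the
    # chroot root, the part after it the starting directory. Without the
    # marker the guest lands in the real filesystem root.
    case $home in
        */./*) echo "ok:   home '$home' carries the /./ chroot marker" ;;
        *)     echo "FAIL: home '$home' lacks the /./ chroot marker"; fails=$((fails + 1)) ;;
    esac

    # The account must not double as an interactive login (assumed AIX shells).
    case $shell in
        ""|/bin/sh|/bin/ksh|/bin/csh|/bin/bsh|/usr/bin/sh|/usr/bin/ksh|/usr/bin/csh|/usr/bin/bsh)
            echo "FAIL: shell '$shell' allows an interactive login"; fails=$((fails + 1)) ;;
        *)  echo "ok:   shell '$shell' is not an interactive shell" ;;
    esac

    # ftpaccess must list the user on a guestuser line, or no chroot is applied.
    if awk -v u="$user" '$1 == "guestuser" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
                          END { exit !found }' "$ftpaccess"; then
        echo "ok:   $user is listed as guestuser in $ftpaccess"
    else
        echo "FAIL: $user is not listed as guestuser in $ftpaccess"; fails=$((fails + 1))
    fi

    # Destructive commands should be switched off for the guest type.
    for cmd in delete overwrite rename chmod umask; do
        if awk -v c="$cmd" '$1 == c && $2 == "no" && $3 ~ /(^|,)guest(,|$)/ { found = 1 }
                            END { exit !found }' "$ftpaccess"; then
            echo "ok:   $cmd is disabled for guests"
        else
            echo "FAIL: $cmd is not disabled for guests"; fails=$((fails + 1))
        fi
    done

    return "$fails"
}
```

Run it once per locked account after editing the files; a non-zero return lists exactly which of the two files still disagrees with the intended setup.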
 
Thanks d3vzero. Will have a go.


( "To become Wise, first you must ask Questions")
 