SUMMARY: FTP question, don't want customers to be able to traverse dirs

From: Sean Harvey (SHarvey@quests.com)
Date: Thu Apr 15 1999 - 11:18:38 CDT


ORIGINAL QUERY:

Dear friends,

> I want to give selected customers ftp access to our system using one of 5
> different accounts. I don't want anonymous ftp. When they log in I don't
> want them to be able to see anything above the home directory for that
> account, similar to the way web pages work. Is this easy to do? It seems
> basic but I can't figure it out. Can someone please give me a shove in
> the right direction? I've already read the sunmanager FAQ and man ftpd.
> Your wisdom will be greatly appreciated.

Sean

-----------------------------------------------

Thanks for all the replies, too numerous for individual acks. Majority
opinion is to install wu-ftpd. I have included some interesting replies for
the benefit of anyone interested in this topic. If you want to do this with
the standard release Solaris ftpd, check out Roop's detailed explanation of
using sub-logins!

Sean

-----------------------------------------------

ftp server from WUSTL (or almost any ftp server) will do this...

Basically, there are three types of ftp logins:

1. "regular" ftp login, i.e. "I have a Unix login on the box,
   and I ftp to that box using my Unix login/passwd"

2. anonymous ftp - self explanatory

3. "guest" ftp login, and that's the type you are looking for.
   It uses chroot (so that they can't go beyond their "home").

Read more about this:

http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html

-----------------------------------------------

i installed wu-ftpd.

then:

create user accounts

on solaris, passwd file entry looks like this:

username:x:UID:GID:Description:/var/spool/ftp/dist/XXXX/./username:/bin/csh

the '.' says they can't go above that point.

then you add username to group1 in group file.

then you chown /var/spool/ftp/dist/XXXX to someone else (administrator),
chgrp it to group1.

then you chmod /var/spool/ftp/dist/XXXX to 710.

chown ~username to username, chgrp it to group2.

chmod 770 ~username.

the administrator should be in group group2.

make sure to create the correct dev/ usr/ etc. files/directories under
/var/spool/ftp/dist/XXXX.

hope that helps,
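A script version of the layout this reply describes, added here as an example and not part of the original thread or of wu-ftpd itself: it creates the shared dist directory and one customer directory with the 710/770 modes and group ownerships given above, prints the passwd entry with the '/./' marker, and adds two checks an administrator can run over existing entries (whether a home field carries the marker at all, and which directory the marker turns into the chroot root). The function names, the 'ftp customer' description text and the use of find -perm as a portable mode check are my own choices; the administrator user and the two groups are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): lay out a wu-ftpd guest account tree
# and check it. DIST stands in for /var/spool/ftp/dist/XXXX. Real use runs
# as root; unprivileged, chown only succeeds when the target is yourself.

# make_guest_tree DIST USERNAME ADMIN GROUP1 GROUP2
# DIST becomes admin-owned, group1, 710; DIST/USERNAME user-owned, group2, 770.
make_guest_tree() {
    dist=$1; user=$2; admin=$3; group1=$4; group2=$5
    mkdir -p "$dist/$user"
    # 710: group1 members may pass through the shared parent but not list it
    chown "$admin" "$dist" && chgrp "$group1" "$dist" && chmod 710 "$dist"
    # 770: the customer and the administrator (a group2 member) get full access
    chown "$user" "$dist/$user" && chgrp "$group2" "$dist/$user" && chmod 770 "$dist/$user"
    # the chroot needs its own dev/, etc/, usr/ skeleton (contents are release-specific)
    mkdir -p "$dist/dev" "$dist/etc" "$dist/usr/bin"
}

# passwd_entry USERNAME UID GID DIST -> prints the passwd line with the '/./' marker
passwd_entry() {
    printf '%s:x:%s:%s:ftp customer:%s/./%s:/bin/csh\n' "$1" "$2" "$3" "$4" "$1"
}

# has_chroot_marker PASSWD_LINE -> true when the home field contains '/./'
# (an account without it is NOT confined by wu-ftpd's guest mechanism)
has_chroot_marker() {
    case $(printf '%s\n' "$1" | cut -d: -f6) in
        */./*) return 0 ;;
        *) return 1 ;;
    esac
}

# chroot_root_of PASSWD_LINE -> prints the directory before '/./', which is
# the chroot root; without a marker the whole home is printed unchanged
chroot_root_of() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    printf '%s\n' "${home%%/./*}"
}

# mode_is PATH MODE -> true if PATH has exactly the octal MODE (find -perm is portable)
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}
```

Run make_guest_tree as root on the real box; has_chroot_marker and chroot_root_of need no privilege, so they can be looped over the live passwd file to list the accounts that lack a '/./' marker and are therefore not confined.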

-----------------------------------------------

Sean,

You can use anonymous with sub-logins, where only the user who knows the
password for his account will see his files and others cannot see them, and
his will be the top-most directory when he logs in.

For this you have to first log in to anonymous with an email ID and again type
the username and the corresponding password to go to his directory.

The below is the way you configure the same:

----------------------------------------------------------------------------

How to Setup Anonymous FTP sub-logins for Solaris 2.5 and 2.5.1

NOTE: Sub-logins for FTP work under Solaris 2.x ONLY!

Anonymous FTP sub-logins:

- Anonymous ftp sub-logins allow you to configure an anonymous FTP
  server, and customize it for different users.

- You can give each user their own home directory and set permissions
  on each home directory so that others can't see or transfer files
  from within them.

- Sub-logins will prevent all users from going beyond the directory
  hierarchy of /export/ftp because anonymous FTP uses the chroot function.

- The user is required to log in twice: once as anonymous and again as
  themselves using the "user" command from the FTP prompt.

An example of an Anonymous FTP sub-login:

kakata% ftp kakata
Connected to kakata.
220 kakata FTP server (UNIX(r) System V Release 4.0) ready.
Name (kakata:kimr): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> user precious
331 Password required for precious.
Password:
230 User precious logged in.
ftp> pwd
257 "/precious" is current directory.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (129.151.21.49,41058) (0 bytes).
226 ASCII Transfer complete.
ftp>

To Set Up Sub-logins with anonymous FTP:

1. Set up anonymous FTP as you normally would.

Note: For the following examples, it is assumed that anonymous ftp is
set up in the /export/ftp directory.

2. Add the user to the /export/ftp/etc/passwd file.

Example:

test3:x:30001:30001:ftp sub-login user:/precious:/bin/false

Note: the home directory is listed as /precious and the shell is
/bin/false (a bogus shell name). If you are using /bin/false as a shell,
remember that it needs to be listed in /export/ftp/etc/shells.

3. Also, add the user to the local /etc/passwd file.

Note: This is necessary for Solaris 2.5, 2.5.1 and 2.6 because the
in.ftpd daemon gets the home directory, uid, and shell from the
/etc/passwd or passwd database.

4. Create the home directory for the user in /export/ftp with appropriate
permissions.

Note: Keep in mind that even though the home directory will be in the
/export/ftp directory, as far as ftp knows, /export/ftp is really '/'.
Therefore, the home directory should be listed as /precious in the
/export/ftp/etc/passwd file, but it will really live at
/export/ftp/precious.

Example:

mkdir /export/ftp/precious
chown precious /export/ftp/precious
chmod 755 /export/ftp/precious

5. Create/Edit the /export/ftp/etc/shadow file and add the shadow entry with
the encrypted password (you can copy it from the /etc/shadow file).

Note: If you are running 2.3 or greater, you MUST have the encrypted passwd
in the shadow file instead of the "x" in the password field.

Example of /export/ftp/etc/shadow entry:

precious:LrxyzVVab2c:9561:::::

6. Change the permissions on the ftp/shadow file to 400 and change the owner
on the file to root if it isn't already.

Example:

chmod 400 /export/ftp/etc/shadow
chown root /export/ftp/etc/shadow

7. Create a /export/ftp/etc/shells file and add the shell specified in the
/export/ftp/etc/passwd file.

Example:

/bin/false

Note: Use a non-standard shell so that the user will not be able to log in
as a regular user.

8. Copy the following security libraries:

cd /export/ftp
mkdir -p usr/lib/security
cp /usr/lib/security/pam_entry.so usr/lib/security/pam_entry.so
mkdir -p etc/lib
cp /etc/lib/pam_entry.so etc/lib/pam_entry.so

----------------------------------------------------------------------------

This should do it!

Warm Regards

ROOP KUMAR S S
Microland, India
email : roop@microland.co.in
Tel : 91-80-5710101 / 0203 / 1102 / 1104
Fax: 91-80-5710566
url : www.microland.net
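The same procedure as a script, added here as an example rather than Roop's or Sun's own code: add_sublogin writes the chroot copies of passwd, shadow and shells from steps 2, 5, 6 and 7 and creates the 755 home directory of step 4, and audit_sublogins rechecks the result the way you would before opening the service (shadow mode 400, every home absolute, free of '..' and present under the chroot, every shell listed in the chroot's etc/shells, and a real hash rather than 'x' in the chroot shadow). ROOT stands in for /export/ftp, the hash used in the comments and test is the sample value from the reply, and the function names are my own; the release-specific PAM copies of step 8 and the chown root on the shadow file are left to the administrator.

```shell
#!/bin/sh
# Added example (not from the thread): build and audit the chroot tree for an
# in.ftpd sub-login. ROOT stands in for /export/ftp. Run as root on a real box
# so the chown calls succeed; the audit itself needs no privilege.

# add_sublogin ROOT USER UID GID HASH
add_sublogin() {
    root=$1; user=$2; uid=$3; gid=$4; hash=$5
    mkdir -p "$root/etc" "$root/$user"
    # step 2: home is '/USER' as seen from inside the chroot, shell is a bogus one
    printf '%s:x:%s:%s:ftp sub-login user:/%s:/bin/false\n' "$user" "$uid" "$gid" "$user" >> "$root/etc/passwd"
    # step 4: home dir 755, owned by the user (needs the account to exist already)
    chmod 755 "$root/$user"
    chown "$user" "$root/$user" 2>/dev/null || echo "note: chown $user skipped, create the account and rerun as root"
    # steps 5 and 6: real hash in the chroot shadow, file mode 400 (reopened for append)
    if [ -f "$root/etc/shadow" ]; then chmod 600 "$root/etc/shadow"; fi
    printf '%s:%s:9561:::::\n' "$user" "$hash" >> "$root/etc/shadow"
    chmod 400 "$root/etc/shadow"
    # step 7: the shell must be listed in the chroot's own shells file
    grep -qx /bin/false "$root/etc/shells" 2>/dev/null || echo /bin/false >> "$root/etc/shells"
}

# audit_sublogins ROOT -> prints one problem per line, returns 1 if any were found
audit_sublogins() {
    root=$1; bad=0
    [ -n "$(find "$root/etc/shadow" -prune -perm 400 -print 2>/dev/null)" ] \
        || { echo "etc/shadow is not mode 400"; bad=1; }
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        # the home must be absolute and free of '..' so it cannot resolve outside ROOT
        case $home in
            /*) ;;
            *) echo "$user: home '$home' is not absolute"; bad=1 ;;
        esac
        case $home in
            */../*|*/..) echo "$user: home '$home' contains '..'"; bad=1 ;;
        esac
        [ -d "$root$home" ] || { echo "$user: $root$home does not exist"; bad=1; }
        grep -qx "$shell" "$root/etc/shells" 2>/dev/null \
            || { echo "$user: shell $shell not listed in etc/shells"; bad=1; }
        # the chroot shadow must carry a real hash, not the 'x' placeholder
        h=$(grep "^$user:" "$root/etc/shadow" 2>/dev/null | cut -d: -f2)
        [ -n "$h" ] && [ "$h" != x ] || { echo "$user: no usable hash in etc/shadow"; bad=1; }
    done < "$root/etc/passwd"
    return $bad
}
```

The audit reads the chroot's passwd, not the system one, because that is the file in.ftpd consults after the chroot; an entry that is correct in /etc/passwd but missing or malformed in /export/ftp/etc/passwd is exactly the failure this catches.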

-----------------------------------------------

In their "home" dir in passwd, put a "." where you want them to see as root
dir, i.e.

/export/home/custs/quests/./

would prevent you from going above that dir... i.e. your home dir.

This assumes you're using wu-ftpd... don't know if it works on regular ftpd.

-----------------------------------------------

You can use the wu-ftpd Solaris package that I made. It is
available from the URL in my signature.

Michael Wang
http://www.mindspring.com/~mwang

-----------------------------------------------

Hi,

If you visit http://metalab.unc.edu/pub/packages/solaris/sparc/ and
get the proftpd package for your Solaris release then you will find
it's relatively simple to accomplish what you need. We do similar
things here:

<Anonymous /apps/service/red/ftp>
  User redadmin
  Group service
  Umask 002
  AllowOverwrite on
  AnonRequirePassword on
  <Limit READ WRITE DIRS>
    AllowAll
  </Limit>
</Anonymous>

The above limits redadmin to that directory but lets them have full upload
and download capabilities. The redadmin user exists in /etc/passwd with a
shell of /bin/ftponly (cp /bin/true /bin/ftponly). Make sure /bin/ftponly
is in /etc/shells.

Proftpd will do buckets more if you have weird needs. My users do,
unfortunately :).

-----------------------------------------------

ftp://ftp.vr.net/pub/wu-ftpd/

wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/

wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html

wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/

Sounds exactly like the "guestgroup" feature implemented in wu-ftpd
(the *W*ashington *U*niversity's *ftp* *d*aemon). Basically a (Unix)
group whose members will have passwords like normal ftp users, but
will be chroot()ed like "anonymous".

Regards,

J. Bern

-----------------------------------------------

This can be done using an anonymous ftp server we use called proftpd.

http://www.proftpd.org

It is immensely configurable, and can be set up to allow those 5 users
access to only a certain directory.

Example: user1 logs in and is placed in the directory /ftp/private. This
user can only see files in this directory, and can only traverse
directories inside /ftp/private.

It's a great ftp daemon.

Lee

-----------------------------------------------

I use ncFTPd for that, look at their site, it works GREAT, it does exactly
what you need.

http://www.ncftpd.com

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:18 CDT