I have been researching the FTP logins and using anonymous logins for
FTP transfers, but I have been having a bit of trouble getting a
non-anonymous FTP login working properly so that the user cannot simply
cd to another directory out of their directory tree and see files
there.
When I use the anonymous user, it issues the chroot to keep the user
pinned in a particular directory tree. I tried to use the
/etc/ftpaccess.ctl file to add another user called "privxfer" but it
does not seem to handle the chroot properly. When I am in the account,
I can cd up and see all users in the /home directory. (Maybe my
permissions on the dirs are wrong?)
What I am trying to accomplish (using standard AIX FTP, not a freeware
or add-on) is to see if I can create a login for a user that needs a
password (not anonymous) which cannot migrate up from the starting
directory I give them. They can read or write files all they want
within that structure, just not let them go anywhere else.
I saw an option for /etc/ftpchroot file on another UNIX flavor, but it
seems AIX does not support this, or am I just not using it right?
If anyone has some sample setups for this type of setup, it would be
appreciated. This is mostly for my own knowledge as I can certainly go
get wu_ftp or some other product, but want to see how IBM's software
would handle it on its own.
Thx.
Steve
A user with a local user account and password should be able to see
what he/she is allowed if using local login.
>
> When I use the anonymous user, it issues the chroot to keep the user
> pinned in a particular directory tree. I tried to use the
> /etc/ftpaccess.ctl file to add another user called "privxfer" but it
> does not seem to handle the chroot properly. When I am in the account,
> I can cd up and see all users in the /home directory. (Maybe my
> permissions on the dirs are wrong?)
From IBM:
Security Concerns with Anonymous FTP:
When creating anonymous ftp users and directories please be sure that
the home directory for users ftp, anonymous (ie. /home/ftp) and any
-->->>> defined users from /etc/ftpaccess.ctl <<<<<----
is owned by root and does not allow write permissions (ie. dr-xr-xr-x). The
script /usr/lpp/tcpip/samples/anon.ftp can be used to create the
user ftp accounts, files and directories. The script
/usr/lpp/tcpip/samples/anon.users.ftp can be used to create the
defined anonymous (from /etc/ftpaccess.ctl) user accounts, files
and directories.
You might like to read
http://www16.boulder.ibm.com/pseries/en_US/cmds/aixcmds2/ftpd.htm to
set up an anonymous user which has a local account. But the password
will not be used.
>
> What I am trying to accomplish (using standard AIX FTP, not a freeware
> or add-on) is to see if I can create a login for a user that needs a
> password (not anonymous) which cannot migrate up from the starting
> directory I give them. They can read or write files all they want
> within that structure, just not let them go anywhere else.
Have you been fiddling with the readline, writeline .. within the
ftpaccess.ctl? (Without using the userline of course)
>
> I saw an option for /etc/ftpchroot file on another UNIX flavor, but it
> seems AIX does not support this, or am I just not using it right?
I have never heard of something like an ftpchroot file on AIX
hth
Hajo
Yes, I already tried what you suggested and it did not seem to work.
Here is what I did so far:
Ran the /usr/samples/tcpip/anon.ftp to create a user "anonymou" and
"ftp". When I login as anonymous, I get the normal behaviour from an
anonymous login...in other words you are stuck in the directory it gave
you and won't allow you to "cd .." up to a higher level. Here is an
example:
--------------------------------------------
ftp ftptest
Connected to ftptest.sample.com.
220 ftptest FTP server (Version 4.1 Sat Sep 7 14:31:53 CDT 2002) ready.
Name (ftptest:root): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
150 Opening data connection for ..
.profile
bin
etc
pub
lib
dev
usr
226 Transfer complete.
ftp> cd ..
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening data connection for ..
.profile
bin
etc
pub
lib
dev
usr
226 Transfer complete.
--------------------------------------------
Next, I created a user called "privxfer" and tried to set up the same
way as ftp or anonymous, but the restrictions did not apply because this
is a standard user, not a special anonymous user. I was able to use
"cd .." and move up one directory and ls to see other users' home
directories.
I then created the /etc/ftpaccess.ctl file to try and tell AIX that the
user "privxfer" is actually a password-protected anonymous user. Again
logged in and same scenario occurred: could cd.. up one and see
directories I don't want people to see.
Went back in and edited the /etc/ftpaccess.ctl to add the readwrite:
entry. According to ftpd man pages "...If a readwrite: line is
specified, only directories listed in the readwrite: line and/or listed
in the readonly: line are granted access for reading, AND only
directories listed in the readwrite: line and/or listed in the
writeonly: line are granted access for writing..."
So here is my ftpaccess.ctl contents:
puseronly:privxfer
motd:off
readwrite:/home/privxfer
As suggested, I created the subdirectories of bin, etc, and pub just
like in the anonymous ftp home directory, with just ls command set to
chmod 111.
After all this, I tried again and sure enough still had the ability to
cd up one directory and see other home directories. See below:
--------------------------------------------
ftp ftptest
Connected to ftptest.sample.com.
220 ftptest FTP server (Version 4.1 Sat Sep 7 14:31:53 CDT 2002) ready.
Name (ftptest:root): privxfer
331 Password required for privxfer.
Password:
230-Last unsuccessful login: Tue Mar 7 13:46:32 EST 2006 on /dev/pts/1
from myhost.sample.com
230-Last login: Tue Mar 7 13:58:35 EST 2006 on ftp from
myhost.sample.com
230 User privxfer logged in.
ftp> ls
200 PORT command successful.
150 Opening data connection for ..
.profile
.sh_history
bin
etc
pub
lib
dev
usr
226 Transfer complete.
ftp> cd ..
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening data connection for ..
lost+found
test
reguser
admuser
ftp
test1
test2
test5
test6
root
privxfer
anonymou
226 Transfer complete.
ftp> quit
221 Goodbye.
--------------------------------------------
These are my permissions for the parent directories to reach the
privxfer user:
drwxr-xr-x 33 root system 1024 Mar 07 13:40 /
drwxr-sr-x 44 bin bin 1024 Mar 07 13:43 /home
dr-xr-sr-x 8 root staff 512 Mar 07 11:35 /home/ftp
dr-xr-xr-x 8 root staff 512 Mar 07 14:00 /home/privxfer
oslevel
5.1.0.0
Anyway, gonna keep messing around and see what can be accomplished.
Will let you know if I get anything working as it seems this question
has been asked a few times before in the AIX groups but I have not seen
a suitable answer yet. Most people just said "...why don't you just use
a third-party product like wu_ftp?" Unfortunately, to me that does not
really answer the issue, since there should be way to do this properly
native to AIX, especially now that IBM is trying to meet POSIX and
LINUX standards in AIX 5L.
Steve
[...]
> If anyone has some sample setups for this type of setup, it
> would be appreciated. This is mostly for my own knowledge as I
> can certainly go get wu_ftp or some other product, but want to
> see how IBM's software would handle it on its own.
The standard FTP daemon provides only the "plain vanilla"
implementation of FTP. This is true for other UNIX flavours as
well. A normal shell account is able to see the contents
of /home, /etc or anything else he can chdir to. Standard FTP
behaves the same way for non-anonymous logins. So if you want
fancy features like chroot, then, as you say, replace the
standard FTP daemon by an alternative (wu_ftp, proftpd, ...).
Dmitri
I did a test on our AIX 5.1 system. What I could see (using truss on
the ftpd process) is that the ftpd did not use the
/etc/ftpaccess.ctl file. Could it be that this file is only used from
AIX 5.2 and afterwards?
cu
Hajo
I just tested it on AIX 5.2 ML1 and it did the same thing for me. The
/etc/ftpaccess.ctl does not seem to be used at all. I tried with 644
and 600 settings just in case it behaves like the .netrc file or
hosts.equiv, but no luck.
I guess this is why everyone uses the wu_ftpd or proftpd - lol
Steve
Set up the file with the line below:
readwrite:/home/ftp
With this in place and no other lines, the FTP service will return
errors if you try to use mput to drop a file onto the system in any
folder other than /home/ftp. However, you can still cd around to
different directories and ls to show the directory contents. The
readwrite: line only affects the get and put operations. I have to
learn to rtf man pages....
You can create a user (normal user) and make his shell /bin/rsh.
Make his home directory owned by the id, which normally will be,
and anything outside that directory change the permission so that he
cannot even view it.
Make it owned by root. So he won't be able to do cd. This to some
extent will provide the functionality which you need.
Let me know if that is successful or not.
I tried something similar to that but in my case I am not allowed to
change the parent directory permissions.
- I created a directory called /ftp with permissions 511 and owner
root:system
- Next, created a user "ftpuser" as member and set home directory to
/ftp/ftpuser, shell=/usr/bin/Rsh,
- Used the structure from anonymous user to put the bin, lib, pub
directories in place with correct permissions.
When I tried to access, I got in and when I did the " cd .. " I did an
ls and I saw no files. This would have been fine for me - let them
access the directories but not see filenames. However, the minute you
go to root (/) or into a directory like /etc or /tmp you can see files
again since these do not have the restricted 511 permissions.
Changing the settings all over the system may work if all you are doing
is using it for these FTP setups, but there are some third-party
products and relational databases on our production system where we
wanted to use FTP, and I am concerned that the wrong permission
settings will cause problems with these products.
So it appears that we will just go ahead and check out wu_ftp or
proftpd. Thanks all for the suggestions.
Steve
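The two observations in this thread (the `ls -ld` listing of `/`, `/home` and the privxfer home posted earlier, and the 511-permission `/ftp` parent tried here) both come down to whether the directories above the FTP home are listable or writable by "other", and whether the home itself matches IBM's root-owned, dr-xr-xr-x recommendation. The following audit script is an added example, not code from the thread or from IBM; it parses `ls -ld` lines (the four lines quoted in the thread are embedded as constructed sample input), walks the chain from `/` down to a given home, and reports each directory that would let a logged-in FTP user `cd ..` and `ls` its contents or drop files into it. The finding codes and `stat_chain` helper (which builds the same input from a live filesystem) are this example's own names.

```python
"""Audit the permission chain above an FTP user's home directory.

Added example (not from the thread or from IBM): given `ls -ld` output for
each directory from / down to the FTP home, report ancestors that 'other'
can list (so `cd ..` followed by `ls` shows sibling home directories),
ancestors writable by others, and an FTP home that is not root-owned or
carries write bits, contrary to IBM's dr-xr-xr-x recommendation for
users defined in /etc/ftpaccess.ctl.
"""
import os
import stat

# Constructed input: the four `ls -ld` lines quoted in the thread.
SAMPLE_LS = """\
drwxr-xr-x 33 root system 1024 Mar 07 13:40 /
drwxr-sr-x 44 bin bin 1024 Mar 07 13:43 /home
dr-xr-sr-x 8 root staff 512 Mar 07 11:35 /home/ftp
dr-xr-xr-x 8 root staff 512 Mar 07 14:00 /home/privxfer
"""

# Finding codes (this example's own names) and what each means to an FTP login.
MESSAGES = {
    "listable-by-others": "readable by 'other': an FTP user who does 'cd ..' can 'ls' it",
    "writable-by-others": "writable by 'other': any FTP user can create files here",
    "home-not-root-owned": "FTP home is not owned by root (IBM recommends root, dr-xr-xr-x)",
    "home-writable": "FTP home carries write bits (IBM recommends dr-xr-xr-x)",
}


def parse_ls_output(text):
    """Map path -> (mode string, owner) from `ls -ld` lines; the path is the last field."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        entries[os.path.normpath(fields[-1])] = (fields[0], fields[2])
    return entries


def triplet(chars):
    """(read, write, exec) flags for one rwx triplet; 's'/'t' mean exec plus setgid/sticky."""
    return chars[0] == "r", chars[1] == "w", chars[2] in "xst"


def chain_of(home):
    """Every directory from / down to home, e.g. ['/', '/home', '/home/privxfer']."""
    path = os.path.normpath(home)
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return list(reversed(chain))


def audit_chain(entries, home):
    """Return (path, finding-code) pairs for the chain above `home`, in path order."""
    findings = []
    chain = chain_of(home)
    for path in chain:
        if path not in entries:
            continue  # no listing supplied for this directory; nothing to check
        mode, owner = entries[path]
        _, u_w, _ = triplet(mode[1:4])
        _, g_w, _ = triplet(mode[4:7])
        o_r, o_w, _ = triplet(mode[7:10])
        if path == chain[-1]:
            # The FTP home itself: IBM's guidance is root-owned with no write bits.
            if owner != "root":
                findings.append((path, "home-not-root-owned"))
            if u_w or g_w or o_w:
                findings.append((path, "home-writable"))
        else:
            # An ancestor: exec-only (e.g. mode 511) lets the user traverse
            # but not list, which is the behaviour the 511 /ftp test produced.
            if o_r:
                findings.append((path, "listable-by-others"))
            if o_w:
                findings.append((path, "writable-by-others"))
    return findings


def stat_chain(home):
    """Build the same entries from the live filesystem (Unix only) for a real FTP home."""
    import pwd  # Unix-only module; imported here so the parser works anywhere
    entries = {}
    for path in chain_of(home):
        st = os.stat(path)
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        entries[path] = (stat.filemode(st.st_mode), owner)
    return entries


if __name__ == "__main__":
    for path, code in audit_chain(parse_ls_output(SAMPLE_LS), "/home/privxfer"):
        print(f"{path}: {MESSAGES[code]}")
```

Run against the thread's listing it flags `/` and `/home` as listable by others, which is exactly why `cd ..` followed by `ls` showed every home directory; the privxfer home itself passes. On a real AIX box, `audit_chain(stat_chain("/home/privxfer"), "/home/privxfer")` runs the same checks from live `stat` data.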
By the way, how are you going to get this third-party software
installed? Is all of it going to be compiled again? Are these sources
acceptable?
In our case, the security guidelines don't allow you to install any
third-party software.
Was there any other workaround others implemented?
Thx
RC
The software is installed using the rpm.rte module on IBM's AIX
website. IBM supplies the version that is correctly compiled for AIX so
there is no recompiling necessary.
The only workaround I received was from Chris on this thread:
http://groups.google.ca/group/comp.unix.aix/browse_thread/thread/8b4e343fdfb2bd9e/?hl=en#
He had suggested using a variation of the standard anonymous login.
That works to some extent, but it does not validate the password. What
I want (essentially) is an FTP login that REQUIRES a specific password,
and then restricts that user to their home directory once logged in.
Steve