Re: Restrict FTP user to a directory tree (NOT anonymous login)
- From: "Hajo Ehlers" <service@xxxxxxxxxxxxx>
- Date: 7 Mar 2006 10:31:46 -0800
steven_nospam at Yahoo! Canada wrote:
> Hi,
> I have been researching the FTP logins and using anonymous logins for
> FTP transfers, but I have been having a bit of trouble getting a
> non-anonymous FTP login working properly so that the user cannot simply
> cd to another directory out of their directory tree and see files
> there.
A user with a local user account and password should be able to see
what he/she is allowed to if using a local login.
> When I use the anonymous user, it issues the chroot to keep the user
> pinned in a particular directory tree. I tried to use the
> /etc/ftpaccess.ctl file to add another user called "privxfer" but it
> does not seem to handle the chroot properly. When I am in the account,
> I can cd up and see all users in the /home directory. (Maybe my
> permissions on the dirs are wrong?)
From IBM:
Security Concerns with Anonymous FTP:
When creating anonymous ftp users and directories please be sure that
the home directory for users ftp, anonymous (ie. /home/ftp) and any
-->->>> defined users from /etc/ftpaccess.ctl <<<<<----
is owned by root and does not allow write permissions (ie. dr-xr-xr-x). The
script /usr/lpp/tcpip/samples/anon.ftp can be used to create the
user ftp accounts, files and directories. The script
/usr/lpp/tcpip/samples/anon.users.ftp can be used to create the
defined anonymous (from /etc/ftpaccess.ctl) user accounts, files
and directories.
You might like to read
http://www16.boulder.ibm.com/pseries/en_US/cmds/aixcmds2/ftpd.htm to
set up an anonymous user which has a local account. But the password
will not be used.
> What I am trying to accomplish (using standard AIX FTP, not a freeware
> or add-on) is to see if I can create a login for a user that needs a
> password (not anonymous) which cannot migrate up from the starting
> directory I give them. They can read or write files all they want
> within that structure, just not let them go anywhere else.
Have you fiddled with the readline, writeline .. within the
ftpaccess.ctl? (Without using the userline of course)
I have never heard of something like an ftpchroot file on AIX.
> I saw an option for /etc/ftpchroot file on another UNIX flavor, but it
> seems AIX does not support this, or am I just not using it right?
hth
Hajo
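The IBM text quoted above states the requirement but gives no way to verify it. The following sh script is an added example (it is not from Hajo's or steven's posts, nor from IBM's samples): it audits the home directory of the ftp user and of every user named on "useronly:" lines of an ftpaccess.ctl-style file against that requirement (owned by root, no write bits, dr-xr-xr-x). The "useronly:" keyword with a comma-separated list, the /etc/passwd lookup of the home directory, and the sample file contents used in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added audit script (example code, not from the original thread or from IBM).
# Checks the requirement quoted from IBM above: the home directory of the
# ftp/anonymous user and of every user defined in /etc/ftpaccess.ctl must be
# owned by root and carry no write permission (dr-xr-xr-x).
#
# Assumptions: defined users are listed on "useronly:" lines as a comma
# separated list, and the home directory is looked up in /etc/passwd
# (on AIX, "lsuser -a home USER" gives the same answer).

# ftp_home_policy MODE OWNER
#   MODE is an "ls -l" style mode string (e.g. dr-xr-xr-x), OWNER the owner
#   name. Returns 0 when the directory satisfies the policy, otherwise prints
#   the reason and returns 1.
ftp_home_policy() {
    mode=$1
    owner=$2
    case $mode in
        d*) ;;
        *)  echo "not a directory (mode $mode)"; return 1 ;;
    esac
    if [ "$owner" != root ]; then
        echo "owned by $owner, must be owned by root"
        return 1
    fi
    case $mode in
        *w*) echo "write permission present ($mode), expected dr-xr-xr-x"
             return 1 ;;
    esac
    return 0
}

# ftp_home_check DIR
#   Reads mode and owner with "ls -ld" (AIX has no GNU "stat -c") and applies
#   ftp_home_policy. Fields of ls -ld output: 1 = mode, 3 = owner.
ftp_home_check() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: no such directory"
        return 1
    fi
    set -- $(ls -ld "$dir")
    ftp_home_policy "$1" "$3"
}

# useronly_users FILE
#   Prints, one per line, the user names found on "useronly:" lines of an
#   ftpaccess.ctl style file, e.g. "useronly: privxfer, vendor1" (constructed
#   sample line) yields privxfer and vendor1.
useronly_users() {
    sed -n 's/^[[:space:]]*useronly:[[:space:]]*//p' "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sed '/^$/d'
}

# audit_ftpaccess FILE
#   Audits the home directory of ftp plus every useronly: user in FILE.
#   Returns 0 if all pass, 1 if any account is missing or fails the policy.
audit_ftpaccess() {
    rc=0
    for u in ftp $(useronly_users "$1"); do
        home=$(awk -F: -v u="$u" '$1 == u { print $6 }' /etc/passwd)
        if [ -z "$home" ]; then
            echo "$u: no such account"
            rc=1
            continue
        fi
        if reason=$(ftp_home_check "$home"); then
            echo "$u: $home OK"
        else
            echo "$u: $home FAIL: $reason"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh ftpaccess-audit.sh /etc/ftpaccess.ctl
if [ $# -eq 1 ]; then
    audit_ftpaccess "$1"
fi
```

The policy is deliberately applied only to the chroot top directory; a writable upload subdirectory below it (the usual anonymous "incoming" layout) is outside what IBM's text requires and is not flagged here.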
- Follow-Ups:
- Re: Restrict FTP user to a directory tree (NOT anonymous login)
- From: steven_nospam at Yahoo! Canada
- Re: Restrict FTP user to a directory tree (NOT anonymous login)
- References:
- Restrict FTP user to a directory tree (NOT anonymous login)
- From: steven_nospam at Yahoo! Canada
- Restrict FTP user to a directory tree (NOT anonymous login)