ITEM: H1399L
Security question on a "restricted ftp account"
Question:
We have an account on our system that is for ftp purposes only.
Login has been disabled. Users can still su to the account. We
would like to further restrict things so that users can only ftp in
and out of a specific directory, and they should not be able to cd to
other directories, etc.
Response:
NOTE: ftp does not really provide the function of not being able to
do a 'cd'. The following solution allows the ftp user to 'cd' in a
certain range. The user can not go outside of /u/ftp or above (i. e.
user can't go to /u or actual /; also can't go to $HOME of another
user, etc...)
NOTE: If the customer does not want users to su to the ftp account,
the "Another user can SU ..." attribute in SMIT can be set to false.
There are other attributes, ( "login user" and "user can rlogin") that
can also be set to false so that this account can ONLY be ftp'ed to
(i. e. users will not be able to use rlogin, telnet, or su).
There is a way to restrict that user to USING one directory for ftp
activity. Below are the steps that were followed to accomplish what
the customer wanted.
1. Create a non-administrative group called ftp
2. Create a user named ftp. The only things that need
to be set are the user name (ftp), login user (false),
user can rlogin (false), another user can SU to user (false),
home directory (/u/ftp), and primary group (ftp). Everything
else is your option such as max CPU, max file size, etc...
* The home directory can really be anything, /u/ftp was
convenient.
* Setting these attributes to false makes that user available
for ftp's only.
3. \# mkdir ~ftp/bin ~ftp/etc ~ftp/pub
4. \# cp /bin/ls ~ftp/bin
\# chmod 111 ~ftp/bin/ls
\# chmod 111 ~ftp/bin
\# chown root ~ftp/bin
* The 4th step sets up ~ftp/bin: Make a copy of the ls program, make
sure ls can't be changed, make directory execute-only, and make sure root
owns the directory.
5. \# sed -e 's/:[\^:]*:/:*:/' /etc/passwd > ~ftp/etc/passwd
\# sed -e 's/:[\^:]*:/:*:/' /etc/group > ~ftp/etc/group
\# chmod 444 ~ftp/etc/*
\# chmod 111 ~ftp/etc
\# chown root ~ftp/etc
* The 5th step sets up ~ftp/etc: Make a copy of /etc/passwd with all
passwords changed to asterisks, make a copy of /etc/group, make sure
files in etc are not writeable, make directory execute-only, and make
sure root owns the directory.
6. \# chmod 1777 ~ftp/pub
\# chown ftp ~ftp/pub
\# chgrp ftp ~ftp/pub
* The 6th step sets up ~ftp/pub: Make directory writeable by anyone and
make sure ftp owns the directory.
7. \# chmod 555 ~ftp
\# chown root ~ftp
* Step 7 secures the ftp directory.
* pub is the directory set aside for users to put and get files to and
from.
* ~ftp is $HOME directory.
With this setup, anyone logged in as ftp in an ftp session will
perceive /u/ftp as '/'. In other words, nothing exists to that user
lower in the tree than /u/ftp. The user can only see files (with the
current setup) in /u/ftp/bin, /u/ftp/lib, and /u/ftp/pub. These will
appear to the user as /bin, /lib, and /pub respectively.
* This account can also be accessed with the "anonymous" account.
NOTE: There is also a script that will set anonymous ftp up for you.
This script is called anon.ftp and is located in the
/usr/lpp/tcpip/samples directory.
Question:
Does the user account have to be named ftp or anonymous?
Response:
After testing, we found that the user HAS to be named ftp or anonymous.
Setting up a test user the exact way I did the ftp and anonymous proved
the user was still able to change directories outside of the specified
range.
Customer worried that this would not allow her to tell who was doing
what. However, when setting up these accounts and specifying passwords,
the system did not care about the passwd and would take any string of
characters. There is a message that is displayed after you type in the
user name (ftp/anonymous) it is as follows:
331 Guest login ok, send ident as password.
This suggests that the user types in his/her name for the password.
There is a file that records the ftp/anonymous passwords and gives you
information as to what happened during that particular session.
To set this up, do the following:
In the /etc/syslog.conf file add the following:
daemon.info /tmp/syslog.ftpd.out
* Name and place of the file is your choice. This file may need to
already exist; do this by >/filepathname
In the /etc/inetd.conf file:
Place the '-l' flag after the "ftpd" command:
ftp stream tcp nowait root /etc/ftpd ftpd -l
Execute:
refresh -s syslogd
refresh -s inetd
The logfile (/tmp/syslog.ftpd.out) will have entries like:
*) Normal User
Mar 7 18:28:22 cali ftpd[11163]: FTP LOGIN FROM machine_name, user_name
Notice that the password is not recorded since it will breech
security.
*) Anonymous FTP User
Mar 7 18:29:41 cali ftpd[11169]: ANONYMOUS FTP LOGIN FROM machine_name,
great
Notice the password of great was recorded for the anonymous login.
The following is another sample entry from the /tmp/syslog.ftpd.out file:
Mar 8 15:36:30 cali ftpd[12287]: connection from machine_name at Tue
Mar 8 15:36:30 1994
Mar 8 15:36:42 cali ftpd[12287]: ANONYMOUS FTP LOGIN FROM machine_name, hithere
Mar 8 15:36:44 cali ftpd[12287]: FTPD: EXPORT file local , remote
Mar 8 15:37:18 cali ftpd[12287]: FTPD: IMPORT file local tester, remote
Mar 8 15:37:23 cali ftpd[12287]: FTPD: EXPORT file local , remote tester2
* I ftp'ed to the machine cali using the ANONYMOUS account (could also use the ftp
account) and used hithere as my passwd.
(1) issued 'ls': EXPORT file local
(2) put the file tester (put tester)
(3) got the file tester2 (get tester2)
(4) exited
* You will see that the entries from the file contains the information as to
what command were run for that particular ftp session.
You could also issue the following command:
who -a /var/adm/wtmp
It would give you information such as the following:
ftp x ftp12287 Mar 08 15:36 ? 12287 machine_name
. x ftp12287 Mar 08 15:37 ? 12287
It is evident that it does not contain as much information as the
syslog.ftpd.out file, but it could still be helpful in determining
times, PID numbers, and what machine the ftp user is coming from.
(The ftp is the start time of ftp and . is the stop time.)
Support Line: Security question on a "restricted ftp account" ITEM: H1399L
Dated: March 1994 Category: N/A
This HTML file was generated 99/06/24~13:30:48
Comments or suggestions?
Contact us