Re: FTP Restricted Access

From: Muthyam Reddy (MREDDY@JOY.COM)
Date: Tue Dec 02 2003 - 16:07:54 EST


** High Priority **

I got these steps to limit an FTP user from the AIX mailing list..... it works fine.
You can make a few modifications based on requirements.

Below are the steps you need to do:

   1. Create a non-administrative group called ftp

   2. Create a user named ftp. The only things that need
       to be set are the user name (ftp), login user (false),
       user can rlogin (false), another user can SU to user (false),
       home directory (/u/ftp), and primary group (ftp). Setting these
       attributes to false makes that user available for ftp only.
       Everything else is your option, such as max CPU, max file size, etc...

       The home directory can really be anything, for example /u/ftp

   3. # mkdir /u/ftp/bin /u/ftp/etc /u/ftp/pub

   4. # cp /bin/ls /u/ftp/bin
      # chmod 111 /u/ftp/bin/ls
      # chmod 111 /u/ftp/bin
      # chown root /u/ftp/bin

      The 4th step sets up /u/ftp/bin: make a copy of the ls
      program, make sure ls can't be changed, make the directory execute-only,
      and make sure root owns the directory.

   5. # sed -e 's/:[^:]*:/:*:/' /etc/passwd > /u/ftp/etc/passwd
      # sed -e 's/:[^:]*:/:*:/' /etc/group > /u/ftp/etc/group
      # chmod 444 /u/ftp/etc/*
      # chmod 111 /u/ftp/etc
      # chown root /u/ftp/etc

      The 5th step sets up /u/ftp/etc: make a copy of /etc/passwd
      with all passwords changed to asterisks, make a copy of /etc/group,
      make sure files in etc are not writeable, make the directory execute-only,
      and make sure root owns the directory.

   6. # chmod 1777 /u/ftp/pub
      # chown ftp /u/ftp/pub
      # chgrp ftp /u/ftp/pub

      The 6th step sets up /u/ftp/pub: make the directory writeable by
      anyone and make sure ftp owns the directory.

   7. # chmod 555 /u/ftp
      # chown root /u/ftp

      Step 7 secures the ftp directory.

      pub is the directory set aside for users to put and get
      files to and from in the home directory /u/ftp.

With this setup, anyone logged in as ftp in an ftp session will perceive
/u/ftp as '/'. In other words, nothing exists to that user lower in the
tree than /u/ftp. The user can only see files (with the current setup) in
/u/ftp/bin, /u/ftp/lib, and /u/ftp/pub. These will appear to the user as
/bin, /lib, and /pub respectively.

This account can also be accessed with the "anonymous" account. The user HAS
to be named ftp or anonymous.

>>> LewisC@AAFES.COM 12/02/03 02:48PM >>>
I am trying to determine the best way to restrict a users access with FTP. I only want them to be able to get files from one particular directory and not be able to cd anywhere else on the system.

Any suggestions?

Tks
Tina Lewis
Army and Air Force Exchange Service

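The following script is an added example, not part of the original post: it carries out steps 3 through 7 above as a single shell function under a root directory of your choosing, and adds the check a defender would want afterwards, namely that the scrubbed passwd and group copies placed inside the tree expose nothing but "*" in the password field. The function names build_ftp_chroot, scrub_password_field, check_no_hash_leak and mode_string, and the parameters FTP_ROOT, PASSWD_SRC and GROUP_SRC, are assumptions made for this example. The post's steps are run from a root shell; here the chown/chgrp calls are only attempted when running as root so the permission and scrubbing steps can be tried as an ordinary user against a scratch directory and constructed passwd/group files.

```shell
#!/bin/sh
# Added example (not the original poster's code): build the restricted ftp
# tree from steps 3-7 under FTP_ROOT and verify the scrubbed passwd/group
# copies leak no password hashes. Function and parameter names are
# assumptions for this example. Needs POSIX sh, sed, awk, cp, chmod, ls.

# Step 5's transformation: replace the first ":field:" on every line, i.e.
# the password field of passwd/group-style files, with ":*:".
scrub_password_field() {
    sed -e 's/:[^:]*:/:*:/' "$1" > "$2"
}

# Returns 0 only if every line of the file has "*" in field 2.
# A non-zero status means a hash (or "x"/"!") survived the scrub.
check_no_hash_leak() {
    awk -F: 'NF > 1 && $2 != "*" { bad = 1 } END { exit bad }' "$1"
}

# First ten characters of "ls -ld", e.g. "d--x--x--x", for checking modes
# without relying on non-POSIX stat(1) options.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# build_ftp_chroot FTP_ROOT PASSWD_SRC GROUP_SRC
build_ftp_chroot() {
    FTP_ROOT=$1; PASSWD_SRC=$2; GROUP_SRC=$3

    # step 3: the three directories the ftp user will see as /bin, /etc, /pub
    mkdir -p "$FTP_ROOT/bin" "$FTP_ROOT/etc" "$FTP_ROOT/pub" || return 1

    # step 4: private copy of ls, execute-only file in an execute-only dir
    cp "$(command -v ls)" "$FTP_ROOT/bin/ls" || return 1
    chmod 111 "$FTP_ROOT/bin/ls" || return 1
    chmod 111 "$FTP_ROOT/bin" || return 1

    # step 5: scrubbed passwd/group, read-only files, execute-only dir
    scrub_password_field "$PASSWD_SRC" "$FTP_ROOT/etc/passwd" || return 1
    scrub_password_field "$GROUP_SRC"  "$FTP_ROOT/etc/group"  || return 1
    chmod 444 "$FTP_ROOT/etc/passwd" "$FTP_ROOT/etc/group" || return 1
    chmod 111 "$FTP_ROOT/etc" || return 1

    # step 6: pub is world-writable with the sticky bit (1777)
    chmod 1777 "$FTP_ROOT/pub" || return 1

    # step 7: the top of the tree is read/execute only
    chmod 555 "$FTP_ROOT" || return 1

    # Ownership as in steps 4-7; only root can chown, and the ftp
    # user/group from steps 1-2 must exist for pub to be handed to it.
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$FTP_ROOT" "$FTP_ROOT/bin" "$FTP_ROOT/etc" || return 1
        if id ftp >/dev/null 2>&1; then
            chown ftp "$FTP_ROOT/pub" && chgrp ftp "$FTP_ROOT/pub"
        fi
    fi

    # Refuse to hand over a tree whose etc copies still carry hashes.
    check_no_hash_leak "$FTP_ROOT/etc/passwd" || return 1
    check_no_hash_leak "$FTP_ROOT/etc/group"  || return 1
    return 0
}
```

Because /u/ftp is made mode 555 and bin and etc are mode 111, a later rm -rf of a scratch tree needs the modes loosened first (chmod -R u+rwx); that is also why the check is done by opening the files by name rather than listing the directories.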

This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:23 EDT