ORIGINAL QUERY:
Dear friends,
> I want to give selected customers ftp access to our system using one of 5
> different accounts. I don't want anonymous ftp. When they log in I
> don't want them to be able to see anything above the home directory for
> that account, similar to the way web pages work. Is this easy to do? It
> seems basic but I can't figure it out. Can someone please give me a shove in
> the right direction? I've already read the sunmanager FAQ and man ftpd.
Your wisdom will be greatly appreciated.
Sean
-----------------------------------------------
Thanks for all the replies, too numerous for individual acks. Majority
opinion is to install wu-ftpd. I have included some interesting replies for
the benefit of anyone interested in this topic. If you want to do this with
the standard release Solaris ftpd check out Joop's detailed explanation of
using sub-logins!
Sean
The ftp server from WUSTL (or almost any ftp server) will do this...
Basically, there are three types of ftp logins:
1. "regular" ftp login, i.e. "I have a Unix login on the box,
and I ftp to that box using my Unix login/passwd"
2. anonymous ftp - self explanatory
3. "guest" ftp login, and that's the type you are looking for.
It uses chroot (so that they can't go beyond their "home").
Read more about this:
http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
I installed wu-ftpd.
Then:
Create user accounts.
On Solaris, the passwd file entry looks like this:
username:x:UID:GID:Description:/var/spool/ftp/dist/XXXX/./username:/bin/csh
The '.' says they can't go above that point.
Then you add username to group1 in the group file.
Then you chown /var/spool/ftp/dist/XXXX to someone else (administrator), and
chgrp it to group1.
Then you chmod /var/spool/ftp/dist/XXXX to 710.
chown ~username to username, chgrp it to group2.
chmod 770 ~username.
The administrator should be in group group2.
Make sure to create the correct dev/ usr/ etc. files/directories under
/var/spool/ftp/dist/XXXX.
Hope that helps,
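As an added example (not part of the reply above or of wu-ftpd itself), a small Python check that applies the '/./' convention from the passwd entry above and audits the ownership and mode scheme the reply describes; the account name, uids, gids and stat values are constructed.

```python
from dataclasses import dataclass

# Constructed sample data in the format shown above (not a real account).
SAMPLE_PASSWD = "alice:x:1001:200:Customer A:/var/spool/ftp/dist/custA/./alice:/bin/csh"
SAMPLE_SHELLS = {"/bin/sh", "/bin/csh"}
ADMIN, ADMIN_UID = "admin", 500
GROUP1_GID, GROUP2_GID = 100, 101
GROUP1 = {"alice", "admin"}   # members of group1 in /etc/group
GROUP2 = {"admin"}            # members of group2 in /etc/group

@dataclass
class GuestAccount:
    user: str
    uid: int
    chroot_dir: str   # becomes "/" after wu-ftpd calls chroot()
    start_dir: str    # working directory inside the chroot after login
    shell: str

def parse_guest_entry(line):
    """Split a passwd line and apply the wu-ftpd '/./' convention: the part
    before '/./' is the chroot root, the part after it is the start directory."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("passwd entry must have 7 fields")
    user, _pw, uid, _gid, _gecos, home, shell = fields
    root, marker, rel = home.partition("/./")
    if not marker:
        raise ValueError(f"{user}: no '/./' in home, user would not be chrooted")
    return GuestAccount(user, int(uid), root, "/" + rel, shell)

def audit_layout(acct, shells, group1, group2, stat_of):
    """Return deviations from the ownership/mode scheme given in the reply.
    stat_of(path) -> (uid, gid, mode) is injected so this runs offline; on a
    live box pass a wrapper around os.stat. The dev/, etc/ and usr/ contents
    of the chroot are not checked here."""
    problems = []
    if acct.shell not in shells:
        problems.append(f"shell {acct.shell} is not listed in /etc/shells")
    if acct.user not in group1:
        problems.append(f"{acct.user} is not in group1 and cannot enter {acct.chroot_dir}")
    if ADMIN not in group2:
        problems.append(f"{ADMIN} is not in group2 and cannot manage user files")
    uid, gid, mode = stat_of(acct.chroot_dir)
    if (uid, gid, mode & 0o777) != (ADMIN_UID, GROUP1_GID, 0o710):
        problems.append(f"{acct.chroot_dir} should be {ADMIN}:group1 mode 710")
    home = acct.chroot_dir + acct.start_dir
    uid, gid, mode = stat_of(home)
    if (uid, gid, mode & 0o777) != (acct.uid, GROUP2_GID, 0o770):
        problems.append(f"{home} should be {acct.user}:group2 mode 770")
    return problems
```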
Sean,
You can use anonymous FTP with sub-logins, where only the user who knows the
password for his account will see his files, others cannot see them, and his
directory will be the topmost directory when he logs in.
For this you have to first log in as anonymous with an email ID and then type
the username and the corresponding password to go to his directory.
Below is how you configure this:
----------------------------------------------------------------------------
How to Setup Anonymous FTP sub-logins for Solaris 2.5 and 2.5.1
NOTE: Sub-logins for FTP work under Solaris 2.x ONLY!
Anonymous FTP sub-logins:
- Anonymous ftp sub-logins allow you to configure an anonymous FTP
server, and customize it for different users.
- You can give each user their own home directory and set permissions
on each home directory so that others can't see or transfer files
from within them.
- Sub-logins will prevent all users from going beyond the directory
hierarchy of /export/ftp because anonymous FTP uses the chroot function.
- The user is required to log in twice: once as anonymous and again as
themselves using the "user" command from the FTP prompt.
An example of an Anonymous FTP sub-login:
kakata% ftp kakata
Connected to kakata.
220 kakata FTP server (UNIX(r) System V Release 4.0) ready.
Name (kakata:kimr): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> user precious
331 Password required for precious.
Password:
230 User precious logged in.
ftp> pwd
257 "/precious" is current directory.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (129.151.21.49,41058) (0 bytes).
226 ASCII Transfer complete.
ftp>
To Set Up Sub-logins with anonymous FTP:
1. Set up anonymous FTP as you normally would.
Note: For the following examples, it is assumed that anonymous ftp is
set up in the /export/ftp directory.
2. Add the user to /export/ftp/etc/passwd file.
example:
test3:x:30001:30001:ftp sub-login user:/precious:/bin/false
Note: the home directory is listed as /precious and the shell is
/bin/false (a bogus shell name). If you are using /bin/false as a shell,
remember that it needs to be listed in /export/ftp/etc/shells.
3. Also, add the user to the local /etc/passwd file.
Note: This is necessary for Solaris 2.5, 2.5.1 and 2.6 because the
in.ftpd daemon gets the home directory, uid, and shell from the
/etc/passwd or passwd database.
4. Create the home directory for the user in /export/ftp with appropriate
permissions.
Note: Keep in mind that even though the home directory will be in the
/export/ftp directory, as far as ftp knows, /export/ftp is really '/'.
Therefore, the home directory should be listed as /precious in the
/export/ftp/etc/passwd file, but it will really live at
/export/ftp/precious.
Example:
mkdir /export/ftp/precious
chown precious /export/ftp/precious
chmod 755 /export/ftp/precious
5. Create/Edit the /export/ftp/etc/shadow file and add the shadow entry with
the encrypted password (you can copy it from the /etc/shadow file).
Note: If you are running 2.3 or greater, you MUST have the encrypted passwd
in the shadow file instead of the "x" in the password field.
Example of /export/ftp/etc/shadow entry:
precious:LrxyzVVab2c:9561:::::
6. Change the permissions on the ftp/shadow file to 400 and change the owner
on the file to root if it isn't already.
Example:
chmod 400 /export/ftp/etc/shadow
chown root /export/ftp/etc/shadow
7. Create a /export/ftp/etc/shells file and add the shell specified in the
/export/ftp/etc/passwd file.
Example:
/bin/false
Note: Use a non-standard shell so that the user will not be able to log in
as a regular user.
8. Copy the following security libraries:
cd /export/ftp
mkdir usr/lib/security
cp /usr/lib/security/pam_entry.so usr/lib/security/pam_entry.so
mkdir etc/lib
cp /etc/lib/pam_entry.so etc/lib/pam_entry.so
----------------------------------------------------------------------------
This should do it!
Warm Regards
ROOP KUMAR S S
Microland, India
email : roop@microland.co.in
Tel : 91-80-5710101 / 0203 / 1102 / 1104
Fax: 91-80-5710566
url : www.microland.net
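As an added example (not part of the procedure above), a Python consistency check for the files steps 2 to 7 create inside the anonymous FTP chroot: the shell must appear in the chroot etc/shells, the home listed as /precious must exist under the chroot root, the chroot etc/shadow must hold an encrypted password rather than "x" and must be root-owned with mode 400. The file contents and the shadow hash are constructed placeholders.

```python
# Constructed contents for the chroot's etc/ files, following the format of the
# steps above (not copied from a real system; the shadow hash is a placeholder).
CHROOT = "/export/ftp"
CHROOT_PASSWD = "precious:x:30001:30001:ftp sub-login user:/precious:/bin/false\n"
CHROOT_SHADOW = "precious:LrxyzVVab2c:9561:::::\n"
CHROOT_SHELLS = "/bin/false\n"

def check_sublogins(chroot, passwd_text, shadow_text, shells_text, isdir, stat_of):
    """Return a list of findings for the sub-login files inside `chroot`.
    isdir(path) -> bool and stat_of(path) -> (uid, mode) are injected so the
    check runs offline; on a live box pass os.path.isdir and a wrapper
    around os.stat."""
    findings = []
    # Step 7: every shell named in the chroot etc/passwd must be in the chroot etc/shells.
    shells = {s.strip() for s in shells_text.splitlines() if s.strip()}
    # Step 5: the chroot etc/shadow must carry the encrypted password, not "x".
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed passwd line: {line!r}")
            continue
        user, _pw, _uid, _gid, _gecos, home, shell = fields
        if shell not in shells:
            findings.append(f"{user}: shell {shell} is not in {chroot}/etc/shells")
        # Step 4: /precious in the chroot passwd really lives at /export/ftp/precious.
        if not home.startswith("/"):
            findings.append(f"{user}: home {home!r} must be absolute inside the chroot")
        elif not isdir(chroot + home):
            findings.append(f"{user}: home {home} not found at {chroot + home}")
        hashed = shadow.get(user)
        if hashed is None:
            findings.append(f"{user}: no entry in {chroot}/etc/shadow")
        elif hashed in ("", "x"):
            findings.append(f"{user}: shadow field is {hashed!r}, needs the encrypted password")
    # Step 6: the chroot shadow file must be root-owned with mode 400.
    uid, mode = stat_of(chroot + "/etc/shadow")
    if uid != 0 or mode & 0o777 != 0o400:
        findings.append(f"{chroot}/etc/shadow must be owned by root with mode 400")
    return findings
```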
In their "home" dir in passwd, put a "." where you want them to see as the root
dir, i.e.
/export/home/custs/quests/./
would prevent you from going above that dir... i.e. your home dir.
This assumes you're using wu-ftpd... don't know if it works on regular ftpd.
You can use the wu-ftpd Solaris package that I made. It is
available from the URL in my signature.
Michael Wang
http://www.mindspring.com/~mwang
Hi,
If you visit http://metalab.unc.edu/pub/packages/solaris/sparc/ and
get the proftpd package for your Solaris release then you will find
it's relatively simple to accomplish what you need. We do similar
things here:
<Anonymous /apps/service/red/ftp>
User redadmin
Group service
Umask 002
AllowOverwrite on
AnonRequirePassword on
<Limit READ WRITE DIRS>
AllowAll
</Limit>
</Anonymous>
The above limits redadmin to that directory but lets them have full upload
and download capabilities. The redadmin user exists in /etc/passwd with a
shell of /bin/ftponly, (cp /bin/true /bin/ftponly). Make sure /bin/ftponly
is in /etc/shells.
Proftpd will do buckets more if you have weird needs. My users do
unfortunately :).
wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/
Sounds exactly like the "guestgroup" feature implemented in wu-ftpd
(the *W*ashington *U*niversity's *ftp* *d*aemon). Basically a (Unix)
group whose members will have passwords like normal ftp users, but
will be chroot()ed like "anonymous".
Regards,
J. Bern
This can be done using an anonymous ftp server we use called proftpd.
It is immensely configurable, and can be set up to allow those 5 users
access to only a certain directory.
Example: user1 logs in and is placed in the directory /ftp/private. This
user can only see files in this directory, and can only traverse
directories inside /ftp/private.
It's a great ftp daemon.
Lee
I use ncFTPd for that, look at their site, it works GREAT, it does exactly
what you need.
http://www.ncftpd.com
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:18 CDT