#1
Hi, I made a user on my machine with OS AIX 5.3. I have blocked telnet access for that user and only want to use that user for FTP. Now I want that user to be able to FTP only to a particular folder and not access or move to any other directory. Let's say my user's home profile is in /abc/adeel/xyz. Once the user logs in through FTP, he will be dropped directly at this path, but I don't want that user to be able to change the directory. He should always remain in this path, that is /abc/adeel/xyz; he cannot move anywhere else. How can I restrict him? I have already used rksh, but that only works in telnet mode; it's not working in FTP mode. Kindly guide me.

#2
Hi, I'm curious about this one too. I know the anonymous FTP script delivered with AIX, /usr/samples/tcpip/anon.ftp (part of bos.net.tcp.client), does a similar thing with the anonymous FTP user and limits him to his own directory tree, but I didn't want anonymous user access. I wanted a normal user with a tough password, limited to a directory that I choose, not some file tree below /home/blablabla with links in it. I heard from other sources that changeroot or chroot would do the job, but only if used with a special ftpd; well, I wanted to keep the ftpd from AIX for security reasons. Anyway, I made a test with wu_ftpd and did not get it working. At that point I gave up... Maybe someone else here got it working successfully in their environment. If yes, please share the information.

Cheers, seth

#3
What you're trying to do is a chroot jail, which the standard AIX ftpd daemon doesn't support. The best way to do this is to switch to SFTP, which does support chrooting. Aside from natively supporting chroot functions without installing extra software, you will use a more secure protocol (SSH).

Alternatively, if you need to stay with the FTP protocol, you can get a different FTP package, for example ProFTPd, which does support chroot functions. Here's a tutorial on it: ProFTPD mini-HOWTO - Symlinks and chroot()

Good luck!

#4
Hi guys, I have been through the same pain. I also looked at the IBM AIX anonymous script sent with AIX and was NOT keen to have an anonymous user on my system. I finally found what I was looking for: set your user as you have done, with only FTP access. Then it is actually very simple; there are 2 FTP config files (both standard text files):

    #>cat ftpusers
    #The following list of users will be restricted from ftp login
    root
    bin
    uucp
    ingres
    daemon
    news
    nobody
    anonymous

The second file is what you are looking for. There is actually a full detailed description of how and what to set in the file if you just run a man on ftpd. I felt kind of stupid after searching to the end of the web for this info and then finding it already detailed in AIX. But not many people know of it? Anyway, here is an example of what you would set in ftpaccess.ctl if you wanted user "ftp" to log in to "/home/ftp"; the user will be able to change directory forward but not backwards. Also, when user ftp logs in and runs pwd, it will show only "/" and not "/home/ftp".

    #>cat ftpaccess.ctl
    useronly: ftp
    readwrite: /home/ftp

This is an absolute winner. No extra non-AIX software or hacks or anonymous users. I used it on AIX 5.3 TL 06 and had no major issues. I did find that I couldn't get all the functions in the ftpaccess.ctl file to work correctly (deny; that's why I used it in conjunction with ftpusers). I actually think this comes from Linux, and I am not sure which versions of AIX do and don't support this setup. So give it a bash.

regards

#5
Hi kimyo,

That sounds fine, especially the part with the ftpaccess.ctl. Well, ftpusers lacks a really good feature to use it. I would like a more suitable access control above the users. Something like "deny all but allow user xyz". But thanks for the hint anyway! Have a nice weekend!

Seth

#6
Hi Seth,

If you can get the ftpaccess.ctl file set up correctly then you might be able to set something like deny all (not 100% sure if "all" is recognized). However, I think the file is read line by line, so if you had deny all on line 1 and then allow xyz on line 2, that should work? But only if "all" is a recognized entry. I understand that if you have hundreds of users then adding them all will be quite a task, although you could just pull user names in from an lsuser awk'ed or something. Not sure if that is what you were getting at, but give it a try.

regards

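Posts #5 and #6 discuss denying FTP to every account except a chosen few by listing all the others in ftpusers. The script below is an added example, not code from any poster in this thread: it builds such a deny list and flags allow-list names that match no account. It assumes passwd-format account data on stdin (on AIX the names could come from lsuser instead); the function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: build an ftpusers-style deny list that names every account
# except the ones explicitly allowed to use FTP.
# Assumption: accounts arrive on stdin in passwd format (name is field 1).

# build_ftpusers "user1 user2": print every account NOT in the allow list,
# one per line, sorted and de-duplicated.
build_ftpusers() {
    awk -F: -v allow="$1" '
        BEGIN {
            n = split(allow, names, /[ ,]+/)
            for (i = 1; i <= n; i++) if (names[i] != "") keep[names[i]] = 1
        }
        /^[ \t]*#/ || $1 == "" { next }   # skip comments and blank lines
        !($1 in keep) { print $1 }
    ' | sort -u
}

# missing_allowed "user1 user2": print allow-list names with no matching
# account, so a typo in the allow list is caught before the list is used.
missing_allowed() {
    awk -F: -v allow="$1" '
        { seen[$1] = 1 }
        END {
            n = split(allow, names, /[ ,]+/)
            for (i = 1; i <= n; i++)
                if (names[i] != "" && !(names[i] in seen)) print names[i]
        }
    '
}

# Constructed sample accounts (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
ftp:!:210:1::/home/ftp:/usr/bin/ksh
adeel:!:211:1::/abc/adeel/xyz:/usr/bin/rksh
EOF
}

# Print the deny list for review; nothing is written to the system.
sample_passwd | build_ftpusers "ftp adeel"
```

The output is meant to be reviewed before it replaces an existing ftpusers file, and it has to be regenerated whenever accounts are added, since a new account is not denied until it is listed.
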
#7
Hmm, I have now looked at man ftpd and found the useronly/grouponly directive in the ftpaccess.ctl file. It looks to me like the ftpusers file is obsolete for me, and that is fine! Thanks a lot kinyo for the information.

Cheers, seth

#9
Well, it seems to be a smart solution to use tftpaccess.ctl with useronly to restrict ftp access to the user's homedir... but if you connect to the server with ftp as this user, you get a guest login without the user's password!!! That is not what I want. I would like to be asked for the ftp user's password; I do not want to have anonymous login. Mmmh, does anybody know a solution for this?

Regards, clehopatra