
Wednesday, June 26, 2013

Create an FTP-access-only user in Solaris 10 with user restrictions (access rights)


We are going to create a user who can access the server via FTP only, with the following access rights:

Access to server via:

Telnet/ssh/other: No
FTP: Yes
                Read files: only from the user's home directory.
                Set the home directory to whatever location the user should be allowed to read,
                e.g. /var/apache2/http/ftp/
                The user is then confined to that directory and can read nothing outside it.

Chmod                 Not allowed
Delete                  Not allowed
Overwrite            Not allowed
Rename               Not allowed
Umask                 Not allowed
Upload                Not allowed


               
Verify that the FTP service is running on the server:

# svcs -a |grep -i ftp
online         12:17:58 svc:/network/ftp:default

Create a new user that can access the server only via FTP:

# useradd -g other -d /export/home/sltftp -m -s /bin/ftponly -c "ftp only user account for ftp backup" sltftp

other : The primary group that will by default own any files or processes created by this user. If this user accesses a file whose group is the user's primary group, the group permissions of that file apply (unless the user owns the file). The -g option is optional; useradd assigns a default group if it is omitted.
/export/home/sltftp : The user's home directory, which normally holds the files owned by that user. For a guest FTP user this is also the directory the FTP session is confined to (see the guestuser setting below), so point it at whatever directory the user should be allowed to read. Login scripts such as .cshrc or .profile are never run for this account because it never gets a shell.
/bin/ftponly : The login shell. When a user logs in via telnet or at the console, or opens an xterm window in X, the shell program is run to interpret commands. If the account's shell does not exist or does nothing (like /bin/false), that user cannot log in interactively. Here /bin/ftponly is such a non-shell. Note that in.ftpd also refuses FTP logins for accounts whose shell is not listed in /etc/shells, which is why /bin/ftponly is added there in a later step.
"ftp only user account for ftp backup" : The comment (GECOS) field, the human-readable description of this user.
sltftp : The login name of this user. This must be unique.

Set a password for the newly created user (until you do, the account stays locked and cannot log in at all). FTP sends this password in cleartext on every login, so do not reuse a password from any other account:

# passwd sltftp
New Password:
Re-enter new Password:
passwd: password successfully changed for sltftp

Verify user creation:

# cat /etc/passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
.
.
sltftp:x:1000:10:ftp only user account for ftp backup:/export/home/sltftp:/bin/ftponly

1000: The user ID or UID is what the system really uses to enforce permissions on files and processes. If two users have the same UID, they will be able to access each other’s files - so every user should have a unique UID.

Create /etc/shells (by default this file does not exist on Solaris 10). in.ftpd only accepts FTP logins for accounts whose shell appears in this list, so /bin/ftponly must be added to it. While the file is absent the system falls back to a built-in list of standard shells; once you create it, only the shells you list are valid, so include the normal shells as well, not just /bin/ftponly:

# cat /etc/shells
/etc/shells: No such file or directory

Add the standard shells plus the line /bin/ftponly:

# vi /etc/shells
/bin/bash
/bin/csh
/bin/gnome-autogen.sh
/bin/hash
/bin/jsh
/bin/ksh
/bin/pfcsh
/bin/pfksh
/bin/pfsh
/bin/remsh
/bin/rksh
/bin/rsh
/bin/sh
/bin/ssh
/bin/tcsh
/bin/zsh
/bin/ftponly

Save and exit: Esc, then :wq!

Try logging in with telnet as this user to confirm that interactive access is refused:

login: sltftp
Password:
Last login: Wed Jun 26 12
No shell
Connection to host lost.

You can also create /bin/ftponly as a small script that prints a message when someone tries an interactive login and then exits, so no shell is ever started:

# cat /bin/ftponly
#!/bin/sh
echo "This account only allows FTP Access!"
exit 1
# chmod 755 /bin/ftponly

Keep the file owned by root and not writable by anyone else, since it is executed at every interactive login attempt.

After that, when the user tries to log in via telnet, the session looks like this:

login: sltftp
Password:
Last login: Wed Jun 26 12
This account only allows FTP Access!
Connection to host lost.

Limit the access rights of the FTP user by editing the ftpaccess file located in /etc/ftpd/:

# vi /etc/ftpd/ftpaccess

# ident "@(#)ftpaccess  1.2     03/05/14 SMI"
#
# FTP server configuration file, see ftpaccess(4).
#

class   realusers       real    *
class   guestusers      guest   *
class   anonusers       anonymous       *

loginfails      3
passwd-check    trivial         warn
private         no
shutdown        /etc/ftpd/shutdown.msg
# email         user@hostname
# guestuser     username
# rhostlookup   no

keepalive       yes
recvbuf         65536           real,guest,anonymous
sendbuf         65536           real,guest,anonymous
# flush-wait    no              anonymous
# passive       ports           0.0.0.0/0       32768   65535
# timeout       data            600
# timeout       idle            300

banner          /etc/ftpd/banner.msg
greeting        brief
message         /etc/ftpd/welcome.msg   login
message         .message                cwd=*
readme          README*                 login
readme          README*                 cwd=*
# quota-info    *

chmod   no      anonymous,guest
delete  no      anonymous,guest
overwrite       no      anonymous,guest
rename  no      anonymous,guest
umask   no      anonymous,guest

compress        yes             realusers guestusers anonusers
tar             yes             realusers guestusers anonusers

path-filter     anonymous,guest /etc/ftpd/filename.msg  ^[[:alnum:]._-]*$       ^[.-]

noretrieve      relative        class=anonusers         /
allow-retrieve  relative        class=anonusers         /pub

upload          class=guestusers    *    *         no  nodirs
upload          class=anonusers    *    *         no  nodirs
# upload        class=anonusers    *    /incoming yes ftpadm ftpadm 0440 nodirs

# log           commands        real,guest,anonymous
# log           security        real,guest,anonymous
# log           transfers       real,guest,anonymous    inbound,outbound
# xferlog       format  %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc %Xs %Xr

# limit-time    anonymous       30
# limit         anonusers       10      Wk0730-1800       /etc/ftpd/toomany.msg
# limit         anonusers       50      SaSu|Any1800-0730 /etc/ftpd/toomany.msg
guestuser      sltftp ftptest
log     commands        anonymous,guest


Save the changes: Esc, then :wq!

We put this user in the guest list:

Define sltftp as a guest user:

guestuser       sltftp ftptest

Create a class for guest users:

The WU-FTP server (in.ftpd on Solaris 10) classifies each login by user type and by the address it comes from. The three user types are:
real - normal Unix accounts on the system.
guest - Unix accounts that ftpaccess marks as guests with the guestuser directive; they are confined to their home directory.
anonymous - logins as the anonymous or ftp user, if allowed on the system.
The class lines in ftpaccess define named classes based on user type and source address. Every login is placed in the first matching class, so order the classes from most to least specific. The address part can be a full or partial IP address, a network/netmask, a hostname, a host wildcard (like *.foo.com) or the absolute path of a file containing more addresses; any address can be prefixed with ! to negate it.

class   guestusers      guest   *

Limit the access rights of guest users (this applies to every guest user):

chmod   no      anonymous,guest
delete  no      anonymous,guest
overwrite       no      anonymous,guest
rename  no      anonymous,guest
umask   no      anonymous,guest

Add a login banner that is displayed at login:

message        /etc/ftpd/welcome.msg   login
#vi /etc/ftpd/welcome.msg  
***************************
Welcome to ftp Server
Authorized access only!
***************************
Save it: Esc, then :wq!

There is no need to restart the FTP service for the changes to take effect: in.ftpd is started for each incoming connection and reads ftpaccess at every login. If you want to restart the service anyway:
# svcadm restart svc:/network/ftp:default

Done!
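Before testing from a client, it is worth checking from the server side that every piece above is actually in place: the /bin/ftponly shell in /etc/passwd, its entry in /etc/shells, the guestuser line, the chmod/delete/overwrite/rename/umask denials for guest and the upload denial for the guest class in ftpaccess. The audit script below is an added example and is not part of the original post or of Solaris; the function names (audit_ftponly, user_shell, guest_class and so on) are this example's own. It takes the file paths as arguments so it can be run against copies, and with no arguments it audits a constructed copy of the configuration shown above rather than the real system files.

```shell
#!/bin/sh
# audit_ftponly.sh: added example, not part of the original post.
# Verifies that an account is locked down the way the steps above describe:
#   1. its login shell in passwd is /bin/ftponly (no telnet/ssh/console login)
#   2. that shell is listed in the shells file, or in.ftpd refuses the login
#   3. ftpaccess names the user on a "guestuser" line (confined to home dir)
#   4. chmod, delete, overwrite, rename and umask are "no" for guest users
#   5. upload is "no" for the class whose user type is guest
# File paths are arguments so the checks can run against copies or backups:
#   ksh audit_ftponly.sh sltftp /etc/passwd /etc/shells /etc/ftpd/ftpaccess
# With no arguments it audits a constructed copy of the post's configuration.
# On Solaris 10 use ksh and AWK=nawk: /bin/sh lacks $(...), /usr/bin/awk lacks -v.

AWK=${AWK:-awk}

# user_shell USER PASSWD_FILE: print USER's login shell (empty if absent)
user_shell() {
    $AWK -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# shell_listed SHELL SHELLS_FILE: succeed if SHELL is a line of SHELLS_FILE
# (an empty shell never counts, even if the file contains blank lines)
shell_listed() {
    [ -n "$1" ] && $AWK -v s="$1" '$0 == s { f = 1 } END { exit !f }' "$2"
}

# is_guestuser USER FTPACCESS: succeed if a "guestuser" line names USER
is_guestuser() {
    $AWK -v u="$1" '$1 == "guestuser" { for (i = 2; i <= NF; i++) if ($i == u) f = 1 }
                    END { exit !f }' "$2"
}

# denied_for_guest DIRECTIVE FTPACCESS: succeed on "DIRECTIVE no <typelist>"
# where the comma-separated type list contains "guest"
denied_for_guest() {
    $AWK -v d="$1" '$1 == d && $2 == "no" && ("," $3 ",") ~ /,guest,/ { f = 1 }
                    END { exit !f }' "$2"
}

# guest_class FTPACCESS: print the first class whose type list contains "guest"
guest_class() {
    $AWK '$1 == "class" && ("," $3 ",") ~ /,guest,/ { print $2; exit }' "$1"
}

# upload_denied CLASS FTPACCESS: succeed on "upload class=CLASS <dir> <owner> no ..."
upload_denied() {
    $AWK -v c="class=$1" '$1 == "upload" && $2 == c && $5 == "no" { f = 1 }
                          END { exit !f }' "$2"
}

# check DESCRIPTION COMMAND...: run COMMAND, print PASS/FAIL, count failures
check() {
    ck_desc=$1; shift
    if "$@"; then echo "PASS: $ck_desc"; else echo "FAIL: $ck_desc"; au_fail=$((au_fail + 1)); fi
}

# audit_ftponly USER PASSWD_FILE SHELLS_FILE FTPACCESS: the exit status is the
# number of failed checks, so 0 means the account is configured as intended
audit_ftponly() {
    au_fail=0
    au_shell=$(user_shell "$1" "$2")
    check "login shell of $1 is /bin/ftponly (found '$au_shell')" test "$au_shell" = /bin/ftponly
    check "$au_shell is listed in $3" shell_listed "$au_shell" "$3"
    check "$1 is named on a guestuser line" is_guestuser "$1" "$4"
    for au_d in chmod delete overwrite rename umask; do
        check "$au_d is denied for guest users" denied_for_guest "$au_d" "$4"
    done
    au_class=$(guest_class "$4")
    check "upload is denied for class=$au_class" upload_denied "$au_class" "$4"
    return $au_fail
}

# write_sample_config DIR: constructed copies of the three files as shown in
# the post (sample data for a self-test, not read from the running system)
write_sample_config() {
    printf '%s\n' 'root:x:0:0:Super-User:/:/sbin/sh' \
        'sltftp:x:1000:10:ftp only user account for ftp backup:/export/home/sltftp:/bin/ftponly' \
        > "$1/passwd"
    printf '%s\n' /bin/sh /bin/ksh /bin/ftponly > "$1/shells"
    printf '%s\n' '# constructed subset of /etc/ftpd/ftpaccess' \
        'class   realusers       real    *' \
        'class   guestusers      guest   *' \
        'class   anonusers       anonymous       *' \
        'guestuser       sltftp ftptest' \
        'chmod   no      anonymous,guest' \
        'delete  no      anonymous,guest' \
        'overwrite       no      anonymous,guest' \
        'rename  no      anonymous,guest' \
        'umask   no      anonymous,guest' \
        'upload          class=guestusers    *    *         no  nodirs' \
        'upload          class=anonusers    *    *         no  nodirs' \
        > "$1/ftpaccess"
}

if [ $# -eq 4 ]; then
    audit_ftponly "$@"
elif [ $# -eq 0 ]; then
    tmp=$(mktemp -d 2>/dev/null || echo "/tmp/ftponly.$$"); mkdir -p "$tmp"
    write_sample_config "$tmp"
    audit_ftponly sltftp "$tmp/passwd" "$tmp/shells" "$tmp/ftpaccess"
    rm -rf "$tmp"
fi
```

The exit status is the number of failed checks, so the script can be run from cron or a configuration check and will flag the account as soon as someone removes a denial line from ftpaccess or gives the user a real shell. It only parses the files; the directives themselves are still enforced by in.ftpd.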

Now test the FTP login as this user from a client:

C:\Windows\system32>ftp 172.16.0.3
Connected to 172.16.0.3.
220 NTU-DR-EMS FTP server ready.
User (172.16.0.3:(none)): sltftp
331 Password required for sltftp.
Password:
230 User sltftp logged in.  Access restrictions apply.


Try to upload some files:
ftp> mput
Local files C:\Users\Daraka\Desktop\test.txt
mput C:\Users\Daraka\Desktop\test.txt?
200 PORT command successful.
553 test.txt: Permission denied on server. (Upload)


The user can only download from the server. Keep in mind that the chmod, delete, overwrite, rename, umask and upload denials are enforced by in.ftpd alone; as a second line of defence, make the directory the user is confined to owned by root with mode 755, so the account cannot write there even if the ftpaccess restrictions are later changed.