We are going to create a user who can access the server via FTP with the following access rights:
Access to server via:
Telnet/ssh/other: No
FTP: Yes
Read files: only the user's home directory. You can give whatever location you need the user to have access to, e.g. /var/apache2/http/ftp/; the user can then access only that folder.
Chmod: Not allowed
Delete: Not allowed
Overwrite: Not allowed
Rename: Not allowed
Umask: Not allowed
Upload: Not allowed
Verify ftp service is running in the server:
# svcs -a |grep -i ftp
online 12:17:58 svc:/network/ftp:default
Create a new user who can access the server only via FTP:
#useradd -g other -d /export/home/sltftp -m -s /bin/ftponly -c "ftp only user account for ftp backup" sltftp
other: This is the group that by default will own any files or processes created by this user. If this user attempts to access a file and the group of that file is the user's primary group, then the group permissions for that file will apply (unless the user is the owner of the file). (Not necessary.)
/export/home/sltftp: A user's home directory typically contains all the files owned by that user. When a user logs in, he will be placed in his home directory and scripts like .cshrc or .profile will be run.
/bin/ftponly: When a user logs in via telnet or at the console, or opens an xterm window in X, the user's shell program is run to interpret the commands entered. If a user does not have a valid shell program, or has one that does nothing (like /bin/false), then that user will not be able to log in. This can be useful when creating users who can only read and send email.
"ftp only user account for ftp backup": The real, human-readable name of this user.
sltftp: The login name of this user. This must be unique.
Enter a password for the newly created user (otherwise it remains blank):
# passwd sltftp
New Password:
Re-enter new Password:
passwd: password successfully changed for sltftp
Verify the user creation:
# cat /etc/passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
...
sltftp:x:1000:10:ftp only user account for ftp backup:/export/home/sltftp:/bin/ftponly
1000: The user ID, or UID, is what the system really uses to enforce permissions on files and processes. If two users have the same UID, they will be able to access each other's files, so every user should have a unique UID.
Create the file /etc/shells (by default this file is not present on the system):
# cat /etc/shells
/etc/shells: No such file or directory
Add this line: /bin/ftponly
# vi /etc/shells
/bin/bash
/bin/csh
/bin/gnome-autogen.sh
/bin/hash
/bin/jsh
/bin/ksh
/bin/pfcsh
/bin/pfksh
/bin/pfsh
/bin/remsh
/bin/rksh
/bin/rsh
/bin/sh
/bin/ssh
/bin/tcsh
/bin/zsh
/bin/ftponly
And save it: Esc -> :wq!
Try to telnet using this user and check the accessibility:
login: sltftp
Password:
Last login: Wed Jun 26 12
No shell
Connection to host lost.
You can also create the /bin/ftponly file as a small script that echoes whatever you want to display when the user tries to log in. It needs a #!/bin/sh line and execute permission, otherwise login(1) cannot run it and the user just sees "No shell" as above:
# printf '#!/bin/sh\necho "This account only allows FTP Access!"\n' > /bin/ftponly
# chmod 755 /bin/ftponly
After that, when the user tries to log in via telnet, it shows this:
login: sltftp
Password:
Last login: Wed Jun 26 12
This account only allows FTP Access!
Connection to host lost.
Limiting access rights for the ftp user by editing the ftpaccess file located in /etc/ftpd/:
#vi ftpaccess
# ident "@(#)ftpaccess 1.2 03/05/14 SMI"
#
# FTP server configuration file, see ftpaccess(4).
#
class realusers real *
class guestusers guest *
class anonusers anonymous *
loginfails 3
passwd-check trivial warn
private no
shutdown /etc/ftpd/shutdown.msg
# email user@hostname
# guestuser username
# rhostlookup no
keepalive yes
recvbuf 65536 real,guest,anonymous
sendbuf 65536 real,guest,anonymous
# flush-wait no anonymous
# passive ports 0.0.0.0/0 32768 65535
# timeout data 600
# timeout idle 300
banner /etc/ftpd/banner.msg
greeting brief
message /etc/ftpd/welcome.msg login
message .message cwd=*
readme README* login
readme README* cwd=*
# quota-info *
chmod no anonymous,guest
delete no anonymous,guest
overwrite no anonymous,guest
rename no anonymous,guest
umask no anonymous,guest
compress yes realusers guestusers anonusers
tar yes realusers guestusers anonusers
path-filter anonymous,guest /etc/ftpd/filename.msg ^[[:alnum:]._-]*$ ^[.-]
noretrieve relative class=anonusers /
allow-retrieve relative class=anonusers /pub
upload class=guestusers * * no nodirs
upload class=anonusers * * no nodirs
# upload class=anonusers * /incoming yes ftpadm ftpadm 0440 nodirs
# log commands real,guest,anonymous
# log security real,guest,anonymous
# log transfers real,guest,anonymous inbound,outbound
# xferlog format %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc %Xs %Xr
# limit-time anonymous 30
# limit anonusers 10 Wk0730-1800 /etc/ftpd/toomany.msg
# limit anonusers 50 SaSu|Any1800-0730 /etc/ftpd/toomany.msg
guestuser sltftp ftptest
log commands anonymous,guest
Save the changes: Esc -> :wq!
We create this user under the guest list. Define the sltftp user as a guest:
guestuser sltftp ftptest
Create a class for guest users:
The WU-FTP server allows you to classify users based on the address they log in from and their user type. The three user types are:
Unix - Normal users on your system.
Guest - Unix users who have been classified as guests.
Anonymous - Logins by the anonymous or ftp user, if allowed on your system.
The class section of ftpaccess allows you to define named classes, based on user types and source addresses. Every login is classified into the first matching class, so classes should be ordered from the most to the least specific. The matching addresses for each class can be full or partial IP addresses, IP networks/netmasks, hostnames, host wildcards (like *.foo.com) or the absolute paths to files containing additional addresses. Any type of address can be preceded with a ! to negate it.
class guestusers guest *
Limiting access rights for guest users (this will affect all guest users):
chmod no anonymous,guest
delete no anonymous,guest
overwrite no anonymous,guest
rename no anonymous,guest
umask no anonymous,guest
Put a login banner to display when logging in:
message /etc/ftpd/welcome.msg login
#vi /etc/ftpd/welcome.msg
***************************
Welcome to ftp Server
Authorized access only!
***************************
Save it: Esc -> :wq!
There is no need to restart the ftp server for the changes to take effect. To restart the ftp process anyway:
#svcadm restart svc:/network/ftp:default
Done!
Now check the ftp user from a Windows client:
C:\Windows\system32>ftp 172.16.0.3
Connected to 172.16.0.3.
220 NTU-DR-EMS FTP server ready.
User (172.16.0.3:(none)): sltftp
331 Password required for sltftp.
Password:
230 User sltftp logged in. Access restrictions apply.
Try to upload some files:
ftp> mput
Local files C:\Users\Daraka\Desktop\test.txt
mput C:\Users\Daraka\Desktop\test.txt?
200 PORT command successful.
553 test.txt: Permission denied on server.
(Upload)
The user can only download from the server.
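As an added check that is not part of the original post, the following script audits the three files this procedure edits (the passwd file, /etc/shells and ftpaccess, given as paths so it can be run on copies) and reports whether an account really is FTP-only with read-only guest access; the sample files it writes are constructed to mirror the post's configuration, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): audit that an account is truly
# "FTP-only" by checking the three files the post edits. Paths are arguments
# so it works on copies or on the live /etc/passwd, /etc/shells and
# /etc/ftpd/ftpaccess. Returns 0 only when every check passes.
check_ftponly_user() {
  user=$1 passwd=$2 shells=$3 ftpaccess=$4 rc=0
  entry=$(grep "^$user:" "$passwd") || { echo "FAIL: $user not in $passwd"; return 1; }
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)
  # 1. Login shell is the stub, and the stub is listed in /etc/shells
  #    (ftpd refuses logins for shells that are not listed there).
  [ "$shell" = /bin/ftponly ] || { echo "FAIL: shell is '$shell'"; rc=1; }
  grep -qx /bin/ftponly "$shells" || { echo "FAIL: /bin/ftponly not in $shells"; rc=1; }
  # 2. The user is named on a guestuser line, so the guest rules apply to it.
  awk -v u="$user" '$1=="guestuser"{for(i=2;i<=NF;i++) if($i==u) f=1} END{exit !f}' \
    "$ftpaccess" || { echo "FAIL: $user is not a guestuser"; rc=1; }
  # 3. Each destructive command is switched off for the guest type.
  for cmd in chmod delete overwrite rename umask; do
    awk -v c="$cmd" '$1==c && $2=="no" && $3 ~ /(^|,)guest(,|$)/ {f=1} END{exit !f}' \
      "$ftpaccess" || { echo "FAIL: '$cmd no ... guest' missing"; rc=1; }
  done
  # 4. Uploads are denied for the guest class (the post's class is guestusers).
  awk '$1=="upload" && $2=="class=guestusers" {for(i=3;i<=NF;i++) if($i=="no") f=1}
       END{exit !f}' "$ftpaccess" || { echo "FAIL: uploads not denied for guestusers"; rc=1; }
  [ $rc -eq 0 ] && echo "OK: $user is FTP-only with read-only guest access"
  return $rc
}

# Constructed sample files mirroring the post's configuration (not real data).
write_sample_config() {  # $1 = directory to write into
  printf 'root:x:0:0:Super-User:/:/sbin/sh\n' > "$1/passwd"
  printf 'sltftp:x:1000:10:ftp only user:/export/home/sltftp:/bin/ftponly\n' >> "$1/passwd"
  printf '/bin/sh\n/bin/ksh\n/bin/ftponly\n' > "$1/shells"
  cat > "$1/ftpaccess" <<'EOF'
class realusers real *
class guestusers guest *
class anonusers anonymous *
chmod no anonymous,guest
delete no anonymous,guest
overwrite no anonymous,guest
rename no anonymous,guest
umask no anonymous,guest
upload class=guestusers * * no nodirs
guestuser sltftp ftptest
log commands anonymous,guest
EOF
}

dir=$(mktemp -d)
write_sample_config "$dir"
check_ftponly_user sltftp "$dir/passwd" "$dir/shells" "$dir/ftpaccess"
```

Run it against copies of the live files after editing; any FAIL line names the setting that still lets the account do more than read.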