Securing the FTP service on HP-UX: Anonymous FTP and a Restricted FTP Account
By Chris Wong

This last article in our series on the FTP service focuses on two areas. The first is anonymous FTP, which lets a client use the FTP service without being validated. The second is the creation of a restricted FTP account, which does not exist by default.

Anonymous FTP is used when the client accessing the FTP service does not have a user account on the system. Anonymous FTP allows any client with access to the service to be authenticated without a password. The account name used by the client is either anonymous or ftp. The actual account name created on the system is ftp. The entry in the password file should look like the following:

ftp:*:500:1:Anonymous FTP user:/home/ftp:/usr/bin/false

It is important that the login shell is “false” and the password field contains the “*” character. This prevents the ftp account from being used to log in to a shell. When the FTP user successfully connects to the service using either ftp or anonymous, a chroot is executed. A chroot changes the root directory for the user. In this case, the root – or top – directory for the anonymous FTP user becomes /home/ftp. The user cannot see or access any files outside this new root directory. This is very important, since this user is anonymous and should not have access to any other files.

Since the anonymous FTP user has no access to files other than those found in the new root directory, the commands and files this user needs must be placed within the new root directory structure. This is why the FTP directory structure contains a bin and an etc directory. In HP-UX the bin directory is located under the usr directory. The permissions on the directories in the anonymous FTP structure are very important. The following table shows the correct ownership and permissions for the various FTP directories.

Directory            Owner   Group   Mode
/home/ftp            root    other   555
/home/ftp/dist       root    other   555
/home/ftp/etc        root    other   555
/home/ftp/pub        ftp     other   755 or 1733 (default 777)
  (only if needed)
/home/ftp/usr        root    other   555
/home/ftp/usr/bin    root    other   555

Earlier HP documentation erroneously states that the owner of the /home/ftp directory should be ftp. If ftp owns this directory, the anonymous user could change its permissions to give themselves write access. Within the directory they could then place a .rhosts file, and once the .rhosts file is in place they could use rlogin to obtain a shell prompt. Several circumstances must exist for this to happen, but the lesson is that the owner of the /home/ftp directory should be root.

None of the directories should have write access, except potentially the pub directory. The pub directory should have write access only if you are allowing anonymous users to put files on the system. If you allow anonymous users to put files on the system, be warned that they could potentially use your system for other purposes, such as distributing software or pornography. If you allow anonymous users to put files on your system, it is imperative that you create /home/ftp on its own logical volume. This protects the /home directory from becoming full. Quotas could be implemented, but making /home/ftp its own logical volume is easier and safer.

The /home/ftp/etc directory holds several files, one of which is named passwd. Since clients connecting to the system are not authenticated, it is extremely important that this passwd file contain only the required entries (that is, the entry for the ftp user). If this file contains entries with user names and hashed passwords, you should immediately remove them, force all users to change their passwords, and look for suspicious activity on your system.

Restricted FTP Access

What if you want a user to authenticate themselves, but not have access to a login prompt, and you don't want them to be able to explore the system outside their own directory? This is a restricted FTP user. In our example, a user called bob is created. The steps for creating a restricted FTP user are almost identical to those for setting up anonymous FTP.

  1. Create a group called ftponly in the /etc/group file.
  2. Create a new user (bob) who is a member of the ftponly group. The shell for this user should be /usr/bin/false. The restricted FTP user has two portions in the "home directory" field of /etc/passwd. The first portion represents what will become this user's root (/). The second portion is the directory they will automatically be placed in when they FTP in. In the following example, bob will actually be in "/home/bob", but to bob it will only look like "/". When bob FTPs in, he will be placed in /pub, which is really /home/bob/pub.

     bob:(password):802:108:,,,:/home/bob/./pub/:/usr/bin/false

  3. Create the directory structure. This is identical to that of anonymous FTP except that the "pub" directory has a different owner.

Directory            Owner   Group              Mode
/home/bob            root    other              555
/home/bob/dist       root    other              555
/home/bob/etc        root    other              555
/home/bob/pub        bob     ftponly or other   755 or 1733 (default 777)
  (only if needed)
/home/bob/usr        root    other              555
/home/bob/usr/bin    root    other              555

  4. Copy /sbin/ls into the restricted FTP user's /usr/bin directory.
  5. Copy /etc/passwd and /etc/group into the restricted FTP user's /etc directory.
  6. Edit the copied passwd file so that only root and the user's ID are listed. If the system is not trusted, replace the hashed password with a "*".
  7. Edit the copied group file so that only other and ftponly are listed.
  8. Make sure the false shell is listed in /etc/shells:

     /usr/bin/sh
     /sbin/sh
     /usr/bin/false

  9. Double check the permissions on the directories and files:

     ctg700#: ll -d /home/bob
     dr-xr-xr-x   6 root  other  1024 Apr  4 08:45 /home/bob

     ctg700#: ll -R /home/bob
     total 0
     dr-xr-xr-x   2 root  other           96 Apr  4 08:21 dist
     dr-xr-xr-x   2 root  other           96 Apr  4 09:13 etc
     drwxr-xr-x   2 bob   ftponly         96 Apr  4 08:20 pub
     dr-xr-xr-x   3 root  other           96 Apr  4 08:18 usr

     /home/bob/dist:
     total 0

     /home/bob/etc:
     total 4
     -r--r--r--   1 root  other           46 Apr  4 09:13 group
     -r--r--r--   1 root  other           77 Apr  4 08:46 passwd

     /home/bob/pub:
     total 0

     /home/bob/usr:
     total 0
     dr-xr-xr-x   2 root  other           96 Apr  4 08:38 bin

     /home/bob/usr/bin:
     total 560
     -r-xr-xr-x   1 root  other       286720 Apr  4 08:38 ls

 10. If the entry in inetd.conf is not already using the ftpaccess file, update it so that it is:

     ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a etc/ftpd/ftpaccess

     Please read articles #1 and #2 for details on configuring the ftpaccess file.

     Remember to force inetd to re-read the config file (inetd -c).

 11. If you don't have a /etc/ftpd/ftpgroups file, create one:

     touch /etc/ftpd/ftpgroups

 12. Edit the ftpaccess file to make sure a line is included that points to the same group name you assigned to your restricted FTP user:

     # specify which group of users will be treated as "guests".
     guestgroup ftponly

 13. Optionally, change the logging settings in the ftpaccess file to include guest users. The restricted FTP user is considered a guest user.

     log commands real,guest
     log transfers anonymous,real,guest inbound,outbound
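As an added example (not from the article), the following POSIX shell functions audit a chroot tree against the layout and modes given in both tables above: they split a guest entry's home field at "/./", check the chroot copy of passwd for stray entries or real hashes, and verify the owner and write bits of each directory. The expected owner of the read-only directories is a parameter (root on a live system), so the same check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the article: audit an anonymous or restricted FTP
# chroot tree against the layout and modes the article prescribes.
# Assumptions: $1 is the chroot root (e.g. /home/bob), $2 the FTP user and
# $3 the expected owner of the read-only directories (root on a live box).

# Split a guest entry's home field at "/./": the left part becomes the
# user's root, the right part the directory the user lands in.
split_home() {
    case "$1" in
        */./*) _d=${1#*/./}; printf '%s %s\n' "${1%%/./*}" "/${_d%/}" ;;
        *)     printf '%s %s\n' "${1%/}" "/" ;;
    esac
}

# Return 0 only if every entry in the chroot copy of passwd is root or the
# FTP user and carries "*" in the password field instead of a hash.
audit_chroot_passwd() {
    _ok=0
    while IFS=: read -r _name _pw _rest; do
        [ "$_name" = root ] || [ "$_name" = "$2" ] || _ok=1
        [ "$_pw" = '*' ] || _ok=1
    done < "$1"
    return $_ok
}

# Owner and the 10-character mode string of a path, via ls -ld (works on
# HP-UX, which has no stat(1)).
owner_of() { ls -ld "$1" | awk '{print $3}'; }
mode_of()  { ls -ld "$1" | cut -c1-10; }

# Return 0 only if root, dist, etc, usr and usr/bin exist, are owned by $3
# and carry no write bit (mode 555), and pub, if present, is owned by $2
# and is not world-writable unless the sticky bit is set (the 1733 option).
audit_tree() {
    _root=$1 _user=$2 _owner=$3 _ok=0
    for _d in "" /dist /etc /usr /usr/bin; do
        _p="$_root$_d"
        [ -d "$_p" ] || { _ok=1; continue; }
        [ "$(owner_of "$_p")" = "$_owner" ] || _ok=1
        case "$(mode_of "$_p")" in d?w???????|d????w????|d???????w?) _ok=1 ;; esac
    done
    if [ -d "$_root/pub" ]; then
        [ "$(owner_of "$_root/pub")" = "$_user" ] || _ok=1
        case "$(mode_of "$_root/pub")" in d???????wt) ;; d???????w?) _ok=1 ;; esac
    fi
    return $_ok
}
```

On the system from the article, `audit_tree /home/bob bob root && audit_chroot_passwd /home/bob/etc/passwd bob` returns 0 only when the tree matches the table and the copied passwd holds just root and bob with "*" in place of hashes.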

Let's give it a try:

ftp ctg700
Connected to ctg700.cerius.com.
220 ctg700.cerius.com FTP server (Version 1.1.214.4(PHNE_23950) Tue May 22 05:49:01 GMT 2001) ready.
Name (ctg700:root): bob
331 Password required for bob.
Password:
230 User bob logged in.  Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/pub" is current directory.
ftp> cd ./
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 0
dr-xr-xr-x   2 root  other           96 Apr  4 08:21 dist
dr-xr-xr-x   2 root  other           96 Apr  4 09:13 etc
drwxr-xr-x   2 bob   ftponly         96 Apr  4 08:20 pub
dr-xr-xr-x   3 root  other           96 Apr  4 08:18 usr
226 Transfer complete.
ftp> cd pub
250 CWD command successful.
ftp> put myfile
200 PORT command successful.
150 Opening BINARY mode data connection for myfile.
226 Transfer complete.
16 bytes sent in 0.00 seconds (56.61 Kbytes/s)
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 2
-rw-r-----   1 bob        ftponly         16 Apr  4 09:27 myfile
226 Transfer complete.
ftp>

That's it!

Chris Wong is a technical consultant and trainer. She is the author of the HP Press book HP-UX 11i Security.  http://newfdawg.com

All Rights Reserved, Copyright 2000 - 2002, TechTarget