rwmira01@ulkyvx.bitnet (Rob Miracle) (02/22/91)
Good Day!  I know this question has been asked here before, but since I have
just started recently reading these groups I thought I would ask.
I am trying to set up an anonymous FTP account on my AT&T box.  We are running
System V R 3.2.2 from AT&T and the AT&T ENHANCED TCP/IP WIN/386 package
(Wollongong).  In the Installation and Administration Guide it says:
"If the username is "anonymous" or "ftp" and an "anonymous" account is present
in /etc/passwd, the user is allowed to log in by specifying any password.  Since
anyone can log in under "anonymous," it is wise to restrict the access
privileges of this account."
Problem #1, AT&T SVR3.2.2 only allows 8 character file names, thus "anonymous"
can not be created.  By hand editing /etc/passwd and /etc/shadow, I added the
account as:   anonymous:x:1000:100:FTP Anonymous Account:
and put the proper entry in /etc/shadow.  Now I can FTP to a real account and
it works find (had to get that one out).  When I try to login, it barfs saying
that it can't login to anonymous.  I try various tricks, such as logging in as
ftp and anonymou but to no avail.  I try the next logical thing.  I remove the
anonymous account and add an account called ftp.  Now I can log in, but any
access other than CD barfs with a message:
PORT 136,165,2,12,8,17
200 PORT command okay
NLST
425 Data Socket not created [0.0.0.0,0]
(This is from a VMS host), and from a unix host:
200 PORT command okay
425 Data Socket not created [0.0.0.0,0]
Now I can log in as a real person and it works.  CD commands seem to work fine,
but I can't test them beyond not getting an error message.  I tried it with and
without a password of the ftp account.
Problem #2  It seems that the CD command can get anywhere on the system.  How
do I restrict it to just the tree that I want it in?
Thanks in Advance
Rob 
-- 
Rob Miracle              | Bitnet   : RWMIRA01@ULKYVX    CIS: 74216,3134
Programmer/Analyst-II    | INTERNET : rwmira01%ulkyvx.bitnet@cunyvm.cuny.edu
University of Louisville | UUCP     : ...psuvax1!ulkyvx.bitnet!rwmira01
"Revenge is a dish best served cold.  It is very cold in space" 
       -- Ancient Klingon Proverb

stu@gtisqr.uucp (Stu Donaldson) (03/06/91)
In article <1991Feb21.211534.772@ulkyvx.bitnet> rwmira01@ulkyvx.bitnet (Rob Miracle) writes:
>"If the username is "anonymous" or "ftp" and an "anonymous" account is present
>in /etc/passwd, the user is allowed to log in by specifying any password.  Since
>anyone can log in under "anonymous," it is wise to restrict the access
>privileges of this account."

I used the account 'ftp' since it wouldn't have the problem.  With this,
both 'anonymous' and 'ftp' work as logins.

>anonymous account and add an account called ftp.  Now I can log in, but any
>access other than CD barfs with a message:
>
>PORT 136,165,2,12,8,17
>200 PORT command okay
>NLST
>425 Data Socket not created [0.0.0.0,0]

I had the same problem.  It doesn't tell you that there are a few other
files that you need to have in the ~ftp account.

~ftp/bin
        ls      needed for the NLST or LIST commands in ftp to work.
        pwd     needed to get the current working directory

~ftp/dev
        null
        tcp     # needed so the socket call within ftp can work.
        udp     # probably not needed, but I added it when I added tcp

~ftp/etc
        group   # needed for group id to show up in the dir command.
        passwd  # needed for login id to show up in the dir command.

~ftp/shlib
        libc_s  # surprise, /bin/ls uses the shared library so this
                # is required.

shlib:
total 54
-rwxr-xr-x   1 root     other      26236 Feb 27 10:47 libc_s*

>Problem #2  It seems that the CD command can get anywhere on the system.  How
>do I restrict it to just the tree that I want it in?

ftpd will automatically do a chroot to the new directory, thus preventing
you from using CD to get to directories above ~ftp.

>Thanks in Advance
>Rob
>--
>Rob Miracle              | Bitnet   : RWMIRA01@ULKYVX    CIS: 74216,3134
>Programmer/Analyst-II    | INTERNET : rwmira01%ulkyvx.bitnet@cunyvm.cuny.edu
>University of Louisville | UUCP     : ...psuvax1!ulkyvx.bitnet!rwmira01
>"Revenge is a dish best served cold.  It is very cold in space"
>       -- Ancient Klingon Proverb

-----------------------------------------------------------------------
Stu Donaldson           "Can't you understand what I'm saying?"
stu@mav.com             "What did you do, fail telepathy?"

stu@gtisqr.uucp (Stu Donaldson) (03/06/91)
In article <1991Feb21.211534.772@ulkyvx.bitnet> rwmira01@ulkyvx.bitnet (Rob Miracle) writes:
>Problem #1, AT&T SVR3.2.2 only allows 8 character file names, thus "anonymous"
>can not be created.  By hand editing /etc/passwd and /etc/shadow, I added the
>account as:   anonymous:x:1000:100:FTP Anonymous Account:

I used the account 'ftp' since it wouldn't have the problem.  With this,
both 'anonymous' and 'ftp' work as logins.

>anonymous account and add an account called ftp.  Now I can log in, but any
>access other than CD barfs with a message:
>
>PORT 136,165,2,12,8,17
>200 PORT command okay
>NLST
>425 Data Socket not created [0.0.0.0,0]

I had the same problem.  It doesn't tell you that there are a few other
files that you need to have in the ~ftp account.

~ftp/bin
        ls      needed for the NLST or LIST commands in ftp to work.
        pwd     needed to get the current working directory

~ftp/dev
        null
        tcp     # needed so the socket call within ftp can work.
        udp     # probably not needed, but I added it when I added tcp

~ftp/etc
        group   # needed for group id to show up in the dir command.
        passwd  # needed for login id to show up in the dir command.

~ftp/shlib
        libc_s  # surprise, /bin/ls uses the shared library so this
                # is required.

shlib:
total 54
-rwxr-xr-x   1 root     other      26236 Feb 27 10:47 libc_s*

>Problem #2  It seems that the CD command can get anywhere on the system.  How
>do I restrict it to just the tree that I want it in?

ftpd will automatically do a chroot to the new directory, thus preventing
you from using CD to get to directories above ~ftp.

>Thanks in Advance
>Rob
>--
>Rob Miracle              | Bitnet   : RWMIRA01@ULKYVX    CIS: 74216,3134
>Programmer/Analyst-II    | INTERNET : rwmira01%ulkyvx.bitnet@cunyvm.cuny.edu
>University of Louisville | UUCP     : ...psuvax1!ulkyvx.bitnet!rwmira01
>"Revenge is a dish best served cold.  It is very cold in space"
>       -- Ancient Klingon Proverb

-----------------------------------------------------------------------
Stu Donaldson           "Can't you understand what I'm saying?"
stu@mav.com             "What did you do, fail telepathy?"

stu@gtisqr.uucp (Stu Donaldson) (03/06/91)
In article <1991Feb21.211534.772@ulkyvx.bitnet> rwmira01@ulkyvx.bitnet (Rob Miracle) writes:
>Problem #1, AT&T SVR3.2.2 only allows 8 character file names, thus "anonymous"
>can not be created.  By hand editing /etc/passwd and /etc/shadow, I added the
>account as:   anonymous:x:1000:100:FTP Anonymous Account:

I used the account 'ftp' since it wouldn't have the problem.  With this,
both 'anonymous' and 'ftp' work as logins.

>anonymous account and add an account called ftp.  Now I can log in, but any
>access other than CD barfs with a message:
>
>PORT 136,165,2,12,8,17
>200 PORT command okay
>NLST
>425 Data Socket not created [0.0.0.0,0]

I had the same problem.  It doesn't tell you that there are a few other
files that you need to have in the ~ftp account.  This is for Interactive
Systems 2.0.2, your mileage may vary.

~ftp/bin
        ls      needed for the NLST or LIST commands in ftp to work.
        pwd     needed to get the current working directory

~ftp/dev
        null    # may not be needed, but I added it while trying to fix
                # the problem.
        tcp     # needed so the socket call within ftp can work.
        udp     # probably not needed, but I added it when I added tcp

        Note that these files in the ~ftp/dev directory will need to be
        actual devices.  Therefore, you will need to either link to the
        real /dev/* files, or use mknod to create them.

~ftp/etc
        group   # needed for group id to show up in the dir command.
        passwd  # needed for login id to show up in the dir command.

~ftp/shlib
        libc_s  # surprise, /bin/ls uses the shared library so this
                # is required.

>Problem #2  It seems that the CD command can get anywhere on the system.  How
>do I restrict it to just the tree that I want it in?

ftpd will automatically do a chroot to the new directory, thus preventing
you from using CD to get to directories above ~ftp.

>Thanks in Advance
>Rob
>--
>Rob Miracle              | Bitnet   : RWMIRA01@ULKYVX    CIS: 74216,3134
>Programmer/Analyst-II    | INTERNET : rwmira01%ulkyvx.bitnet@cunyvm.cuny.edu
>University of Louisville | UUCP     : ...psuvax1!ulkyvx.bitnet!rwmira01
>"Revenge is a dish best served cold.  It is very cold in space"
>       -- Ancient Klingon Proverb

-----------------------------------------------------------------------
Stu Donaldson           "Can't you understand what I'm saying?"
stu@mav.com             "What did you do, fail telepathy?"
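
Added example (not part of either poster's message): a shell function that
checks a ~ftp tree against the file list in the reply above, including the
requirement that the dev entries be actual device nodes.  The finding labels,
the choice to treat only dev/tcp as mandatory, and the password-field check on
the ~ftp/etc/passwd copy are assumptions of this example, not statements from
the thread.

```sh
#!/bin/sh
# Added example: audit an anonymous-FTP tree against the layout in the reply.
# Usage: audit_ftp_root /home/ftp   (one finding per line; non-zero if any)
audit_ftp_root() {
    root=$1
    findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    # Files that must exist inside the tree: after ftpd's chroot, ls and pwd
    # cannot reach anything outside it, including the shared C library.
    for f in bin/ls bin/pwd etc/group etc/passwd shlib/libc_s; do
        [ -f "$root/$f" ] || note "MISSING $f"
    done
    for f in bin/ls bin/pwd; do
        if [ -f "$root/$f" ] && [ ! -x "$root/$f" ]; then
            note "NOT-EXECUTABLE $f"
        fi
    done

    # dev entries must be real device nodes (mknod or a hard link).  A
    # symlink to the real /dev cannot be followed from inside the chroot.
    # Assumption: only tcp is mandatory; null and udp are checked if present.
    for dev in tcp null udp; do
        p=$root/dev/$dev
        if [ -L "$p" ]; then
            note "SYMLINK dev/$dev"
        elif [ ! -e "$p" ]; then
            if [ "$dev" = tcp ]; then note "MISSING dev/$dev"; fi
        elif [ ! -c "$p" ] && [ ! -b "$p" ]; then
            note "NOT-A-DEVICE dev/$dev"
        fi
    done

    # Check added here, not from the thread: the passwd copy is readable by
    # every anonymous user, so its password field should hold no hash.
    if [ -f "$root/etc/passwd" ]; then
        while IFS=: read -r name pw rest; do
            case $pw in
                ''|x|'*') ;;
                *) note "HASH-IN-PASSWD $name" ;;
            esac
        done < "$root/etc/passwd"
    fi
    [ "$findings" -eq 0 ]
}

if [ $# -gt 0 ]; then audit_ftp_root "$1"; fi
```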