Securing FTP/iX

The FTPACCES file implements two different FTP restrictions. The first is the NORETRIEVE option, which prevents the FTP user from retrieving any of the listed files. The second is the CHROOT option, which confines a user to a specified location in the FTP server's directory structure. The FTPACCES file is not created automatically, so the FTP/iX default is to impose no extra restrictions on any file for any user.
General Configuration rules for FTPACCES
• Leading or trailing white-space characters are ignored.
• The FTPACCES file supports only three types of entries: chroot, noretrieve and # (comment). Lines that do not start with one of the three keywords chroot, noretrieve or '#' are treated as invalid entries and are silently ignored.
• Comments are introduced by the hash (#) character and must start a new line.
• Users with SM capability (such as MANAGER.SYS) are not restricted by the FTPACCES configuration.
• Any change to the FTPACCES file takes effect at the next FTP login session.
6.2.1 Configuring the FTPACCES "NORETRIEVE" option
Syntax: noretrieve Name1 Name2 Name3, where name can be an absolute pathname, a single file name, or a directory name. Multiple noretrieve options are supported on separate records in the FTPACCES file.
Sample configuration file FTPACCES.ARPA.SYS:
# Purpose: support of the NORETRIEVE and CHROOT FTP/iX options.
# NORETRIEVE denies access to the listed files.
# CHROOT confines the user to the specified root directory.
# Syntax: NORETRIEVE name1 name2 name3 where name can be an absolute pathname, a simple
# file name or a directory name.
# Syntax: CHROOT user.account [rooted-directory], one entry per file record. User.Account can contain
# the "@" wildcard character.
#
# Leading and trailing spaces have no effect.
# All the entries are case sensitive. MPE file names should be in uppercase only.
# Restrict users from retrieving the STRACE file from NET.SYS
noretrieve /SYS/NET/STRACE
# Restrict users from retrieving all the files from PUB.SYS
noretrieve /SYS/PUB/
# Restrict users from retrieving the file TMPTRACE located anywhere on the system
noretrieve TMPTRACE
6.2.2 Specific configuration rules for NORETRIEVE option
The "FTPACCES" file-access configuration file has an exclusion list of files that are otherwise accessible with the FTP GET and MGET commands.
• The syntax of the "noretrieve" option is: noretrieve {file}|{/directory/file}|{/directory/}|{repeat}
• The following three formats of the "noretrieve" option are supported in FTPACCES.ARPA.SYS:
noretrieve /file1 /dir/file2 /dir/dir/file3 /ACCT/GROUP/FILE4
noretrieve file5 File6 FILE7
noretrieve /dir/ /dir/dir/ /ACCT/ /ACCT/GROUP/
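As an added illustration, not part of the HP paper, the following Python script applies the FTPACCES parsing and matching rules described above to a constructed sample file: case-sensitive keywords, surrounding white space ignored, and the three noretrieve forms (absolute pathname, directory ending in "/", simple file name anywhere on the system). It assumes the directory form covers every path beneath that directory, and it reports records the server would silently ignore, so a mistyped keyword does not quietly leave a file retrievable.

```python
# Constructed FTPACCES contents for this demonstration (not from the paper).
# Line 5 uses an uppercase keyword, which the case-sensitive parser skips.
SAMPLE_FTPACCES = """\
# Purpose: demonstrate NORETRIEVE and CHROOT parsing.
noretrieve /SYS/NET/STRACE
noretrieve /SYS/PUB/
noretrieve TMPTRACE
NORETRIEVE /DEV/DATA/PAYROLL
   noretrieve /ACCT/GROUP/FILE4   
chroot USER.ACCT /ACCT/GROUP
"""

def parse_ftpacces(text):
    """Return (noretrieve_names, chroot_entries, ignored_lines); the last
    lists (line number, text) of records the server would silently skip."""
    names, chroots, ignored = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()              # surrounding white space has no effect
        if not line or line.startswith("#"):
            continue                    # blank line or comment
        fields = line.split()
        if fields[0] == "noretrieve":   # keywords are case sensitive
            names.extend(fields[1:])
        elif fields[0] == "chroot":
            chroots.append(tuple(fields[1:]))
        else:
            ignored.append((lineno, raw))
    return names, chroots, ignored

def is_retrievable(path, names):
    """Decide whether an absolute HFS path may be fetched with GET/MGET.
    Forms: absolute pathname (exact match), directory ending in '/' (assumed
    to cover every path beneath it), simple file name (matches that name
    anywhere on the system). All comparisons are case sensitive."""
    basename = path.rsplit("/", 1)[-1]
    for name in names:
        if name.startswith("/"):
            if name.endswith("/"):
                if path.startswith(name):
                    return False        # directory form
            elif path == name:
                return False            # absolute pathname form
        elif name == basename:
            return False                # simple file name form
    return True

def lint_ftpacces(text):
    """Report records that would be silently ignored, one message per line."""
    _, _, ignored = parse_ftpacces(text)
    return [f"line {n}: ignored (unknown keyword): {t.strip()}" for n, t in ignored]
```

Running lint_ftpacces over a real FTPACCES before relying on it is the check this page's "silently ignored" rule calls for; an empty report means every record was recognised.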
Page 10 of 28 | Secure FTP on MPE/iX | 7/18/2008 | http://jazz.external.hp.com/papers/Securing - - Whitepaper.html