Securing FTP/iX

The syntax of the chroot option is:
chroot {user}|{@}.{account}|{@} {empty}|{/ACCT/GROUP}|{/directory}
Sample configuration file FTPACCES.ARPA.SYS for CHROOT:
# Purpose: support of the CHROOT FTP/iX option.
# CHROOT confines the user to the specified rootdirectory.
# Syntax: CHROOT user.account [rooted-directory]
# One entry per file record. User.Account can contain the “@” wildcard character.
# Note: The following precedence is followed: user.acct > @.acct > user.@ > @.@.
# Leading and trailing spaces have no effect
# User name is case insensitive while the rooted directory name is case sensitive.
chroot Testmgr.@ /SYS/INSTALL
chroot @.TELESUP /TELESUP/WORK
6.2.5 Specific Configuration Rules for the CHROOT option
This option is available when FTPACCES.ARPA.SYS exists and contains one or more CHROOT entries. A CHROOT entry can be
specified in any of the following eight formats:
a) chroot user.acct root_dir - The specified user is chroot'd to root_dir.
b) chroot user.acct - The specified user is chroot'd to the home group.
c) chroot @.acct root_dir - All the users of the specified account are chroot'd to root_dir.
d) chroot @.acct - All the users of the specified account are chroot'd to their home group.
e) chroot user.@ root_dir - FTP user of any account is chroot'd to root_dir.
f) chroot user.@ - FTP user of any account is chroot'd to the home group.
g) chroot @.@ root_dir - All users are chroot'd to root_dir.
h) chroot @.@ - All users are chroot'd to their home group.
• The user logon parameter of the chroot entry must be specified in the MPE USER.ACCT notation and wildcards except '@' are not allowed; '@' can be used only in these three formats: '@.@' or '@.acct' or 'user.@' but not for matching patterns like 'use@.acct' or 'user.@acct'.
• The root directory specification of a chroot entry must be in the POSIX HFS notation (and not in the traditional MPE FILE.GROUP.ACCOUNT syntax) as an absolute pathname from the system root ("/"). As done within the MPE/iX POSIX shell, all traditional MPE groups must be specified in HFS syntax (/ACCOUNT/GROUP), in uppercase only.
• The root directory specification is case sensitive irrespective of whether it is in the MPE name space or in the HFS name space.
• The precedence of the above mentioned eight chroot formats is: a>b>c>d>e>f>g>h, irrespective of their order of occurrence in the FTPACCES file.
• CHROOT settings override the group name specification in ftp logon (user.acct,group) and the user's configured MPE home group.
• Invalid parameters in a chroot entry are reported in FTPLOG.ARPA.SYS as an invalid entry. This is done when
Page 12 of 28 - Secure FTP on MPE/iX - 7/18/2008 - http://jazz.external.hp.com/papers/Securing - - Whitepaper.html
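The eight CHROOT formats and the configuration rules above (whole-component '@' wildcards only, absolute HFS root directory, case-insensitive user name, precedence a>b>c>d>e>f>g>h regardless of file order, home group when no directory is given) can be checked against a configuration before it is deployed. The following is an added example, not FTP/iX code from HP or from the whitepaper: it parses constructed FTPACCES.ARPA.SYS-style records, flags the entries FTP/iX would report to FTPLOG.ARPA.SYS as invalid, and resolves the effective root directory for a logon. The MPE name shape (a letter followed by up to seven letters or digits), the treatment of '#' only at the start of a record as a comment, and the ranking that puts a directory form ahead of the home-group form of the same pattern are assumptions made here from the text of the rules.

```python
"""Resolve the effective CHROOT directory for an FTP/iX logon from FTPACCES-style entries."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of FTPACCES.ARPA.SYS content (not taken from a real system).
# Records starting with '#' are comments, as in the whitepaper's sample file; a '#'
# elsewhere is assumed here to be ordinary text, since trailing comments are not shown.
SAMPLE_FTPACCES = """\
# CHROOT confines the user to the specified root directory.
  chroot Testmgr.@ /SYS/INSTALL
chroot @.TELESUP /TELESUP/WORK
chroot @.@
chroot mgr.telesup
chroot us@r.sys /SYS/PUB
chroot MGR.SYS SYS.PUB
"""


@dataclass(frozen=True)
class ChrootEntry:
    user: str                # uppercased MPE user name, or '@' for any user
    account: str             # uppercased MPE account name, or '@' for any account
    root_dir: Optional[str]  # absolute HFS path kept case-sensitive; None = home group
    rank: int                # format rank a=0 ... h=7; the lowest matching rank wins


# A logon component is either the whole-component wildcard '@' or a plain MPE name.
# Assumed MPE name shape: one letter followed by up to seven letters or digits.
_COMPONENT = r"(@|[A-Za-z][A-Za-z0-9]{0,7})"
_LOGON_RE = re.compile(rf"^{_COMPONENT}\.{_COMPONENT}$")


def parse_entry(record: str) -> Tuple[Optional[ChrootEntry], Optional[str]]:
    """Parse one FTPACCES record.

    Returns (entry, None) for a valid chroot entry, (None, None) for a comment or
    blank record, and (None, reason) for an invalid entry that should be logged.
    """
    body = record.strip()  # leading and trailing spaces have no effect
    if not body or body.startswith("#"):
        return None, None
    fields = body.split()
    if fields[0].lower() != "chroot" or len(fields) not in (2, 3):
        return None, "syntax: expected 'chroot user.acct [root_dir]'"
    m = _LOGON_RE.match(fields[1])
    if not m:
        # Rejects partial wildcards such as 'use@.acct' or 'user.@acct'.
        return None, f"logon: {fields[1]!r} must be user.acct with whole-component '@' only"
    user, account = m.group(1).upper(), m.group(2).upper()  # user name is case-insensitive
    root_dir = fields[2] if len(fields) == 3 else None
    if root_dir is not None and not root_dir.startswith("/"):
        # Must be an absolute HFS pathname, not MPE FILE.GROUP.ACCOUNT syntax.
        return None, f"rootdir: {root_dir!r} is not an absolute HFS path"
    # user.acct=0, @.acct=1, user.@=2, @.@=3; the directory form outranks the home-group form.
    pattern_rank = (1 if user == "@" else 0) + (2 if account == "@" else 0)
    rank = 2 * pattern_rank + (0 if root_dir else 1)
    return ChrootEntry(user, account, root_dir, rank), None


def load_ftpacces(text: str) -> Tuple[List[ChrootEntry], List[Tuple[int, str]]]:
    """Parse a whole file; returns (valid entries, [(record number, reason), ...])."""
    entries, invalid = [], []
    for lineno, record in enumerate(text.splitlines(), start=1):
        entry, reason = parse_entry(record)
        if entry is not None:
            entries.append(entry)
        elif reason is not None:
            invalid.append((lineno, reason))
    return entries, invalid


def resolve_root(entries: List[ChrootEntry], user: str, account: str,
                 home_group: str) -> Optional[str]:
    """Return the effective chroot directory for a logon, or None if no entry matches.

    Precedence is decided by rank alone, never by position in the file. A CHROOT
    setting overrides any ',group' given at FTP logon, so only the MPE home group is
    needed to build the /ACCOUNT/GROUP root for entries without a directory.
    """
    user, account = user.upper(), account.upper()
    matches = [e for e in entries
               if e.user in ("@", user) and e.account in ("@", account)]
    if not matches:
        return None
    best = min(matches, key=lambda e: e.rank)
    return best.root_dir if best.root_dir else f"/{account}/{home_group.upper()}"


if __name__ == "__main__":
    entries, invalid = load_ftpacces(SAMPLE_FTPACCES)
    for lineno, reason in invalid:
        print(f"FTPLOG: invalid entry at record {lineno}: {reason}")
    for logon in ("TESTMGR.SYS", "TESTMGR.TELESUP", "MGR.TELESUP", "OPERATOR.SYS"):
        u, a = logon.split(".")
        print(f"{logon:16} -> {resolve_root(entries, u, a, 'PUB')}")
```

In the sample, TESTMGR.TELESUP matches both the Testmgr.@ entry (format e) and the @.TELESUP entry (format c) and resolves to /TELESUP/WORK even though Testmgr.@ appears first in the file, which is the precedence rule in action; MGR.SYS loses its entry to the invalid MPE-syntax directory and falls through to the @.@ catch-all.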