Securing FTP/iX

FTPSRVR starts.
✓ Root directory specifications cannot be relative to any directory (e.g. ./dir1, ../dir2), cannot include special
characters such as '+', '-', etc., and do not support wildcards.
✓ Anonymous FTP behavior remains unchanged with the implementation of chroot. The root directory of an
anonymous logon cannot be changed by specifying a chroot entry in FTPACCES. An anonymous FTP user will
log in to the directory /FTPGUEST/PUB, as before.
✓ Chroot does not follow soft links.
This is consistent with the behavior throughout FTP/iX. Any changes to this file
are reflected in the next FTP logon session.
6.2.6 Examples for Chroot option
Consider a sample FTPACCES.ARPA.SYS file:
chroot Testmgr.@ /SYS/INSTALL
chroot @.TELESUP /TELESUP/WORK
chroot @.SYS
1. The home group of the user Testmgr.SYS is PUB.SYS, but the user is directed to /SYS/INSTALL/ because of
the chroot option set in the FTPACCES.ARPA configuration file. The user is limited to the group /SYS/INSTALL and any
directories under /SYS/INSTALL/.
ftp> user Testmgr.sys
230 User logged on
200 Type set to I.
ftp> pwd
257-"/" is the current directory.
257 "TESTMGR.SYS" is the current session.
ftp> cd ..
550 The last component of the pathname "/SYS/INSTALL/SYS" does not exist. (CIERR 93)
Could not change directory to "..". (FTPERR 48)
2. The users of the TELESUP account are limited to the group /TELESUP/WORK/ and any directories
under /TELESUP/WORK/, irrespective of the user's home group.
If there is a directory called tmp under /TELESUP/WORK/, then cd tmp will be successful. But changing to any
other directory that is not under /TELESUP/WORK will result in an error:
Name(manager): mgrtest.telesup
230-'"/"'
230 User logged on
Remote system type is MPE/iX
200 TIMEOUT command ok.
ftp> pwd
257-"/" is the current directory.
257 "MGRTEST.TELESUP" is the current session.
ftp> cd tmp
250 CWD file action successful.
ftp> pwd
Page 13 of 28, Secure FTP on MPE/iX, 7/18/2008
http://jazz.external.hp.com/papers/Securing
-
-
Whitepaper.html
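An added example, not part of the whitepaper or of FTP/iX: a small Python audit that checks FTPACCES chroot lines against the root-directory restrictions listed above and reports which root a logon would receive. The first-match rule, the treatment of '#' and '?' as wildcards, the handling of a line with no directory, and the last two sample lines are assumptions or constructed inputs.

```python
import re

# First three lines are the sample from section 6.2.6; the last two are constructed bad entries.
SAMPLE = """\
chroot Testmgr.@ /SYS/INSTALL
chroot @.TELESUP /TELESUP/WORK
chroot @.SYS
chroot dev.@ ../dir2
chroot ops.@ /OPS/in+out
"""

def check_root(path):
    """Return the reasons a root directory violates the stated restrictions."""
    if path is None:  # assumption: a line without a directory needs manual review
        return ["no root directory on this line; review by hand"]
    problems = []
    if not path.startswith("/") or any(p in (".", "..") for p in path.split("/")):
        problems.append("relative path component")
    if re.search(r"[+\-]", path):
        problems.append("special character")
    if re.search(r"[@#?]", path):  # '@' is the page's wildcard; '#' and '?' are assumed
        problems.append("wildcard")
    return problems

def parse(text):
    """Return (line_no, user_pattern, root, problems) for every chroot line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 2 and fields[0].lower() == "chroot":
            root = fields[2] if len(fields) > 2 else None
            entries.append((n, fields[1], root, check_root(root)))
    return entries

def matches(pattern, logon):
    """'@' matches a whole user or account name; comparison ignores case."""
    want, got = pattern.upper().split("."), logon.upper().split(".")
    return len(want) == len(got) == 2 and all(w in ("@", g) for w, g in zip(want, got))

def root_for(entries, logon):
    """Assumption: the first valid matching entry decides the root."""
    for _, pattern, root, problems in entries:
        if not problems and matches(pattern, logon):
            return root
    return None

if __name__ == "__main__":
    for n, pattern, root, problems in parse(SAMPLE):
        print(n, pattern, root, "; ".join(problems) or "ok")
```

A logon for which root_for returns None has no usable chroot entry in this model, so those users are the ones to review before relying on the file for confinement.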