UNIX for Dummies Questions & Answers

Hi,

We have an application which runs on telnet port, application structure is file based, we have to give write permissions to all the users to all files so that they can work on the system.

Recently we have noticed that all ordinary users can login through ftp and delete any file ( belonging to that application, because they have write permissions on all the files ), can anybody please let me know how can we block all user-ids logging into Solaris system through FTP except users whose user-ids start with "kcc"?

One more thing, we can't completely block port 21 because one FTP server is running on the server for the documentation, for example: ftp://192.168.0.1/pub/English/Modules.html

We want to block FTP login through command line or any other FTP client, people can continue using FTP through web.

I hope, my query is explanatory enough.

Unfortunately the default FTP daemon is pretty simple and you have to give it a list of all users who are denied access, in the not very logically named /etc/ftpusers.

This means that every time you add new users you have to remember to update this file. Therefore it's a good idea to automate it, maybe run a job out of cron that does something like:

Code:

awk -F: '!/^kcc/ {print $1}' /etc/passwd > /etc/ftpusers

Thanks for your reply, it worked, but it adds root also to /etc/ftpusers, how can I stop that?

Perhaps it might be better to exclude by UIDs as in

Code:

awk -F: '$3 > 100 && $3 < 60000 {print $1}' /etc/passwd > ......

Not forgetting to exclude the kcc users...

Code:

awk -F: '$3 > 100 && $3 < 60000 && !/^kcc/ {print $1}' /etc/passwd > /etc/ftpusers

Thanks for your replies, it worked but I have following issue now, as I mentioned earlier that our help is installed on a FTP server and path is as follows:

ftp://192.168.0.1/pub/English/Modules.html

I don't want to block to this FTP server, now when users click on Help, they are asked to enter Username & Password, users who are mentioned at /etc/ftpusers are not granted access to this, any workaround to allow users to be able to view those help files via FTP?

In your position I would definitely serve that documentation using your web server, not your FTP server.

But if for some reason that's not possible... when they connect like that they are using anonymous FTP, so as long as you haven't added the 'ftp' user to /etc/ftpusers then it should still work as it did before. I'm presuming they were never prompted for username/password before?