FTP SIB Enhancements, Phase II
************************************************************************
Configuration rules for SETPARMS.ARPA.SYS file:
************************************************************************
The "SETPARMS" file is the global configuration file for optional & new
functionality in both the FTP client (FTP) and the FTP server (FTPSRVR).
The following configuration rules apply to the SETPARMS.ARPA.SYS file:
CONSOLE_LOGGING = {ON/OFF}
DEBUG_PASS = {ON/OFF}
LOG_COMMANDS = {ON/OFF}
LOG_TRANSFERS = {ON/OFF}
PASSWORD = {ON/OFF}
PERMISSION_DELETE = {ON/OFF}
PERMISSION_OVERWRITE = {ON/OFF}
PERMISSION_RENAME = {ON/OFF}
POSIX = {ON/OFF}
SITE_CHMOD = {ON/OFF}
SITE_CHOWN = {ON/OFF}
SITE_STREAM = {ON/OFF}
Note: The format of the SETPARMS.ARPA.SYS file has the following rules:
a. This file can be created and edited with a supported editor. This
file must be unnumbered, fixed width ASCII with a record-width of no
more than 72 bytes.
b. Upper/Lower case letters can be used.
c. Blank spaces are not a problem.
d. The parameters can be entered in the file in any order.
e. Only the following keywords are allowed:
CONSOLE_LOGGING, DEBUG_PASS, LOG_COMMANDS, LOG_TRANSFERS, PASSWORD,
PERMISSION_DELETE, PERMISSION_OVERWRITE, PERMISSION_RENAME, POSIX,
SITE_CHMOD, SITE_CHOWN and SITE_STREAM
f. Invalid keywords or parameters are silently ignored.
g. By default if these keywords are not in SETPARMS.ARPA.SYS or if the
SETPARMS.ARPA.SYS file does not exist the following are the defaults:
console_logging = on
debug_pass = off
log_commands = off
log_transfers = off
password = off
permission_delete = on
permission_overwrite = on
permission_rename = on
posix = off
site_chmod = off
site_chown = off
site_stream = on
A sample of how to enable options as a default for your system:
------------------------------------------------------------
:editor
HP32201A.09.00 EDIT/3000 MON, JUL 31, 2000, 7:19 PM
(C) HEWLETT-PACKARD CO. 1993
/a
1 site_chmod=ON
2 //
...
/k SETPARMS.ARPA.SYS,UNN;E
END OF SUBSYSTEM
:
------------------------------------------------------------
************************************************************************
Configuration rules for FTPACCES.ARPA.SYS file "noretrieve" option:
************************************************************************
The "FTPACCES" file access configuration file is a security enhancement
added to the FTP server (FTPSRVR) to support an exclusion list of files
accessible with the FTP GET and MGET commands.
The following configuration rules apply to the FTPACCES.ARPA.SYS file:
The existence of the file FTPACCES.ARPA.SYS is the switch which enables
this feature. If FTPACCES.ARPA.SYS file does not exist FTP will not
deny access of any file. An empty FTPACCES.ARPA.SYS file will not deny
access of any file.
The syntax of the "noretrieve" option is:
noretrieve {file}|{/directory/file}|{/directory/}|{repeat}
The following three formats of the "noretrieve" option are supported in
the FTPACCES.ARPA.SYS:
a. noretrieve /file1 /dir/file2 /dir/dir/file3 /ACCT/GROUP/FILE4
b. noretrieve file5 File6 FILE7
c. noretrieve /dir/ /dir/dir/ /ACCT/ /ACCT/GROUP/
Note: The format of the FTPACCES.ARPA.SYS file has the following rules:
a. This file can be created and edited with a supported editor.
This file must be unnumbered, fixed width ASCII with a
record-width of no more than 255 bytes. The physical limit to
this file is 4GB, but performance will be the actual limiting
factor.
b. The entry "noretrieve {filelist}" is a space-separated list of file
names specified in three formats that can be intermixed; this is a
list of files that can not be retrieved, either by get or mget.
If one line can not contain the whole list of files that the owners
want to make non-retrievable, multiple lines starting with
"noretrieve" can be used. Leading or trailing white space
character(s) are considered file name delimiters.
c. All files or file sets specified in the filelist must follow the
POSIX HFS notation (not the traditional MPE FILE.GROUP.ACCOUNT
syntax).
i. In the first format "absolute path" names (meaning the name
begins with a slash, "/") will deny access to a single file.
For example "noretrieve /tmp/syslog.log". A traditionally
named MPE file FILE.GROUP.ACCT must be specified as
/ACCT/GROUP/FILE, all in uppercase. For example "noretrieve
/SYS/PUB/CATALOG".
ii. In the second format "simple" file names (meaning file names
that do not include a slash) will deny access to all files
with that exact name "regardless of location" in / or any
/directory/, or any /ACCT/directory/, or any /ACCT/GROUP/.
Example: "noretrieve NETRC" would deny access to the file
"NETRC" at /NETRC, /tmp/NETRC, /SYS/NETRC and /SYS/NET/NETRC.
Note: This filelist specification is case-sensitive because
this is the specification for POSIX file naming conventions,
it means that "NETRC" is a different file than "Netrc" and
"netrc".
iii. In the third format "absolute path" names terminated with a
slash "/" (meaning the directory name or account name or group
name ends with a slash, "/") will deny access to all files in
a /directory/, /ACCT/, /ACCT/GROUP/, /ACCT/directory/ or
/ACCT/GROUP/directory/. For example "noretrieve /SYS/PUB/"
denies access to all traditionally named MPE files in
@.PUB.SYS as well as any HFS-name files or directories found
within or under /SYS/PUB. Likewise "noretrieve /etc/" denies
access to all files contained in the directory /etc/.
d. The FTPACCES file supports only three commands (chroot, noretrieve
and # "comment"); invalid commands are silently ignored. Invalid
parameters to the "chroot" and "noretrieve" commands will be
reported to the file FTPLOG.ARPA.SYS, including invalid POSIX
characters (e.g. "+" or "-"), wild card characters (e.q. "@" or
"*"), and incorrectly specified or relative pathnames (e.q.
"./dir", "./../" or "./../dir"). Note: These errors are reported
when FTPSRVR is forked "created" by INETD.
e. In any line all characters after hash (#) are considered as
comment and are ignored.
f. Users with SM capability (like MANAGER.SYS) are not restricted by
the FTPACCES configuration.
----------------------------------------------------------------------
A sample of how to set file access restrictions for your system:
------------------------------------------------------------
/SYS/WORK: editor
HP32201A.09.00 EDIT/3000 SUN, FEB 26, 2006, 5:20 PM
(C) HEWLETT-PACKARD CO. 1993
/set length=255
/set right=255
/a
1 # FTPACCES.ARPA.SYS noretrieve files.
2 noretrieve /SYS/PUB/
3 noretrieve NETRC
4 noretrieve .netrc
5 noretrieve /SYS/ARPA/FTPACCES
6 //
...
/k FTPACCES.ARPA.SYS,UNN;E
END OF SUBSYSTEM
:
------------------------------------------------------------
**********************************************************************
Configuration rules for FTPACCES.ARPA.SYS file "chroot" option:
**********************************************************************
The "chroot" FTPACCES.ARPA.SYS configuration option is a security
enhancement added to the FTP Server to limit inbound FTP client
commands cd, put, get, mput, mget and dir to the configured "current
working directory" (CWD) and below. With chroot enabled, users would
be unable to (cd) move up (towards slash "/" root), (dir) view file
list and (put, get, mput & mget) access files up the directory
structure.
The following configuration rules apply to the FTPACCES.ARPA.SYS file:
The existence of the file FTPACCES.ARPA.SYS is the switch that enables
this feature. If FTPACCES.ARPA.SYS file does not exist FTP will not
deny access of any directory. An empty FTPACCES.ARPA.SYS file will
not deny access of any directory.
The syntax of the chroot option is:
chroot {user}|{@}.{account}|{@} {empty}|{/ACCT/GROUP}|{/{directory}
The following eight formats of the "chroot" option are supported in
the FTPACCES.ARPA.SYS:
a. chroot user.acct root_dir - The specified user is chroot'd to
root_dir.
b. chroot user.acct - The specified user is chroot'd to
their home group.
c. chroot @.acct root_dir - All the users from the specified
account are chroot'd to root_dir.
d. chroot @.acct - All the users from the specified
account are chroot'd to the user's
home group.
e. chroot user.@ root_dir - The user at all accounts are chroot'd
to root_dir.
f. chroot user.@ - The user at all accounts are chroot'd
to their home group.
g. chroot @.@ root_dir - All users are chroot'd to
root_dir.
h. chroot @.@ - All users are chroot'd to their
home group.
Note: The format of the FTPACCES.ARPA.SYS file has the following rules:
a. This file can be created and edited with a supported editor.
This file must be unnumbered, fixed width ASCII with a
record-width of no more than 255 bytes. The physical limit to
this file is 4GB, but performance will be the actual limiting
factor.
b. The entry "chroot {command}" is one line per command request of
logon user.acct name specifying the home logon directory where the
root "/" is set.
c. The logon "user.acct" parameter of the chroot command must be
specified in MPE user.acct notation and accepts no wildcards except
'@' which is supported in user.acct; '@' can be used only in the
three formats '@.@' or '@.acct' or 'user.@' but not in the format's
of 'use@.acct' or 'user.@acct'.
d. The "root_dir" parameter of the chroot command must be specified in
the POSIX HFS notation (not traditional MPE FILE.GROUP.ACCOUNT
syntax) using an absolute pathname from root (meaning the name
begins with a slash, "/"). A traditional named MPE GROUP.ACCOUNT
must be specified as /ACCOUNT/GROUP all in uppercase.
Specification of directories outside of MPE file space are case
sensitive and can be any combination of upper case & lower case
and must exactly match the actual directory.
e. The precedence of the eight chroot formats is: a>b>c>d>e>f>g>h
irrespective of their occurrence in the FTPACCES file.
f. The FTPACCES file supports only three commands (chroot, noretrieve
and # "comment"); invalid commands are silently ignored. Invalid
parameters to the "chroot" and "noretrieve" commands will be
reported to the file FTPLOG.ARPA.SYS, including invalid POSIX
characters (e.g. "+" or "-"), wild card characters (e.q. "@" or
"*"), and relative pathnames (e.q. "./dir", "./../" or "./../dir").
Note: These errors are reported when FTPSRVR is forked "created"
by INETD.
g. In any line all characters after hash (#) are considered as
comment and hence are ignored.
h. The "root_dir" parameter of the chroot command takes precedence
over the user.account,group logon string and the user's MPE
configured home group.
i. Users with SM capability (like MANAGER.SYS) are not restricted by
any FTPACCES chroot configuration.
j. Anonymous FTP will continue to logon the FTP special users
"anonymous" and "ftp" to /FTPGUEST/PUB regardless of any matching
user.account CHROOT entries in the FTPACCES file (i.e. anonymous
FTP completely ignores CHROOT).
k. Chroot does not follow links. This is consistent with the
behavior thru out FTP/iX.
Examples:
1 chroot OPERATOR.SYS /SYS/OPERATOR
2 chroot MGR.SENDMAIL /SENDMAIL
3 chroot @.TELESUP /TELESUP/WORK
4 chroot @.PROD
5 chroot TESTUSER.@ /tmp
6 chroot @.@ /FTPGUEST/PUB
In the above examples
1. The user OPERATOR.SYS is limited to the group /SYS/OPERATOR/ and
any directories under /SYS/OPERATOR/.
2. The user MGR.SENDMAIL is limited to all of the groups and
directories in the SENDMAIL account: /SENDMAIL/, /SENDMAIL/A0200/
and /SENDMAIL/PUB/.
3. The users of the TELESUP account are limited to the group
/TELESUP/WORK and any directories under /TELESUP/WORK/.
4. The users of the PROD account are limited to their home group
and any directories under their home group.
5. All TESTUSER in all accounts are limited to the /tmp directory of
the system and any directories under the /tmp directory.
6. All remaining users of the system are limited to the PUB group of
the FTPGUEST account and any directories under the
/FTPGUEST/PUB/ directory.
note: Precedence is specified user.acct > @.acct > user.@ > @.@.
A sample of how to set file access restrictions for your system:
------------------------------------------------------------
/SYS/WORK: editor
HP32201A.09.00 EDIT/3000 SUN, FEB 26, 2006, 5:20 PM
(C) HEWLETT-PACKARD CO. 1993
/set length=255
/set right=255
/a
1 # FTPACCES.ARPA.SYS chroot logon.
2 chroot OPERATOR.SYS /SYS/OPERATOR
3 chroot MGR.SENDMAIL /SENDMAIL
4 chroot @.TELESUP /TELESUP/WORK
5 chroot @.PROD
6 chroot TESTUSER.@ /tmp
7 chroot @.@ /FTPGUEST/PUB
8 //
...
/k FTPACCES.ARPA.SYS,UNN;E
END OF SUBSYSTEM
:
------------------------------------------------------------
**********************************************************************
PERMISSION_DELETE, PERMISSION_OVERWRITE, PERMISSION_RENAME options:
**********************************************************************
The "PERMISSION_DELETE", "PERMISSION_OVERWRITE" and
"PERMISSION_RENAME" SETPARMS.ARPA.SYS configuration options are
security enhancements added to the FTP Server to support the ability
to limit the inbound FTP Client commands del, put, mput and rename.
Users would be able to put files to file names that did not already
exist, but depending on the configured "PERMISSION_" set to "OFF" they
could not delete, rename or modify a file that already exist.
note:
a. The default setting for each of these options is "ON", which
does not deny access and is the default implementation prior
to this enhancement.
b. Users with SM capability (like MANAGER.SYS) are not restricted by
the these configuration options.
A sample of how to enable permissions as a default for your system:
------------------------------------------------------------
:editor
HP32201A.09.00 EDIT/3000 MON, JUL 31, 2000, 7:19 PM
(C) HEWLETT-PACKARD CO. 1993
/a
1 permission_delete = off
2 permission_overwrite = off
3 permission_rename = off
4 //
...
/k SETPARMS.ARPA.SYS,UNN;E
END OF SUBSYSTEM
: