Hi Laurence,
I actually posted the below solution last week to a similar question I had
posed to the group.
IBMi provides a graphical interface to set exit point controls for FTP
actions. It is much easier than writing your own exit point processing if
you can achieve the desired results using this interface - if not then you
may have to write the exit program!
Set the required directory as the home directory on the user's user
profile
CHGUSRPRF <user-profile> HOMEDIR('<required-path>')
In IBM Navigator for i you can set Allow access or Deny access for the FTP
Operation ...
Navigation ==> Security ==> Application Administration
Select Host Applications from the left menu
Expand TCP/IP Utilities for iSeries
Expand File Transfer Protocol
Expand Specific Operations
You now have a selection of operations that you can specify
customisations for
(Change directory, CL Commands, Clear Command Channel, Create
Directory/Library, Delete Directory/Library, Delete Files, List Files,
Receive Files, Rename Files, Send Files)
Select the required operation and Click Customise (Customize for
Americans!)
You can now specify a list of Users/Groups/Users not in Group to either
Allow access or Deny Access
So to test I added my test user to the Access Denied operation for Send
Files. (Sending files from IBMi to Client)
I was then able to ftp the file with a put successfully but trying to do a
get on that file failed with a not authorised error.
So I am going to create a group profile, add the 200 users to that group
and then assign the group as Access Denied to the operations we want to
restrict.
I think this is going to work very nicely.
Here is a ftp log after I restricted a user to ONLY being allowed to PUT
files ...
From a command prompt on my laptop I started an ftp session and logged on
as FTP_TEST
Here is a log from that session;
List directory - Rejected
ftp> dir
200 PORT subcommand request successful.
550 Request rejected.
Put a file - Successful
ftp> put c:\temp\Ping.txt /<path>/ping.txt
200 PORT subcommand request successful.
150 Sending file to /<path>/ping.txt
226 File transfer completed successfully.
ftp: 1176 bytes sent in 0.23Seconds 5.03Kbytes/sec.
Delete a file - Rejected
ftp> del ping.txt
550 Request rejected.
Rename a file - Rejected
ftp> ren ping.txt ping12.txt
550 Request rejected.
Get a file - Rejected
ftp> get ping.txt c:\temp\ping.txt
200 PORT subcommand request successful.
550 Request rejected.
Create a directory - Rejected
ftp> mkdir TEST
550 Request rejected.
Cheers
Don Brown
From: "Laurence Chiu" <lchiu7@xxxxxxxxx>
To: "Midrange Systems Technical Discussion"
<midrange-l@xxxxxxxxxxxxxxxxxx>
Date: 03/04/2020 07:00 AM
Subject: Locking a FTP user into a specific folder using stock FTP
server on IBMi 7.1
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>
This might seem a simple question but I am not IBMi person and I am just
getting involved in a major IBMi project. One question that arose was, using
the
stock FTP server in IBMi, can an account be set to be placed in a certain
folder on logon and not be able to go a folder up?
It was posed by our security team who are concerned about FTP security and
the fact that we are using FTP (albeit only within the corporate network)
and so passwords go through in clear text. At this point in time there is
no possibility of moving to SFTP.
Thanks
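Added example, not part of the original messages: a small Python check that reads a captured client session like the log above and reports every operation whose outcome differs from the intended policy (here, PUT only). Only the get = Send Files pairing comes from the message; the rest of the verb mapping and the names `outcomes` and `violations` are assumptions of this example.

```python
import re

# Constructed sample: the session log from the message above (path placeholder kept).
SAMPLE_SESSION = r"""
ftp> dir
200 PORT subcommand request successful.
550 Request rejected.
ftp> put c:\temp\Ping.txt /<path>/ping.txt
200 PORT subcommand request successful.
150 Sending file to /<path>/ping.txt
226 File transfer completed successfully.
ftp: 1176 bytes sent in 0.23Seconds 5.03Kbytes/sec.
ftp> del ping.txt
550 Request rejected.
ftp> ren ping.txt ping12.txt
550 Request rejected.
ftp> get ping.txt c:\temp\ping.txt
200 PORT subcommand request successful.
550 Request rejected.
ftp> mkdir TEST
550 Request rejected.
"""

# Client verb -> Application Administration operation. "get" = Send Files is from
# the message; the other pairings are this example's assumption.
OPERATION = {"dir": "List Files", "ls": "List Files", "put": "Receive Files",
             "get": "Send Files", "del": "Delete Files", "ren": "Rename Files",
             "mkdir": "Create Directory/Library"}
REPLY = re.compile(r"(\d)\d\d[ -]")

def outcomes(transcript):
    """Map each attempted operation to 'allowed' or 'rejected' by its final reply code."""
    seen = {}
    for block in re.split(r"^ftp>\s*", transcript, flags=re.M)[1:]:
        lines = block.splitlines()
        verb = lines[0].split()[0].lower() if lines and lines[0].split() else None
        codes = [m.group(1) for m in map(REPLY.match, lines[1:]) if m]
        if verb is None or not codes:
            continue  # empty prompt or local command with no server reply
        op = OPERATION.get(verb, verb)
        if seen.get(op) != "allowed":  # one success is enough to count as allowed
            seen[op] = "allowed" if codes[-1] == "2" else "rejected"
    return seen

def violations(transcript, allowed_ops):
    """Return (operation, expected, observed) for every deviation from the policy."""
    expect = lambda op: "allowed" if op in allowed_ops else "rejected"
    return [(op, expect(op), got) for op, got in outcomes(transcript).items()
            if got != expect(op)]
```

Running `violations(SAMPLE_SESSION, {"Receive Files"})` on a session captured for each member of the restricted group gives an empty list when the Access Denied settings behave as intended.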