Hi

Thanks to all that responded. This solution seems to be the easiest to
implement since it does not require installing any software. We want the
FTP account to only have FTP access, no Telnet and being able to lock them
into the FTP folder and not issue commands apart from GET would solve the
problem I think. I will broach the subject with the IBMi people.

On Fri, Apr 3, 2020 at 11:32 AM Don Brown via MIDRANGE-L <
midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

Hi Laurence,

I actually posted the below solution last week to a similar question I had
posed to the group.

IBMi provides a graphical interface to set exit point controls for FTP
actions. It is much easier than writing your own exit point processing if
you can achieve the desired results using this interface - if not then you
may have to write the exit program!

Set the required directory as the home directory on the user's user
profile

CHGUSRPRF <user-profile> HOMEDIR('<required-path>')

In IBM Navigator for i you can set Allow access or Deny access for the FTP
Operation ...

Navigation ==> Security ==> Application Administration

Select Host Applications from the left menu

Expand TCP/IP Utilities for iSeries

Expand File Transfer Protocol

Expand Specific Operations

You now have a selection of operations that you can specify
customisations for
(Change directory, CL Commands, Clear Command Channel, Create
Directory/Library, Delete Directory/Library, Delete Files, List Files,
Receive Files, Rename Files, Send Files)

Select the required operation and Click Customise (Customize for
Americans!)

You can now specify a list of Users/Groups/Users not in Group to either
Allow access or Deny Access

So to test I added my test user to the Access Denied operation for Send
Files. (Sending files from IBMi to Client)

I was then able to ftp the file with a put successfully but trying to do a
get on that file failed with a not authorised error.

So I am going to create a group profile, add the 200 users to that group
and then assign the group as Access Denied to the operations we want to
restrict.

I think this is going to work very nicely.

Here is a ftp log after I restricted a user to ONLY being allowed to PUT
files ...

From a command prompt on my laptop I started an ftp session and logged on
as FTP_TEST

Here is a log from that session;


List directory - Rejected
ftp> dir
200 PORT subcommand request successful.
550 Request rejected.

Put a file - Successful
ftp> put c:\temp\Ping.txt /<path>/ping.txt
200 PORT subcommand request successful.
150 Sending file to /<path>/ping.txt
226 File transfer completed successfully.
ftp: 1176 bytes sent in 0.23Seconds 5.03Kbytes/sec.

Delete a file - Rejected
ftp> del ping.txt
550 Request rejected.

Rename a file - Rejected
ftp> ren ping.txt ping12.txt
550 Request rejected.

Get a file - Rejected
ftp> get ping.txt c:\temp\ping.txt
200 PORT subcommand request successful.
550 Request rejected.

Create a directory - Rejected
ftp> mkdir TEST
550 Request rejected.

Cheers



Don Brown





From: "Laurence Chiu" <lchiu7@xxxxxxxxx>
To: "Midrange Systems Technical Discussion"
<midrange-l@xxxxxxxxxxxxxxxxxx>
Date: 03/04/2020 07:00 AM
Subject: Locking a FTP user into a specific folder using stock FTP
server on IBMi 7.1
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>



This might seem a simple question but I am not an IBMi person and I am just
getting involved in a major IBMi project. One question that arose was, using
the stock FTP server in IBMi, can an account be set to be placed in a certain
folder on logon and not be able to go a folder up?

It was posed by our security team who are concerned about FTP security and
the fact that we are using FTP (albeit only within the corporate network)
and so passwords go through in clear text. At this point in time there is
no possibility of moving to SFTP.

Thanks
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
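
A way to check a captured client session against the intended FTP policy, as an added example that is not part of the original thread: it maps each client command to the Application Administration operation named in the post and reports where the observed result differs from the policy or was never tested. The function names and the verb-to-operation table are assumptions made for this example; the sample log is the session quoted above with the transfer statistics line left out.

```python
import re
# Operations listed under "Specific Operations" in the post, in its order.
ALL_OPS = ("Change directory", "CL Commands", "Clear Command Channel",
           "Create Directory/Library", "Delete Directory/Library",
           "Delete Files", "List Files", "Receive Files", "Rename Files",
           "Send Files")
# Client verb -> operation. Operation names are from the server's side, so a
# client "put" is Receive Files and a client "get" is Send Files.
VERB_TO_OP = {"cd": "Change directory", "mkdir": "Create Directory/Library",
              "rmdir": "Delete Directory/Library", "del": "Delete Files",
              "dir": "List Files", "ls": "List Files", "put": "Receive Files",
              "ren": "Rename Files", "get": "Send Files"}
REPLY = re.compile(r"^(\d{3}) ")

def parse_session(log):
    """Map each operation exercised in a client log to allowed/rejected."""
    results, current = {}, None
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("ftp> "):
            words = line[5:].split()
            current = VERB_TO_OP.get(words[0].lower()) if words else None
        elif current and (m := REPLY.match(line)):
            code = int(m.group(1))
            if code >= 200:  # skip 1xx; last reply wins (200 PORT, then 550)
                results[current] = "rejected" if code >= 400 else "allowed"
    return results

def deviations(results, allowed_ops):
    """Operations whose observed outcome differs from the intended policy."""
    want = {op: "allowed" if op in allowed_ops else "rejected" for op in ALL_OPS}
    return [(op, want[op], results.get(op, "untested"))
            for op in ALL_OPS if results.get(op, "untested") != want[op]]

# Commands and server replies from the session quoted in the post.
SESSION = r"""ftp> dir
200 PORT subcommand request successful.
550 Request rejected.
ftp> put c:\temp\Ping.txt /<path>/ping.txt
200 PORT subcommand request successful.
150 Sending file to /<path>/ping.txt
226 File transfer completed successfully.
ftp> del ping.txt
550 Request rejected.
ftp> ren ping.txt ping12.txt
550 Request rejected.
ftp> get ping.txt c:\temp\ping.txt
200 PORT subcommand request successful.
550 Request rejected.
ftp> mkdir TEST
550 Request rejected."""
```

With `{"Receive Files"}` as the only allowed operation, `deviations(parse_session(SESSION), {"Receive Files"})` reports Change directory, CL Commands, Clear Command Channel and Delete Directory/Library as untested, so the quoted session does not yet show that the user is confined to the home directory.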
