Real users in a ftpd chrooted environment ?

Posted on 1997-06-04
Last Modified: 2010-03-17
I have RedHat Linux 4.0, and I want to build a System
with real users FTP acess (login, passwd), but I want them
to be in a chrooted environment, i.e. not able to see
anything bellow a predefined directory. I've managed to do that with the guestgroup directive in ftpaccess, but users now can't see their files with a ls command. Is this a configuration problem or a ls problem ? Thanks.

Question by:rui.gil
  • 5
  • 4

Accepted Solution

bcook earned 120 total points
ID: 1584782
Have you looked at the man page for ftpd ?

You set your system up, setting up all your users, and pointing their home directories where ever you want the FTP login to end up.

When they log in using a valid username/password, ftpd chroots into the specified home directory.

You can disable anonymous in the file ftpaccess

Relevant files are

/etc/passwd (Each user must be in this)
/etc/ftpaccess (Defines all the parameters of FTP login)

The man page for ftpd explains it all.

Author Comment

ID: 1584783
Edited text of question

Author Comment

ID: 1584784
Well, I'm new at this but of course I've looked at the man page.
I think that my question isn't clear enougth. What I want is a FTP user who can not browse the system, only his home and subdirectories (chrooted environment). guestgroup directive in ftpaccess give me that possibility but now users can not see anything with a ls command, (all the other commands work). I thougth that was a configuration problem but now I'm not so sure... Do you have any ideas ?
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.


Expert Comment

ID: 1584785
Ok, with the user in guestuser mode, it says that you must have a bin directory under every user directory (Same a the FTP user).

(When chroot is executed /bin effectivly goes away, because / is noew ~user.  This means that if you want a /bin it must be ~user/bin

Do this on a test user and see if it works

ln -s ~ftp/bin ~user/bin


Author Comment

ID: 1584786
Sorry about the time lapse... I already done your sugestion, but it doesnt work. But if I make a mirror copy (all the file with /bin, /dev, /lib, etc). It works fine, but this is not a valid solution, with a sytem with 1000 users or more. I'm using WU-FTPD server 2.4.2 and I've heard that maybe there is a problem with ls in a chrooted environment, something about dinamic libraries.
David Dyer-Bennet says that the solution is to build ls in a static way but in RedHat 4.0 I did'nt find any makefile to do that. Can you please help me with that ?

Expert Comment

ID: 1584787
Yes of course it wouldn't work... sorry.
The reason for this is that when you've chroot'd to the user directory, as far as it's concerened /bin is the one under the user directory, it can't see the real /bin to resolve the symbolic linkage.

The dynamic libraries should work, because they're in the lib sub-directory under ~ftp.  (Just don't upgrade the version of
ls you're using - leave it as the same on in ~ftp/bin)

I think the solution is to hard-link the directories to ~ftp

ln -d /home/ftp/bin /home/username/bin
ln -d /home/ftp/lib /home/username/lib
ln -d /home/ftp/etc /home/username/etc
ln -d /home/ftp/dev /home/username/dev

If this works, then you can create a script to do this for each
new chroot'd user.  This will mean that you don't have to duplicate the files for every user.

. All users MUST be on the same file system as ~ftp.  Or alt least there must be one copy of all the files on each file system.
. Be very carefull when removing a user - don't use
rm -rf /home/username
Or you'll kill ls and all the libraries off.

# Unlink from the common stuff first - so we don't kill it
rm -d /home/username/bin
rm -d /home/username/lib
rm -d /home/username/etc
rm -d /home/username/dev

# No kill all the user data off
rm -rf /home/username


Author Comment

ID: 1584788
The command "ln -d /home/ftp/bin /home/username/bin" doesn´t work. Operation not permited ?

Expert Comment

ID: 1584789
Please, copy to ~/bin directory ls command,
found in ~ftp/bin. Problem is: when you copied
ls from /bin, it linked with dynamic libraries, which
are not available after chroot. But ls which resides
in ~ftp/bin linked *statically*, and will work after chroot.


Expert Comment

ID: 1584790
Swine of a thing - documentation indicated that it should work.

Seems that you'll have to copy the bin directory, rather than
simply linking to it.  Make sure you use the statically linked
ls from the ftp area, rather than the one the rest of the system uses.


Author Comment

ID: 1584791
I think that I'm running in circles here. I already did the copy
sugestion and it worked fine, but as I already said this is not a valid solution for me because the number of users is to hight. A
static version of ls is about 300K ! Multiply this by 1000 and BOOM ! The Hard link seems the better answer but I really tried and it just does'nt work. What am I doing wrong ?!

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question