Solved

Real users in a ftpd chrooted environment ?

Posted on 1997-06-04
10
286 Views
Last Modified: 2010-03-17
I have RedHat Linux 4.0, and I want to build a System
with real users FTP acess (login, passwd), but I want them
to be in a chrooted environment, i.e. not able to see
anything bellow a predefined directory. I've managed to do that with the guestgroup directive in ftpaccess, but users now can't see their files with a ls command. Is this a configuration problem or a ls problem ? Thanks.

0
Comment
Question by:rui.gil
  • 5
  • 4
10 Comments
 
LVL 1

Accepted Solution

by:
bcook earned 120 total points
Comment Utility
Have you looked at the man page for ftpd ?

You set your system up, setting up all your users, and pointing their home directories where ever you want the FTP login to end up.

When they log in using a valid username/password, ftpd chroots into the specified home directory.

You can disable anonymous in the file ftpaccess

Relevant files are

/etc/passwd (Each user must be in this)
/etc/ftpusers
/etc/ftpaccess (Defines all the parameters of FTP login)

The man page for ftpd explains it all.
0
 

Author Comment

by:rui.gil
Comment Utility
Edited text of question
0
 

Author Comment

by:rui.gil
Comment Utility
Well, I'm new at this but of course I've looked at the man page.
I think that my question isn't clear enougth. What I want is a FTP user who can not browse the system, only his home and subdirectories (chrooted environment). guestgroup directive in ftpaccess give me that possibility but now users can not see anything with a ls command, (all the other commands work). I thougth that was a configuration problem but now I'm not so sure... Do you have any ideas ?
0
 
LVL 1

Expert Comment

by:bcook
Comment Utility
Ok, with the user in guestuser mode, it says that you must have a bin directory under every user directory (Same a the FTP user).

(When chroot is executed /bin effectivly goes away, because / is noew ~user.  This means that if you want a /bin it must be ~user/bin

Do this on a test user and see if it works

ln -s ~ftp/bin ~user/bin


0
 

Author Comment

by:rui.gil
Comment Utility
Sorry about the time lapse... I already done your sugestion, but it doesnt work. But if I make a mirror copy (all the file with /bin, /dev, /lib, etc). It works fine, but this is not a valid solution, with a sytem with 1000 users or more. I'm using WU-FTPD server 2.4.2 and I've heard that maybe there is a problem with ls in a chrooted environment, something about dinamic libraries. http://www.ddb.com/sysadmin/wu-ftpd-anon-config.html
David Dyer-Bennet says that the solution is to build ls in a static way but in RedHat 4.0 I did'nt find any makefile to do that. Can you please help me with that ?
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 1

Expert Comment

by:bcook
Comment Utility
Yes of course it wouldn't work... sorry.
The reason for this is that when you've chroot'd to the user directory, as far as it's concerened /bin is the one under the user directory, it can't see the real /bin to resolve the symbolic linkage.

The dynamic libraries should work, because they're in the lib sub-directory under ~ftp.  (Just don't upgrade the version of
ls you're using - leave it as the same on in ~ftp/bin)

I think the solution is to hard-link the directories to ~ftp
Try:

ln -d /home/ftp/bin /home/username/bin
ln -d /home/ftp/lib /home/username/lib
ln -d /home/ftp/etc /home/username/etc
ln -d /home/ftp/dev /home/username/dev

If this works, then you can create a script to do this for each
new chroot'd user.  This will mean that you don't have to duplicate the files for every user.

Restrictions:
. All users MUST be on the same file system as ~ftp.  Or alt least there must be one copy of all the files on each file system.
. Be very carefull when removing a user - don't use
rm -rf /home/username
Or you'll kill ls and all the libraries off.

# Unlink from the common stuff first - so we don't kill it
rm -d /home/username/bin
rm -d /home/username/lib
rm -d /home/username/etc
rm -d /home/username/dev

# No kill all the user data off
rm -rf /home/username



0
 

Author Comment

by:rui.gil
Comment Utility
The command "ln -d /home/ftp/bin /home/username/bin" doesn´t work. Operation not permited ?
0
 
LVL 1

Expert Comment

by:aldem
Comment Utility
Please, copy to ~/bin directory ls command,
found in ~ftp/bin. Problem is: when you copied
ls from /bin, it linked with dynamic libraries, which
are not available after chroot. But ls which resides
in ~ftp/bin linked *statically*, and will work after chroot.

0
 
LVL 1

Expert Comment

by:bcook
Comment Utility
Swine of a thing - documentation indicated that it should work.

Seems that you'll have to copy the bin directory, rather than
simply linking to it.  Make sure you use the statically linked
ls from the ftp area, rather than the one the rest of the system uses.

0
 

Author Comment

by:rui.gil
Comment Utility
I think that I'm running in circles here. I already did the copy
sugestion and it worked fine, but as I already said this is not a valid solution for me because the number of users is to hight. A
static version of ls is about 300K ! Multiply this by 1000 and BOOM ! The Hard link seems the better answer but I really tried and it just does'nt work. What am I doing wrong ?!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now