  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 565
  • Last Modified:

FTP and CHROOT

Hello there,

I am trying to set up my BSDI 3.0 machine so that when my users log in their home directory becomes their root directory.
I tried the tutorial at ftp://ftp.fni.com/pub/wu-ftpd/guest-howto 
but it didn't work. I am probably doing something wrong but I don't know what.
All my users are part of the group called 'user'. Perhaps this is a problem?
Any help would be appreciated.
Thanks

Asked by: Sunil

mgrcnk commented:
What exactly is the problem?  Can they not log in or is their home directory not automatically becoming their root directory?

Sunil (author) commented:
Sorry, I should have been more specific.
They can log in but their home directory is not the root directory.
Thank you.

mgrcnk commented:
What version of wu-ftpd are you running?  What are they getting for their home directory?  Can you post your config files, please?

Sunil (author) commented:
Hi,
Thank you for your prompt response.
Which config files do you need?
I think I am using version 2.4
When users log in they get their standard home directory which is usually /usr/home/username.

Thanks for your help

ahoffmann commented:
Read the section about  guestgroup <groupname> [<groupname> ...]
in ftpaccess' man-page.

Sunil (author) commented:
Hi...

I had a quick look but could not understand it.
Here is a copy of my ftpaccess file:
**********
class   all   real,guest,anonymous  *

limit   all   10   Any              /etc/msgs/msg.dead

readme  README*    login
readme  README*    cwd=*

message /welcome.msg            login
message .message                cwd=*

compress        yes             local remote
tar             yes             local remote

log commands real
log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg
guestgroup user
email user@hostname


ahoffmann commented:
The trick is the home-directory definition in /etc/passwd (see
/./) in conjunction with the guestgroup. If this doesn't work
you should get in contact with the wu-ftpd developers (a quick
test on my system failed)-:
IMO there is no other possibility to chroot for another user
than (anonymous) ftp.

mgrcnk commented:
I guess my last comment never made it through.  I needed you to post /etc/ftpaccess (which you already did) as well as any entry from /etc/passwd (you can change the password field).

Anyways, don't bother posting it, here is what I would be looking for:

lancastj:x:4048:1:Timothy J Lancaster:/Users/class97/lancastj:/bin/tcsh

When this user ftp's to our systems, his home directory will be /Users/class97/lancastj.  There is no way (that I know of) to override this for normal users (without modifying the source code).

So, check your entries in /etc/passwd and make sure they show the home directory that you want.  I hope this helps.

chris

ahoffmann commented:
After reading mgrcnk's answer I'm no longer sure if I had understood the question.
I thought the goal should be that a user's home directory should be the one specified in /etc/passwd  **and**  ftp's pwd command should report / (in this directory) if the user logs in via ftp, means that she cannot do a  "cd .." out of the home directory.
The only way to do this with wu-ftpd is (using mgrcnk example):

/etc/passwd
lancastj:x:4048:1:Timothy J Lancaster:/Users/class97/./lancastj:/bin/tcsh

/etc/group
user:x:1:

/etc/ftpaccess
guestgroup user
0
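
The check described in the post above (a guestgroup line in ftpaccess combined with a /./ marker in the passwd home field), as an added example that is not part of the original thread. The sample files are constructed, the function names are hypothetical, and matching on primary GID or listed membership is an assumption about how the server decides group membership.

```python
# Added example (not from the thread). Sample files are constructed, modelled
# on the ftpaccess/group/passwd excerpts quoted in the thread.
FTPACCESS = "class   all   real,guest,anonymous  *\nguestgroup user\n"
GROUP = "wheel:*:0:root\nuser:*:100:\nstaff:*:20:root,carol\n"
PASSWD = """\
sysop:*:100:0:,,,:/usr/home/sysop:/bin/bash
albert:*:111:100:,,,:/usr/home/albert:/bin/bash
carol:*:130:100:,,,:/usr/home/./carol:/bin/bash
"""

def guest_groups(ftpaccess):
    """Names listed on every 'guestgroup' line of an ftpaccess file."""
    names = set()
    for line in ftpaccess.splitlines():
        fields = line.split()
        if fields and fields[0] == "guestgroup":
            names.update(fields[1:])
    return names

def parse_groups(text):
    """Map group name -> (gid, set of listed member names)."""
    groups = {}
    for line in text.splitlines():
        p = line.strip().split(":")
        if len(p) >= 4 and p[2].isdigit():
            groups[p[0]] = (int(p[2]), set(filter(None, p[3].split(","))))
    return groups

def audit(ftpaccess, group_text, passwd_text):
    """Return {user: (is_guest, chroot_dir, cwd_inside_chroot)}."""
    groups = parse_groups(group_text)
    guests = [groups[g] for g in guest_groups(ftpaccess) if g in groups]
    report = {}
    for line in passwd_text.splitlines():
        f = line.strip().split(":")
        if len(f) < 7 or not f[3].isdigit():
            continue  # skip blank or malformed entries
        name, gid, home = f[0], int(f[3]), f[5]
        # Assumption: a user counts as a guest if the guest group is their
        # primary GID or they appear in the group's member list.
        is_guest = any(gid == g or name in members for g, members in guests)
        root, marker, rest = home.partition("/./")
        report[name] = (is_guest, root, "/" + rest) if marker else (is_guest, None, None)
    return report

def guests_missing_marker(report):
    """Guest-group users whose passwd home field has no /./ split point."""
    return sorted(u for u, (guest, root, _) in report.items() if guest and root is None)

if __name__ == "__main__":
    result = audit(FTPACCESS, GROUP, PASSWD)
    print(result)
    print("guests without /./:", guests_missing_marker(result))
```

Accounts returned by guests_missing_marker() are in a guest group but have a passwd home field with no /./ split point, so half of the setup described in the post above is absent for them.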

mgrcnk commented:
After reading ahoffman's response, I am unsure of the question myself.  I thought your users were not getting the home directory you wanted them to get.  This is controlled in /etc/passwd.  However, if you want their home directory to be as ahoffman said "that she cannot do a "cd .." out of the home directory", then I cannot help you.

chris

Sunil (author) commented:
Hi everyone....

What I want is, when users log in via ftp, I want their home directory to be /

I hope someone can help.

Thanks.



Here is a copy of the group file:
**************
wheel:*:0:root
daemon:*:1:daemon
kmem:*:2:root
sys:*:3:root
tty:*:4:root
operator:*:5:root
uucp:*:6:
bin:*:7:
news:*:8:
utmp:*:12:
games:*:13:
mail:*:14:
staff:*:20:root
bsdi:*:30:
www:*:84:
maxim:*:85:
user:*:100:
dialer:*:117:
netdial:*:118:
nogroup:*:32766:


Here is a copy of the passwd file:
****************************
root:*:0:0:System Administrator:/root:/bin/csh
daemon:*:1:1:System Daemon:/:/sbin/nologin
sys:*:2:2:Operating System:/tmp:/sbin/nologin
bin:*:3:7:BSDI Software:/usr/bsdi:/sbin/nologin
operator:*:5:5:System Operator:/usr/opr:/sbin/nologin
uucp:*:6:6:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucico
games:*:7:13:Games Pseudo-user:/usr/games:/sbin/nologin
news:*:9:8:USENET News,,,:/var/news/etc:/sbin/nologin
demo:*:10:13:Demo User:/usr/demo:/sbin/nologin
www:*:51:84:WWW-server:/var/www:/sbin/nologin
sysop:*:100:0:,,,:/usr/home/sysop:/bin/bash
au:*:101:0:,,,:/usr/home/au:/bin/bash
ops:*:102:0:,,,:/usr/home/ops:/bin/bash
ftp:*:108:84:,,,:/var/www/docs/ftp:/bin/bash
blackrhythm:*:109:100:,,,:/var/www/docs/blackrhythm:/bin/bash
infostream:*:110:100:,,,:/usr/home/infostream:/bin/bash
albert:*:111:100:,,,:/usr/home/albert:/bin/bash
glen:*:112:100:,,,:/usr/mail/glen:/bin/bash
jack:*:113:100:,,,:/usr/mail/jack:/bin/bash
predator:*:114:100:,,,:/usr/home/predator:/bin/bash
brainbug:*:115:100:,,,:/usr/home/brainbug:/bin/bash
wsaa:*:116:100:,,,:/usr/home/wsaa:/bin/bash
awwa:*:117:100:,,,:/usr/home/awwa:/bin/bash
autobahn:*:118:100:,,,:/usr/home/autobahn:/bin/bash
animesh:*:121:100:,,,:/usr/mail/animesh:/bin/bash
flotech:*:122:100:,,,:/usr/mail/flotech:/bin/bash
mbates:*:123:100:,,,:/usr/mail/mbates:/bin/bash
sybil:*:124:100:,,,:/usr/mail/sybil:/bin/bash
jorourke:*:125:100:,,,:/usr/mail/jorourke:/bin/bash
joanne:*:126:100:,,,:/usr/mail/joanne:/bin/bash
david:*:127:100:,,,:/usr/mail/david:/bin/bash
nobody:*:32767:32766:Unprivileged user:/nonexistent:/sbin/nologin
nonroot:*:65534:32766:Non-root root user for NFS:/nonexistent:/sbin/nologin





ahoffmann commented:
Hmm, the man-pages for ftpaccess states it all: chroot only for (anonymous) ftp or for those users in guestgroup. That's all.

Seems that you must patch the sources to satisfy your goal.

Sorry Achim

Sunil (author) commented:
Dear ahoffmann,

My goal is to make the guestgroup users be CHROOTed.
My guestgroup is user
and all my users are part of this group.
I have just probably left a small part out.
Could you please take another look at it.
I'm sure that I have just done something that is very minor wrong.

Thank you very much.



ahoffmann commented:
Writing down my knowledge seems to be more difficult than speaking about :-)

Again: chroot of wu-ftp --this is the system call chroot()--  will only be done for the users mentioned in the man-pages (see my last comment).
There is also no possibility to cd automatically to a specific directory. Unfortunately ftp has its own shell, and so, does not perform any .profile, .cshrc or whatever.

In your case the user may simply call "cd /", is there any problem? If the root directory is a long pathname you may use the "cdpath ..." functionality in  /etc/ftpaccess.
Anything else must be programmed by yourself (IMO).

Sunil (author) commented:
Hi...

I am sorry for not being very clear about what I require.
I do not need my users to be CD'd to another directory.
All I need is for their directory to become the root directory.
The purpose of this is to prevent users from going up a level in the directory structure.
As I mentioned earlier, My users are part of the guestgroup so I don't see any problem.

I would greatly appreciate it if you could review my config files again and see if there is a problem.

Would it help if I set up a user for you on the system so you can log on and check everything you need to?

Thank you for all your help.

ahoffmann commented:
> All I need is for their directory to become the root directory
Ok, this was in your initial question too, some comments made me confused @~)
The solution therefore should be the guestgroup (but it doesn't work at my site either). Maybe we trapped into a bug of wu-ftpd.
I think this needs further investigations, for example -d option to wu-ftpd and inspecting the sources. I'm too busy for this at the moment, sorry.

1stomni commented:
Hello,

I have a real easy solution for you.  I had the same question as you have and many other security issues with wu-ftpd.  After extensive evaluation we found a program called ncftpd.  It is great.  It can be installed and configured in 15 minutes, it is only $29, it supports virtual anonymous ftp sites with a config file almost exactly the same as Apache and more.  I highly suggest changing to this software.  It is very reliable, very easy to configure and does everything you would ever want to do with FTP.  It is designed with ISP's in mind and can handle a much larger load with less resources than wu-ftpd.

Good Luck

David