Solved

FTP and CHROOT

Posted on 1997-07-19
Last Modified: 2011-01-17
Hello there,

I am trying to set up my BSDI 3.0 machine so that when my users log in their home directory becomes their root directory.
I tried the tutorial at ftp://ftp.fni.com/pub/wu-ftpd/guest-howto
but it didn't work. I am probably doing something wrong but I don't know what.
All my users are part of the group called 'user'. Perhaps this is a problem?
Any help would be appreciated.
Thanks
0
Question by:Sunil
17 Comments
 
LVL 1

Expert Comment

by:mgrcnk
ID: 2006559
What exactly is the problem?  Can they not log in or is their home directory not automatically becoming their root directory?
0
 

Author Comment

by:Sunil
ID: 2006560
Sorry, I should have been more specific.
They can log in but their home directory is not the root directory.
Thank you.
0
 
LVL 1

Expert Comment

by:mgrcnk
ID: 2006561
What version of wu-ftpd are you running?  What are they getting for their home directory?  Can you post your config files, please?

0
 

Author Comment

by:Sunil
ID: 2006562
Hi,
Thank you for your prompt response.
Which config files do you need?
I think I am using version 2.4
When users log in they get their standard home directory which is usually /usr/home/username.

Thanks for your help
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2006563
Read the section about  guestgroup <groupname> [<groupname> ...]
in ftpaccess' man-page.
0
 

Author Comment

by:Sunil
ID: 2006564
Hi...

I had a quick look but could not understand it.
Here is a copy of my ftpaccess file:
**********
class   all   real,guest,anonymous  *

limit   all   10   Any              /etc/msgs/msg.dead

readme  README*    login
readme  README*    cwd=*

message /welcome.msg            login
message .message                cwd=*

compress        yes             local remote
tar             yes             local remote

log commands real
log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg
guestgroup user
email user@hostname


0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2006565
The trick is the home-directory definition in /etc/passwd (see
/./) in conjunction with the guestgroup. If this doesn't work
you should get in contact with the wu-ftpd developers (a quick
test on my system failed)-:
IMO there is no other possibility to chroot for another user
than (anonymous) ftp.
0
 
LVL 1

Expert Comment

by:mgrcnk
ID: 2006566
I guess my last comment never made it through.  I needed you to post /etc/ftpaccess (which you already did) as well as any entry from /etc/passwd (you can change the password field).

Anyways, don't bother posting it, here is what I would be looking for:

lancastj:x:4048:1:Timothy J Lancaster:/Users/class97/lancastj:/bin/tcsh

When this user ftp's to our systems, his home directory will be /Users/class97/lancastj.  There is no way (that I know of) to override this for normal users (without modifying the source code).

So, check your entries in /etc/passwd and make sure they show the home directory that you want.  I hope this helps.

chris

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2006567
After reading mgrcnk's answer I'm no longer sure if I had understood the question.
I thought the goal should be that a user's home directory should be the one specified in /etc/passwd  **and**  ftp's pwd command should report / (in this directory) if the user logs in via ftp, meaning that she cannot do a  "cd .." out of the home directory.
The only way to do this with wu-ftpd is (using mgrcnk's example):

/etc/passwd
lancastj:x:4048:1:Timothy J Lancaster:/Users/class97/./lancastj:/bin/tcsh

/etc/group
user:x:1:

/etc/ftpaccess
guestgroup user
0
 
LVL 1

Expert Comment

by:mgrcnk
ID: 2006568
After reading ahoffmann's response, I am unsure of the question myself.  I thought your users were not getting the home directory you wanted them to get.  This is controlled in /etc/passwd.  However, if you want their home directory to be as ahoffmann said "that she cannot do a "cd .." out of the home directory", then I cannot help you.

chris
0
 

Author Comment

by:Sunil
ID: 2006569
Hi everyone....

What I want is that when users log in via ftp, their home directory is /

I hope someone can help.

Thanks.



Here is a copy of the group file:
**************
wheel:*:0:root
daemon:*:1:daemon
kmem:*:2:root
sys:*:3:root
tty:*:4:root
operator:*:5:root
uucp:*:6:
bin:*:7:
news:*:8:
utmp:*:12:
games:*:13:
mail:*:14:
staff:*:20:root
bsdi:*:30:
www:*:84:
maxim:*:85:
user:*:100:
dialer:*:117:
netdial:*:118:
nogroup:*:32766:


Here is a copy of the passwd file:
****************************
root:*:0:0:System Administrator:/root:/bin/csh
daemon:*:1:1:System Daemon:/:/sbin/nologin
sys:*:2:2:Operating System:/tmp:/sbin/nologin
bin:*:3:7:BSDI Software:/usr/bsdi:/sbin/nologin
operator:*:5:5:System Operator:/usr/opr:/sbin/nologin
uucp:*:6:6:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucico
games:*:7:13:Games Pseudo-user:/usr/games:/sbin/nologin
news:*:9:8:USENET News,,,:/var/news/etc:/sbin/nologin
demo:*:10:13:Demo User:/usr/demo:/sbin/nologin
www:*:51:84:WWW-server:/var/www:/sbin/nologin
sysop:*:100:0:,,,:/usr/home/sysop:/bin/bash
au:*:101:0:,,,:/usr/home/au:/bin/bash
ops:*:102:0:,,,:/usr/home/ops:/bin/bash
ftp:*:108:84:,,,:/var/www/docs/ftp:/bin/bash
blackrhythm:*:109:100:,,,:/var/www/docs/blackrhythm:/bin/bash
infostream:*:110:100:,,,:/usr/home/infostream:/bin/bash
albert:*:111:100:,,,:/usr/home/albert:/bin/bash
glen:*:112:100:,,,:/usr/mail/glen:/bin/bash
jack:*:113:100:,,,:/usr/mail/jack:/bin/bash
predator:*:114:100:,,,:/usr/home/predator:/bin/bash
brainbug:*:115:100:,,,:/usr/home/brainbug:/bin/bash
wsaa:*:116:100:,,,:/usr/home/wsaa:/bin/bash
awwa:*:117:100:,,,:/usr/home/awwa:/bin/bash
autobahn:*:118:100:,,,:/usr/home/autobahn:/bin/bash
animesh:*:121:100:,,,:/usr/mail/animesh:/bin/bash
flotech:*:122:100:,,,:/usr/mail/flotech:/bin/bash
mbates:*:123:100:,,,:/usr/mail/mbates:/bin/bash
sybil:*:124:100:,,,:/usr/mail/sybil:/bin/bash
jorourke:*:125:100:,,,:/usr/mail/jorourke:/bin/bash
joanne:*:126:100:,,,:/usr/mail/joanne:/bin/bash
david:*:127:100:,,,:/usr/mail/david:/bin/bash
nobody:*:32767:32766:Unprivileged user:/nonexistent:/sbin/nologin
nonroot:*:65534:32766:Non-root root user for NFS:/nonexistent:/sbin/nologin





0
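A checker for the layout ahoffmann describes earlier in the thread (a `guestgroup` line in ftpaccess plus a `/./` in the passwd home field), run over lines excerpted from the files posted above. This is an added example, not part of any post: the function names are hypothetical, the `glen` entry was altered to show the `/./` form, and counting primary-GID membership as guestgroup membership is an assumption.

```python
# Added example (not from the thread). Sample data is constructed from the
# files posted above; the "glen" home was altered to show the "/./" form.
FTPACCESS = "class   all   real,guest,anonymous  *\nguestgroup user\n"
GROUP = "wheel:*:0:root\nuser:*:100:\n"
PASSWD = (
    "sysop:*:100:0:,,,:/usr/home/sysop:/bin/bash\n"
    "albert:*:111:100:,,,:/usr/home/albert:/bin/bash\n"
    "glen:*:112:100:,,,:/usr/mail/./glen:/bin/bash\n"
)

def guest_groups(ftpaccess):
    """Group names given on 'guestgroup' lines of ftpaccess."""
    names = set()
    for line in ftpaccess.splitlines():
        fields = line.split()
        if fields and fields[0] == "guestgroup":
            names.update(fields[1:])
    return names

def parse_group(group):
    """Map group name -> (gid, explicitly listed members)."""
    table = {}
    for line in group.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[2].isdigit():
            table[parts[0]] = (int(parts[2]), set(filter(None, parts[3].split(","))))
    return table

def split_home(home):
    """Split a home field at the first '/./' into (chroot dir, dir inside it)."""
    root, marker, rest = home.partition("/./")
    return (root, "/" + rest) if marker else None

def audit(ftpaccess, group, passwd):
    """For each passwd user in a guestgroup, report how the home field splits."""
    groups = parse_group(group)
    guests = {g: groups[g] for g in guest_groups(ftpaccess) if g in groups}
    report = {}
    for line in passwd.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 7 or not parts[3].isdigit():
            continue
        user, gid, home = parts[0], int(parts[3]), parts[5]
        for name, (ggid, members) in guests.items():
            if gid == ggid or user in members:
                # Assumption: primary-GID and listed membership both count.
                via = "primary gid" if gid == ggid else "listed member"
                report[user] = {"group": name, "via": via, "split": split_home(home)}
    return report

if __name__ == "__main__":
    for user, info in audit(FTPACCESS, GROUP, PASSWD).items():
        print(user, info)
```

A `split` of `None` means the home field carries no `/./` marker; a home ending in `/./` splits so that the directory inside the chroot is `/`.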
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2006570
Hmm, the man-pages for ftpaccess states it all: chroot only for (anonymous) ftp or for those users in guestgroup. That's all.

Seems that you must patch the sources to satisfy your goal.

Sorry Achim
0
 

Author Comment

by:Sunil
ID: 2006571
Dear ahoffmann,

My goal is to make the guestgroup users be CHROOTed.
My guestgroup is user
and all my users are part of this group.
I have probably just left a small part out.
Could you please take another look at it.
I'm sure that I have just done something that is very minor wrong.

Thank you very much.



0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2006572
Writing down my knowledge seems to be more difficult than speaking about :-)

Again: chroot of wu-ftp --this is the system call chroot()--  will only be done for the users mentioned in the man-pages (see my last comment).
There is also no possibility to cd automatically to a specific directory. Unfortunately ftp has its own shell, and so, does not perform any .profile, .cshrc or whatever.

In your case the user may simply call "cd /", is there any problem? If the root directory is a long pathname you may use the "cdpath ..." functionality in  /etc/ftpaccess.
Anything else must be programmed by yourself (IMO).
0
 

Author Comment

by:Sunil
ID: 2006573
Hi...

I am sorry for not being very clear about what I require.
I do not need my users to be CD'd to another directory.
All I need is for their directory to become the root directory.
The purpose of this is to prevent users from going up a level in the directory structure.
As I mentioned earlier, my users are part of the guestgroup so I don't see any problem.

I would greatly appreciate it if you could review my config files again and see if there is a problem.

Would it help if I set up a user for you on the system so you can log on and check everything you need to?

Thank you for all your help.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2006574
> All I need is for their directory to become the root directory
Ok, this was in your initial question too, some comments made me confused @~)
The solution therefore should be the guestgroup (but it doesn't work at my site either). Maybe we are trapped by a bug in wu-ftpd.
I think this needs further investigation, for example the -d option to wu-ftpd and inspecting the sources. I'm too busy for this at the moment, sorry.
0
 

Accepted Solution

by:
1stomni earned 130 total points
ID: 2006575
Hello,

I have a real easy solution for you.  I had the same question as you have and many other security issues with wu-ftpd.  After extensive evaluation we found a program called ncftpd.  It is great.  It can be installed and configured in 15 minutes, it is only $29, it supports virtual anonymous ftp sites with a config file almost exactly the same as Apache and more.  I highly suggest changing to this software.  It is very reliable, very easy to configure and does everything you would ever want to do with FTP.  It is designed with ISPs in mind and can handle a much larger load with less resources than wu-ftpd.

Good Luck

David
0
