FTP and CHROOT

Sunil asked
Last Modified: 2011-01-17
Hello there,

I am trying to set up my BSDI 3.0 machine so that when my users log in their home directory becomes their root directory.
I tried the tutorial at ftp://ftp.fni.com/pub/wu-ftpd/guest-howto
but it didn't work. I am probably doing something wrong but I don't know what.
All my users are part of the group called 'user'. Perhaps this is a problem?
Any help would be appreciated.
Thanks

Commented:
What exactly is the problem?  Can they not log in or is their home directory not automatically becoming their root directory?

Author

Commented:
Sorry, I should have been more specific.
They can log in but their home directory is not the root directory.
Thank you.

Commented:
What version of wu-ftpd are you running?  What are they getting for their home directory?  Can you post your config files, please?

Author

Commented:
Hi,
Thank you for your prompt response.
Which config files do you need?
I think I am using version 2.4
When users log in they get their standard home directory which is usually /usr/home/username.

Thanks for your help

Read the section about  guestgroup <groupname> [<groupname> ...]
in ftpaccess' man-page.

Author

Commented:
Hi...

I had a quick look but could not understand it.
Here is a copy of my ftpaccess file:
**********
class   all   real,guest,anonymous  *

limit   all   10   Any              /etc/msgs/msg.dead

readme  README*    login
readme  README*    cwd=*

message /welcome.msg            login
message .message                cwd=*

compress        yes             local remote
tar             yes             local remote

log commands real
log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg
guestgroup user
email user@hostname


The trick is the home-directory definition in /etc/passwd (see
/./) in conjunction with the guestgroup. If this doesn't work
you should get in contact with the wu-ftpd developers (a quick
test on my system failed)-:
IMO there is no other possibility to chroot for another user
than (anonymous) ftp.

Commented:
I guess my last comment never made it through.  I needed you to post /etc/ftpaccess (which you already did) as well as any entry from /etc/passwd (you can change the password field).

Anyways, don't bother posting it, here is what I would be looking for:

lancastj:x:4048:1:Timothy J Lancaster:/Users/class97/lancastj:/bin/tcsh

When this user ftp's to our systems, his home directory will be /Users/class97/lancastj.  There is no way (that I know of) to override this for normal users (without modifying the source code).

So, check your entries in /etc/passwd and make sure they show the home directory that you want.  I hope this helps.

chris

After reading mgrcnk's answer I'm no longer sure if I had understood the question.
I thought the goal should be that a user's home directory should be the one specified in /etc/passwd  **and**  ftp's pwd command should report / (in this directory) if the user logs in via ftp, which means that she cannot do a  "cd .." out of the home directory.
The only way to do this with wu-ftpd is (using mgrcnk's example):

/etc/passwd
lancastj:x:4048:1:Timothy J Lancaster:/Users/class97/./lancastj:/bin/tcsh

/etc/group
user:x:1:

/etc/ftpaccess
guestgroup user
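
A way to check the three files against the recipe in the comment above, as an added example that is not part of the original thread. It assumes an account counts as a guest if its primary GID or the group's member list matches a guestgroup entry, and it splits the home field at "/./" into chroot directory and start directory following the wu-ftpd guest-account convention; the sample file contents are constructed, modelled on the files posted in this thread.

```python
# Added example (not from the thread): audit guestgroup accounts for the "/./" marker.
# The sample file contents below are constructed, modelled on the thread's files.

def guest_groups(ftpaccess):
    """Return the group names listed on 'guestgroup' lines of an ftpaccess file."""
    names = set()
    for line in ftpaccess.splitlines():
        fields = line.split()
        if fields and fields[0] == "guestgroup":
            names.update(fields[1:])
    return names

def audit(passwd, group, ftpaccess):
    """Map each guestgroup account to (chroot_dir, start_dir), or None without '/./'."""
    wanted = guest_groups(ftpaccess)
    gids, listed = set(), set()
    for line in group.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[0] in wanted:
            gids.add(parts[2])                                  # match by primary GID
            listed.update(m for m in parts[3].split(",") if m)  # match by member list
    report = {}
    for line in passwd.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 7:
            continue
        name, gid, home = parts[0], parts[3], parts[-2]  # home is the field before the shell
        if gid not in gids and name not in listed:
            continue  # not a guest account under the assumption stated in the lead-in
        root, marker, rest = home.partition("/./")
        report[name] = (root or "/", "/" + rest.strip("/")) if marker else None
    return report

FTPACCESS = "class   all   real,guest,anonymous  *\nguestgroup user\n"
GROUP = "wheel:*:0:root\nuser:*:100:\n"
PASSWD = """\
sysop:*:100:0:,,,:/usr/home/sysop:/bin/bash
albert:*:111:100:,,,:/usr/home/albert:/bin/bash
glen:*:112:100:,,,:/usr/mail/glen/./:/bin/bash
lancastj:*:4048:100:,,,:/Users/class97/./lancastj:/bin/tcsh
"""

if __name__ == "__main__":
    for name, result in sorted(audit(PASSWD, GROUP, FTPACCESS).items()):
        print(name, "->", result if result else "no /./ marker in home field")
```

An account reported without the marker has a home field that does not follow the recipe above; a trailing "/./" gives the layout the question asks for, where the home directory itself is reported as /.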

Commented:
After reading ahoffman's response, I am unsure of the question myself.  I thought your users were not getting the home directory you wanted them to get.  This is controlled in /etc/passwd.  However, if you want their home directory to be as ahoffman said "that she cannot do a "cd .." out of the home directory", then I cannot help you.

chris

Author

Commented:
Hi everyone....

What I want is, when users log in via ftp, for their home directory to be /

I hope someone can help.

Thanks.



Here is a copy of the group file:
**************
wheel:*:0:root
daemon:*:1:daemon
kmem:*:2:root
sys:*:3:root
tty:*:4:root
operator:*:5:root
uucp:*:6:
bin:*:7:
news:*:8:
utmp:*:12:
games:*:13:
mail:*:14:
staff:*:20:root
bsdi:*:30:
www:*:84:
maxim:*:85:
user:*:100:
dialer:*:117:
netdial:*:118:
nogroup:*:32766:


Here is a copy of the passwd file:
****************************
root:*:0:0:System Administrator:/root:/bin/csh
daemon:*:1:1:System Daemon:/:/sbin/nologin
sys:*:2:2:Operating System:/tmp:/sbin/nologin
bin:*:3:7:BSDI Software:/usr/bsdi:/sbin/nologin
operator:*:5:5:System Operator:/usr/opr:/sbin/nologin
uucp:*:6:6:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucico
games:*:7:13:Games Pseudo-user:/usr/games:/sbin/nologin
news:*:9:8:USENET News,,,:/var/news/etc:/sbin/nologin
demo:*:10:13:Demo User:/usr/demo:/sbin/nologin
www:*:51:84:WWW-server:/var/www:/sbin/nologin
sysop:*:100:0:,,,:/usr/home/sysop:/bin/bash
au:*:101:0:,,,:/usr/home/au:/bin/bash
ops:*:102:0:,,,:/usr/home/ops:/bin/bash
ftp:*:108:84:,,,:/var/www/docs/ftp:/bin/bash
blackrhythm:*:109:100:,,,:/var/www/docs/blackrhythm:/bin/bash
infostream:*:110:100:,,,:/usr/home/infostream:/bin/bash
albert:*:111:100:,,,:/usr/home/albert:/bin/bash
glen:*:112:100:,,,:/usr/mail/glen:/bin/bash
jack:*:113:100:,,,:/usr/mail/jack:/bin/bash
predator:*:114:100:,,,:/usr/home/predator:/bin/bash
brainbug:*:115:100:,,,:/usr/home/brainbug:/bin/bash
wsaa:*:116:100:,,,:/usr/home/wsaa:/bin/bash
awwa:*:117:100:,,,:/usr/home/awwa:/bin/bash
autobahn:*:118:100:,,,:/usr/home/autobahn:/bin/bash
animesh:*:121:100:,,,:/usr/mail/animesh:/bin/bash
flotech:*:122:100:,,,:/usr/mail/flotech:/bin/bash
mbates:*:123:100:,,,:/usr/mail/mbates:/bin/bash
sybil:*:124:100:,,,:/usr/mail/sybil:/bin/bash
jorourke:*:125:100:,,,:/usr/mail/jorourke:/bin/bash
joanne:*:126:100:,,,:/usr/mail/joanne:/bin/bash
david:*:127:100:,,,:/usr/mail/david:/bin/bash
nobody:*:32767:32766:Unprivileged user:/nonexistent:/sbin/nologin
nonroot:*:65534:32766:Non-root root user for NFS:/nonexistent:/sbin/nologin





Hmm, the man-pages for ftpaccess states it all: chroot only for (anonymous) ftp or for those users in guestgroup. That's all.

Seems that you must patch the sources to satisfy your goal.

Sorry Achim

Author

Commented:
Dear ahoffmann,

My goal is to make the guestgroup users be CHROOTed.
My guestgroup is user
and all my users are part of this group.
I have probably just left a small part out.
Could you please take another look at it.
I'm sure that I have just done something that is very minor wrong.

Thank you very much.



Writing down my knowledge seems to be more difficult than speaking about :-)

Again: chroot of wu-ftp --this is the system call chroot()--  will only be done for the users mentioned in the man-pages (see my last comment).
There is also no possibility to cd automatically to a specific directory. Unfortunately ftp has its own shell, and so, does not perform any .profile, .cshrc or whatever.

In your case the user may simply call "cd /", is there any problem? If the root directory is a long pathname you may use the "cdpath ..." functionality in  /etc/ftpaccess.
Anything else must be programmed by yourself (IMO).

Author

Commented:
Hi...

I am sorry for not being very clear about what I require.
I do not need my users to be CD'd to another directory.
All I need is for their directory to become the root directory.
The purpose of this is to prevent users from going up a level in the directory structure.
As I mentioned earlier, my users are part of the guestgroup so I don't see any problem.

I would greatly appreciate it if you could review my config files again and see if there is a problem.

Would it help if I set up a user for you on the system so you can log on and check everything you need to?

Thank you for all your help.

> All I need is for there directory to become the root directory
Ok, this was in your initial question too, some comments made me confused @~)
The solution therefore should be the guestgroup (but it doesn't work at my site either). Maybe we have run into a bug of wu-ftpd.
I think this needs further investigation, for example the -d option to wu-ftpd and inspecting the sources. I'm too busy for this at the moment, sorry.

Commented:
Hello,

I have a real easy solution for you.  I had the same question as you have and many other security issues with wu-ftpd.  After extensive evaluation we found a program called ncftpd.  It is great.  It can be installed and configured in 15 minutes, it is only $29, it supports virtual anonymous ftp sites with a config file almost exactly the same as Apache and more.  I highly suggest changing to this software.  It is very reliable, very easy to configure and does everything you would ever want to do with FTP.  It is designed with ISPs in mind and can handle a much larger load with fewer resources than wu-ftpd.

Good Luck

David
