Solved

ftpd Server question...

Posted on 2000-05-05
Last Modified: 2012-05-04
Greetings

I have an ftpd server set up on a customer's box running linux 5.2, and they're not ready to change any software yet.  I have created a handful of FTP users.  Each user is a member of the same "FTP" group.  When each respective user logs in, they chroot to their home ftp directory.  I noticed that one user can change into another user's directory and other "sensitive" areas of the filesystem.  How do I restrict each user from having this ability?  I want them to be restricted to their respective home FTP directories.  Thankx ahead for any help.......

Nat
Question by:toolminator
8 Comments
 

Author Comment

by:toolminator
Adjusted points from 100 to 1000
 
LVL 3

Accepted Solution

by: jyu_88 earned 1000 total points
You will need to set it up so that 'chroot' really happens. If chroot is configured to the user's home, they will see /home/user1 as / when they ftp in.

How to set chroot for a user depends on which ftp server you are running:

With wu-ftpd, you'd need to add the 'ftp' group to /etc/ftpgroups, then change the user's home dir to '/home/user/./' or alike. The . will be the chroot point.
'usermod -d newHomeDir user'. man ftpd for more details.

With proftpd, it is quite simple: just enable "DefaultRoot  ~" in /etc/proftpd.conf
 

Author Comment

by:toolminator
First off, thankx for responding back.....

I've read the notes on wuftpd and proftpd (which looked really appealing, but software updates aren't an option at the moment), but they're using the ftpd that came with the redhat distribution cd.  I believe it was just called ftpd.

Nat
 
LVL 2

Expert Comment

by:modulus
Don't allow the users to use chroot!  It should be restricted to superuser/root only.  The chroot should be done by the server.  I've only done this for wu-ftpd, but I'm sure there's similar functionality in all other servers. Look for information about "virtual domains" for your particular server.  You add the user/guest to a /virtual/domainX.com/etc/ftpaccess list and then in a /virtual/domainX.com/etc/passwd specify the chroot dir and the starting home dir.

Check the manual pages at: http://www.landfield.com/wu-ftpd
Relevant excerpt:

The user's home directory must be properly set up, exactly as anonymous FTP would be. The home directory field of the passwd entry is divided into two directories. The first field is the root directory which will be the argument to the chroot(2) call. The second half is the user's home directory relative to the root directory. The two halves are separated by a "/./".

Example:
in /etc/passwd, the real entry:

     guest1:<passwd>:100:92:Guest Account:/ftp/./incoming:/etc/ftponly

When guest1 successfully logs in, the ftp server will chroot("/ftp") and then chdir("/incoming"). The guest user will only be able to access the directory structure under /ftp (which will look and act as / to guest1), just as an anonymous FTP user would.
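An added example, not part of the thread or of wu-ftpd: a small audit of passwd-format text for the "/./" home directory format quoted in the excerpt above. It lists FTP-group accounts with no chroot point and chroot roots shared by more than one account. The sample entries other than guest1, the GID 92 used as the FTP group, and the function names are assumptions; only primary group membership is checked.

```python
from collections import defaultdict
import posixpath

# Constructed sample in /etc/passwd format. guest1 is the manual's example entry;
# the other accounts, and GID 92 as the shared FTP group, are made up for this demo.
SAMPLE_PASSWD = """\
guest1:x:100:92:Guest Account:/ftp/./incoming:/etc/ftponly
user1:x:101:92:FTP user:/home/user1/./:/etc/ftponly
user2:x:102:92:FTP user:/home/user2:/etc/ftponly
user3:x:103:92:FTP user:/ftp/./user3:/etc/ftponly
admin:x:500:500:Shell user:/home/admin:/bin/bash
"""

def split_home(home):
    """Split a home field at "/./" into (chroot_root, start_dir).

    Returns (None, home) when the marker is absent, i.e. no chroot point is given.
    """
    root, marker, rest = home.partition("/./")
    if not marker:
        return None, home
    return posixpath.normpath(root or "/"), posixpath.normpath("/" + rest.lstrip("/"))

def audit(passwd_text, ftp_gid):
    """Report FTP-group accounts without a chroot point and jails shared by several users."""
    unjailed, jails = [], defaultdict(list)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue  # skip comments and malformed lines
        name, gid, home = fields[0], fields[3], fields[5]
        if gid != str(ftp_gid):
            continue  # only primary-group members are checked (assumption)
        root, start = split_home(home)
        if root is None:
            unjailed.append(name)
        else:
            jails[root].append((name, start))
    # Accounts with the same chroot root share one jail; only file permissions separate them.
    shared = {r: [n for n, _ in users] for r, users in jails.items() if len(users) > 1}
    return {"unjailed": unjailed, "jails": dict(jails), "shared": shared}

if __name__ == "__main__":
    report = audit(SAMPLE_PASSWD, 92)
    print("no chroot point:", report["unjailed"])
    for root, names in report["shared"].items():
        print("shared jail", root, "->", names)
```

To audit a real system, pass the contents of /etc/passwd and the numeric GID of the FTP group instead of the constructed sample.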

 
LVL 3

Expert Comment

by:jyu_88
The ftpd that comes with RedHat is wu-ftpd, so just follow the info I gave above to configure chroot for users in the 'ftp' group. Add 'ftp' to /etc/ftpgroups, then change the users' home dir to the special format with the '.'.

modulus, what are you talking about, 'not letting users use chroot'? The wu-ftpd server will handle the chroot.
 

Author Comment

by:toolminator
Be back shortly, trying it out now....

Thanks for the input!!!!!!!!!!

me
 
LVL 2

Expert Comment

by:modulus
jyu_88,
reading his question it seemed that he was talking about letting the _user_ run chroot, whereas one wants the _server_ to execute chroot.  A big difference, don't you think? Like I said, "The chroot should be done by the server" and like you said, "wu-ftpd server will handle the chroot."  So it seems we are in agreement, no?
best wishes,
modulus
 

Author Comment

by:toolminator
Hmmmmmmmmmmm.....

Still letting the person drop down directories... Bummer...
But I did go and grab the proftpd as a backup plan, much more straightforward!!! And it works!!! Bonus points... Guess they're just gonna have to deal with having new software....

Thankx big time for the input... A huge help as usual....

Nat