ftpd Server question...

Greetings

I have an ftpd server set up on a customer's box running Linux 5.2, and they're not ready to change any software yet.  I have created a handful of FTP users.  Each user is a member of the same "FTP" group.  When each respective user logs in, they chroot to their home ftp directory.  I noticed that one user can change into another user's directory and other "sensitive" areas of the filesystem.  How do I restrict each user from having this ability?  I want them to be restricted to their respective home FTP directories.  Thankx ahead for any help.......

Nat
toolminator Asked:
jyu_88 Commented:
You will need to set it up so that 'chroot' really happens. If chroot is configured to the user's home, they will see /home/user1 as / when they ftp in.

How to set chroot for a user depends on which ftp server you are running:

With wu-ftpd, you'd need to add the 'ftp' group to /etc/ftpgroups, then change the user's home dir to '/home/user/./' or the like. The . will be the chroot point.
'usermod -d newHomeDir user'. man ftpd for more details.

With proftpd, it is quite simple: just enable "DefaultRoot  ~" in /etc/proftpd.conf

0
 
toolminator Author Commented:
Adjusted points from 100 to 1000
0
 
toolminator Author Commented:
First off, thankx for responding back.....

I've read the notes on wuftpd and proftpd (which looked really appealing, but software updates aren't an option at the moment), but they're using the ftpd that came with the RedHat distribution CD.  I believe it was just called ftpd.

Nat
0
 
modulus Commented:
Don't allow the users to use chroot!  It should be restricted to superuser/root only.  The chroot should be done by the server.  I've only done this for wu-ftpd, but I'm sure there's similar functionality in all other servers. Look for information about "virtual domains" for your particular server.  You add the user/guest to a /virtual/domainX.com/etc/ftpaccess list and then in a /virtual/domainX.com/etc/passwd specify the chroot dir and the starting home dir.

Check the manual pages at: http://www.landfield.com/wu-ftpd
Relevant excerpt:

     The user's home directory must be properly set up, exactly
     as anonymous FTP would be.  The home directory field of the
     passwd entry is divided into two directories.  The first
     field is the root directory which will be the argument to
     the chroot(2) call.  The second half is the user's home
     directory relative to the root directory.  The two halves
     are separated by a "/./".

     Example:
     in /etc/passwd, the real entry:

     guest1:<passwd>:100:92:Guest Account:/ftp/./incoming:/etc/ftponly

     When guest1 successfully logs in, the ftp server will
     chroot("/ftp") and then chdir("/incoming").  The guest
     user will only be able to access the directory structure
     under /ftp (which will look and act as / to guest1), just as
     an anonymous FTP user would.
0
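
Added example (not part of the original thread or of wu-ftpd): a Python audit of passwd entries for the "/./" convention quoted in the excerpt above, flagging FTP-group accounts that have no chroot marker or that share a chroot root with another account. The sample entries, FTP_GID and the function names are constructed for illustration; the script checks only the passwd format, not whether the server is configured to treat the group as guests.

```python
# Added example: audit passwd entries for the wu-ftpd "/./" chroot marker.
# PASSWD_SAMPLE and FTP_GID are constructed values, not taken from a real host.
from collections import defaultdict

FTP_GID = 92  # assumed gid of the shared FTP group

PASSWD_SAMPLE = """\
guest1:x:100:92:Guest Account:/ftp/./incoming:/etc/ftponly
user1:x:101:92:FTP user:/home/user1/./:/etc/ftponly
user2:x:102:92:FTP user:/home/user2:/etc/ftponly
guest2:x:103:92:Guest Account:/ftp/./outgoing:/etc/ftponly
admin:x:500:500:Admin:/home/admin:/bin/bash
"""

def split_home(home):
    """Return (chroot_root, start_dir), or None when no "/./" marker exists."""
    root, sep, rest = home.partition("/./")
    if not sep:
        return None
    return (root or "/", "/" + rest.strip("/"))

def audit(passwd_text, ftp_gid):
    """Map each user whose primary gid is ftp_gid to a chroot finding."""
    findings, by_root = {}, defaultdict(list)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip comments and malformed entries
        if fields[3] != str(ftp_gid):
            continue  # supplementary memberships in /etc/group are not checked
        user, home = fields[0], fields[5]
        parts = split_home(home)
        if parts is None:
            findings[user] = "NO CHROOT: home has no /./ marker"
        elif parts[0] == "/":
            findings[user] = "NO CONFINEMENT: chroot root is /"
        else:
            by_root[parts[0]].append(user)
            findings[user] = "ok: chroot(%s) then chdir(%s)" % parts
    for root, users in by_root.items():
        if len(users) > 1:  # accounts under one root can reach each other's dirs
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u] = "SHARED ROOT %s with %s" % (root, others)
    return findings

if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, FTP_GID).items():
        print("%-8s %s" % (user, finding))
```

Accounts reported as SHARED ROOT are confined to the same tree, so separation between them depends on directory ownership and permissions inside that root rather than on the chroot itself.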
 
jyu_88 Commented:
The ftpd that comes with RedHat is wu-ftpd, so just follow the info I gave above to configure chroot for users in the 'ftp' group. Add 'ftp' to /etc/ftpgroups, then change the users' home dir to the special format with the '.'.

modulus, what are you talking about, 'not letting users use chroot'? The wu-ftpd server will handle the chroot.
0
 
toolminator Author Commented:
Be back shortly, trying it out now....

Thanks for the input!!!!!!!!!!

me
0
 
modulus Commented:
jyu_88,
reading his question it seemed that he was talking about letting the _user_ run chroot, whereas one wants the _server_ to execute chroot.  A big difference, don't you think? Like I said, "The chroot should be done by the server" and like you said, "wu-ftpd server will handle the chroot."  So it seems we are in agreement, no?
best wishes,
modulus
0
 
toolminator Author Commented:
Hmmmmmmmmmmm.....

Still letting the person drop down directories... Bummer...
But I did go and grab the proftpd as a backup plan, much more straightforward!!! And it works!!! Bonus points... Guess they're just gonna have to deal with having new software....

Thankx big time for the input... A huge help as usual....

Nat
0
Question has a verified solution.
