[techtalk] FTP & chroot

Sheryl Weidner saska at noogie.com
Tue Aug 15 15:04:57 EST 2000


For others on the list, I've included Harald's reply and my follow-up
solution, in case anybody else wanted the full answer (thanks Harald!)

> > I'm running wu-ftpd on a RedHat Linux system and have a directory that
> 
> Well... I'm certainly no wuftp fan (proftpd rules!)...

Can't disagree with you there. :)  Also can't convince my consulting
customer to change based on my opinion; hence stuck. :)
 
> > Someone else with access to the system and the authority to sign my
> > invoices (mutter, mutter) changed the ownership of that directory and then
> > later decided that he wanted to re-enable the authentication process.
> > Now he is complaining that when he logs in as that user, he can change
> > directories to the local system (e.g. cd /), like any normal user
> > (although he has no shell access and gets the proper "access denied" error
> > on important files like /etc/shadow). He doesn't remember what all he
> > changed in fiddling with the system, so I'm hoping someone out there can
> > tell me how I can get this chroot status back in order to make him happy.
> 
> So you want to do a chroot() to the user's homedir? This is relatively easy,
> although there are some general requirements to do chroot() with a ftp-daemon
> which relies on external /bin/ls, etc.
> 
> Just edit the home-directory entry in /etc/passwd to something like:
> 
> user:x:111:11:Foo Bar:/pub/ftp/./:/bin/false
> 
> You have two parts. The first one is the path to chroot() into.
> The second part (after the .) is the directory (relative to the first part)
> the user should land after logging in.

I should have been more clear in that I had gotten that far already; what
was happening was that the user would log in and *start* in the proper
directory, but had the ability to change directories up into the
root/system level (e.g. the user could browse /etc, /bin, /var, and so
on).

Although wu-ftpd allows for this chroot behavior, it does *not* allow for
that behavior unless the user is also a member of a group defined as FTP
guest accounts.  Since I had created the account with adduser and not
modified the wuftpd configuration, wuftp thought the user was a 'system'
user and therefore didn't enforce the chrooted access.

I used linuxconf (under network services) to add the GID of the user to
the list of "guest" users in wuftp, and it now works like a charm.
 
--
Saska - saska at noogie.com - http://www.noogie.com/~saska

"He's an affable enough screen presence, but you'd be 
affable too if you could generate a lucrative movie 
career by copulating with baked goods."
	-Paul Tatara on Jason Biggs
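The two conditions discussed in the thread (the `/./` marker in the passwd home directory, and the user's group having to be listed as a guest group in wu-ftpd's ftpaccess) can be checked offline. The script below is an added example written for this page; it is not code from the original post or from wu-ftpd. It assumes the linuxconf "guest users" dialog writes a `guestgroup` line into `/etc/ftpaccess`, and that wu-ftpd honours supplementary group membership as well as the primary GID when deciding guest status. The embedded passwd, group and ftpaccess contents are constructed sample data.

```python
# Added example (not from the original post or wu-ftpd): reproduce the two
# checks that decide whether a wu-ftpd login ends up chrooted:
#   1. the user's group must appear on a "guestgroup" line in ftpaccess,
#      otherwise wu-ftpd treats the login as a "real" user and does not chroot;
#   2. the home directory may carry a "/./" marker that splits the chroot
#      root from the directory the user lands in after login.
# All three "files" below are constructed sample data.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftpuser:x:111:11:Foo Bar:/pub/ftp/./:/bin/false
webuser:x:112:100:Web User:/pub/ftp/./incoming:/bin/false
"""

GROUP = """\
ftpguest:x:11:
users:x:100:webuser
"""

FTPACCESS = """\
# constructed /etc/ftpaccess fragment
class   all   real,guest,anonymous  *
guestgroup ftpguest
"""


def parse_passwd(text):
    """Map user name -> (primary gid, home directory) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _uid, gid, _gecos, home, _shell = line.split(":")
        users[name] = (int(gid), home)
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary members) from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def guest_groups(text):
    """Collect every group name listed on 'guestgroup' lines of ftpaccess."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "guestgroup":
            names.update(fields[1:])
    return names


def split_home(home):
    """Apply the '/./' convention: (chroot root, directory to land in)."""
    if "/./" in home:
        root, rel = home.split("/./", 1)
        return root or "/", "/" + rel.strip("/")
    return home, "/"


def user_in_guest_group(user, gid, groups, guests):
    """True if the primary GID or a supplementary membership matches a guest group.
    (Assumption: wu-ftpd honours supplementary groups, not only the primary GID.)"""
    for gname in guests:
        if gname not in groups:
            continue
        g_gid, members = groups[gname]
        if g_gid == gid or user in members:
            return True
    return False


def check_user(user, passwd_text=PASSWD, group_text=GROUP, ftpaccess_text=FTPACCESS):
    """Return (chrooted, chroot_root, landing_dir) as wu-ftpd would treat the login."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    guests = guest_groups(ftpaccess_text)
    gid, home = users[user]
    root, landing = split_home(home)
    if not user_in_guest_group(user, gid, groups, guests):
        # "real" user: starts in its home directory but is not chrooted,
        # which is exactly the symptom described in the thread
        return (False, "/", home)
    return (True, root, landing)


if __name__ == "__main__":
    for u in ("ftpuser", "webuser"):
        chrooted, root, landing = check_user(u)
        if chrooted:
            print("%-8s chrooted to %s, lands in %s" % (u, root, landing))
        else:
            print("%-8s NOT chrooted (real user), starts in %s" % (u, landing))
```

Run as-is, `ftpuser` (primary group `ftpguest`, which is on the `guestgroup` line) is reported as chrooted to `/pub/ftp`, while `webuser` (group `users`, not listed) is reported as a real user that starts in its home directory but can wander up the filesystem. Appending `guestgroup users` to the ftpaccess text flips `webuser` to chrooted with `/incoming` as its landing directory, which is the fix the post arrived at via linuxconf.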