LinuxQuestions.org
Old 10-07-2005, 08:42 AM   #1
jasonnth
LQ Newbie
 
Registered: Oct 2005
Posts: 6

Rep: Reputation: 0
ftp to linux server


How come when I ftp to a Linux server, I cannot change the path of the server?
Is this normal?

Other UX boxes, I can change the directory during an ftp session but not this
 
Old 10-07-2005, 09:26 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,578
Blog Entries: 14

Rep: Reputation: 969
You might be logging into a server that has ftp "jailed" with chroot.

For security many admins (if they allow FTP at all instead of scp/sftp) will restrict access of the ftp login using a "jail". This makes use of the chroot command that essentially tells an account that its home should be viewed as its root. In such a setup you can only do cd to subdirectories of the jail but not to parents.

If this is the case then when you log in as ftp it should return "/" when you type "pwd". Even though the directory may really be something like /home/ftpuser you'll never see it that way if it has been jailed.
 
Old 10-10-2005, 05:17 AM   #3
jasonnth
LQ Newbie
 
Registered: Oct 2005
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for the reply.

Is this jailed configuration system wide or profile specific?

Can I change it within my own profile? I do have root access thru sesu.
 
Old 10-10-2005, 11:02 AM   #4
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,578
Blog Entries: 14

Rep: Reputation: 969
For ftp I've done it was user specific. Actually I should say it was group specific - we'd add the users to a specific group which we'd allowed access to in our /etc/ftpaccess file. That was HP-UX (Unix) rather than Linux.

On my Debian Linux I see there is an /etc/ftpchroot file that mentions an ftpchroot man page. There is also an /etc/ftpusers file.

On my Redhat EL AS 3 these files do not exist. However the ftpd (8) man page does talk about chroot setup.

Probably best to have a look at your distro's man pages for ftp and ftpd and also do ls -l /etc/ftp* to see if there are any existing config files there.

As intimated before I'm not allowing ftp on any of the Linux servers (or any NEW ftp users on HP-UX or BSD) because we decided to enforce use of scp/sftp instead of ftp (as well as ssh instead of telnet). Unfortunately since we have some automated stuff in Production that was built with ftp we can't just turn off all access. Our intent is to turn it all off over time as we migrate those automated utilities. I'd highly recommend using scp/sftp unless you have a similar Production requirement.

chroot is not limited to ftp by the way. We have chroot'ed our DNS (named daemon) stuff as well. Even with scp/sftp it would be possible to do chroot to help enhance the security of the users beyond just the key setup allowed.
 
Old 10-10-2005, 11:21 AM   #5
murder
LQ Newbie
 
Registered: Aug 2005
Posts: 29

Rep: Reputation: 15
How do you "Jail" it to where they can only see those certain folders?
 
Old 10-10-2005, 11:37 AM   #6
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,578
Blog Entries: 14

Rep: Reputation: 969
Jailing is done with the "chroot" command.

Do a "man chroot" for details.

As noted in prior post it appears Debian may have a special config for ftp chroot so doing "man ftpchroot" on some distros may find info.

If not then "man ftp" and/or "man ftpd" to see if there are any comments about chroot within them.

Generally speaking what you do is set up a directory that contains all the files the user would need to operate that becomes the root ("/") as perceived by that user on login. There are good examples for named (DNS name daemon); you can google for DNS security for details:

Briefly it generally involves creating a directory and copying in key files into relative subdirectories of that (usually you'll copy in stuff from /etc to a subdirectory named etc for example). You then make sure these files ONLY have the information that user would need (for example although you'd copy in /etc/passwd you don't want to leave all the entries in the subdirectory etc/passwd - you only need the one for the user itself - you do this so that if a hacker DOES get in they can't get anywhere outside the directory and also can't get any benefit to getting that one passwd entry).
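
Added example, not part of the original posts and not any distro's own tooling: the jail layout described in post #6, sketched as a shell function that creates the jail's etc subdirectory and writes passwd and group files trimmed to the one jailed user. The function names, paths and accounts are hypothetical, the sample files are constructed, and blanking the password field and setting the home field to "/" are assumptions beyond what the post states.

```shell
#!/bin/sh
# Added example. build_jail, jail_passwd_ok, demo and all paths/accounts are
# hypothetical; the sample passwd/group content is constructed.

# build_jail JAILDIR USER PASSWD_SRC GROUP_SRC
build_jail() {
    jail=$1; user=$2; passwd_src=$3; group_src=$4

    # Stop if the user has no entry in the source passwd file.
    entry=$(awk -F: -v u="$user" '$1 == u' "$passwd_src")
    [ -n "$entry" ] || { echo "no passwd entry for $user" >&2; return 1; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)

    mkdir -p "$jail/etc" || return 1

    # Copy only the jailed user's line. Assumptions beyond the post: the
    # password field is blanked to "*" and the home field is set to "/",
    # since the jail directory is what the user sees as root.
    printf '%s\n' "$entry" |
        awk -F: -v OFS=: '{ $2 = "*"; $6 = "/"; print }' > "$jail/etc/passwd"

    # Keep only the user's primary group and drop its member list.
    awk -F: -v OFS=: -v g="$gid" '$3 == g { $4 = ""; print }' \
        "$group_src" > "$jail/etc/group"

    chmod 755 "$jail" "$jail/etc"
    chmod 444 "$jail/etc/passwd" "$jail/etc/group"
}

# Succeeds only if the jail's etc/passwd is exactly one line, for USER.
jail_passwd_ok() {
    [ "$(wc -l < "$1/etc/passwd" | tr -d ' ')" = 1 ] &&
        [ "$(cut -d: -f1 "$1/etc/passwd")" = "$2" ]
}

# Builds a jail in a temp directory from constructed input; prints its path.
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'ftpuser:x:1001:1001:FTP upload:/home/ftpuser:/bin/false' \
        'alice:x:1002:1002:Alice:/home/alice:/bin/sh' > "$work/passwd"
    printf '%s\n' 'root:x:0:' 'ftponly:x:1001:ftpuser,alice' \
        'users:x:1002:alice' > "$work/group"
    build_jail "$work/jail" ftpuser "$work/passwd" "$work/group" || return 1
    echo "$work/jail"
}
```

The sketch only prepares the directory tree; confining a login to it still takes the ftpd's own chroot configuration or chroot(8) run as root.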
 
All times are GMT -5. The time now is 08:25 AM.