You might be logging into a server that has ftp "jailed" with chroot.
For security many admins (if they allow FTP at all instead of scp/sftp) will restrict access of the ftp login using a "jail". This makes use of the chroot command that essentially tells an account that its home should be viewed as its root. In such a setup you can only do cd to subdirectories of the jail but not to parents.
If this is the case then when you log in as ftp it should return "/" when you type "pwd". Even though the directory may really be something like /home/ftpuser you'll never see it that way if it has been jailed.
For ftp I've done it was user specific. Actually I should say it was group specific - we'd add the users to a specific group which we'd allowed access to in our /etc/ftpaccess file. That was HP-UX (Unix) rather than Linux.
On my Debian Linux I see there is an /etc/ftpchroot file that mentions an ftpchroot man page. There is also an /etc/ftpusers file.
On my Redhat EL AS 3 these files do not exist. However the ftpd (8) man page does talk about chroot setup.
Probably best to have a look at your distro's man pages for ftp and ftpd and also do ls -l /etc/ftp* to see if there are any existing config files there.
As intimated before I'm not allowing ftp on any of the Linux servers (or any NEW ftp users on HP-UX or BSD) because we decided to enforce use of scp/sftp instead of ftp (as well as ssh instead of telnet). Unfortunately since we have some automated stuff in Production that was built with ftp we can't just turn off all access. Our intent is to turn it all off over time as we migrate those automated utilities. I'd highly recommend using scp/sftp unless you have a similar Production requirement.
chroot is not limited to ftp by the way. We have chroot'ed our DNS (named daemon) stuff as well. Even with scp/sftp it would be possible to do chroot to help enhance the security of the users beyond just the key setup allowed.
As noted in prior post it appears Debian may have a special config for ftp chroot so doing "man ftpchroot" on some distros may find info.
If not then "man ftp" and/or "man ftpd" to see if there are any comments about chroot within them.
Generally speaking what you do is set up a directory that contains all the files the user would need to operate that becomes the root ("/") as perceived by that user on login. There are good examples for named (DNS name daemon) you can google for DNS security for details:
Briefly it generally involves creating a directory and copying in key files into relative subdirectories of that (usually you'll copy in stuff from /etc to a subdirectory named etc for example). You then make sure these files ONLY have the information that user would need (for example although you'd copy in /etc/passwd you don't want to leave all the entries in the subdirectory etc/passwd - you only need the one for the user itself - you do this so that if a hacker DOES get in they can't get anywhere outside the directory and also can't get any benefit to getting that one passwd entry).
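
The trimmed etc/passwd copy described in the post above, as an added example that is not part of the original thread. The account name, group name and paths are constructed, and rewriting the home field to "/" is an assumption that matches the jailed view of the directory.

```shell
#!/bin/sh
# Added example: populate etc/ inside a chroot jail with only the entries
# the jailed account needs. Account names and paths are constructed.

# build_jail_etc SRC_PASSWD SRC_GROUP USER JAIL
# Writes JAIL/etc/passwd and JAIL/etc/group holding only USER's entry and
# USER's primary group. Returns non-zero if USER has no passwd entry.
build_jail_etc() {
    src_passwd=$1 src_group=$2 user=$3 jail=$4

    # Exact match on field 1 so "ftpuser" does not also pull in "ftpuser2".
    entry=$(awk -F: -v u="$user" '$1 == u' "$src_passwd")
    [ -n "$entry" ] || { echo "no passwd entry for $user" >&2; return 1; }

    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    mkdir -p "$jail/etc" || return 1

    # Inside the jail the home directory is seen as "/" (assumption), and the
    # password field is forced to "x" so no hash is ever copied in.
    printf '%s\n' "$entry" |
        awk -F: -v OFS=: '{ $2 = "x"; $6 = "/"; print }' \
        > "$jail/etc/passwd"
    # Only the primary group, with its member list emptied.
    awk -F: -v OFS=: -v g="$gid" '$3 == g { $2 = "x"; $4 = ""; print }' \
        "$src_group" > "$jail/etc/group"

    # World-readable for name lookups, writable by the owner only.
    chmod 755 "$jail" "$jail/etc"
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
}

# jail_entry_count JAIL: number of accounts visible from inside the jail.
jail_entry_count() {
    wc -l < "$1/etc/passwd" | tr -d ' '
}

# Demo on constructed data when run with --demo (never reads the real /etc).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'ftpuser:x:1001:1001:FTP account:/home/ftpuser:/bin/sh' > "$d/passwd"
    printf '%s\n' 'root:x:0:' 'ftponly:x:1001:ftpuser' > "$d/group"
    build_jail_etc "$d/passwd" "$d/group" ftpuser "$d/jail" && cat "$d/jail/etc/passwd"
    rm -rf "$d"
fi
```
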