LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Another vsftpd/chroot question (http://www.linuxquestions.org/questions/linux-security-4/another-vsftpd-chroot-question-37978/)

mattsavigear 12-11-2002 07:18 AM

Another vsftpd/chroot question
 
I'm currently using wu-ftpd to run a couple of services for my friends, basically each one is a mailing list and ftp archive. In order to avoid them messing with the system files (required because I'm running mail accounts as well), and to give a generally cleaner "interface", I have wu_ftpd chroot them to /home/<user>/ftp instead of the more usual /home/<user>. Each account has an otherwise empty ftp directory that thay can make as much mess as they like in.

Now, I don't like a few things about the way wu-ftpd works, and I'd like to migrate to vsftpd, however I can't see a way of getting it to chroot to /home/<user>/ftp for certain individuals.

Can it be done?

TIA,

Matt.

mattsavigear 12-11-2002 01:07 PM

Having given it some thought, I don't know how /etc/passwd actually works. Can I just add a home directory entry along the lines of:

/home/<user>/ftp/./..

Thoughts?

Matt.

moses 12-11-2002 01:18 PM

I don't know how the ftp servers work, but as to /etc/passwd,
whatever you give as the home directory (usually /home/user),
when the user logs in, they'll start in that directory. So, if you
make the home directory /home/user/ftp in /etc/passwd, that's where
they'll start for login shells. Like I said, I'm not sure if that applies
to ftp servers as well.
make sure you use vipw to edit your /etc/passwd file
(man vipw)

te_conway 12-11-2002 01:33 PM

From the config file
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list

mattsavigear 12-11-2002 01:36 PM

I know, but I don't want to chroot() to the home directory - that's easy. What I want to do is chroot to a _subdirectory_ of the home directory for ftp purposes only.

unSpawn 12-11-2002 06:45 PM

manual for configfile, see passwd_chroot_enable.

mattsavigear 12-12-2002 04:44 AM

I don't wish to sound ungrateful, but is anyone actually reading the question (other than moses)? I've read the manual, and I know how passwd_chroot_enable works, and it doesn't quite match my requirements as written. I've thought of a bit of a kludgy fix (see above) but I have no idea how dangerous it is to the rest of my system.

te_conway 12-12-2002 06:47 AM

Your trying to do something with a normal user id it isn't designed for. Why would you want to keep users out of there home directory when they own it? Can't be security.
Any of your users could use telnet or ssh (if running) to get into the box. Anyone listening could do the same, I now I've been hacked.

You should have separate, no-shell accounts for ftp. Sorry if that doesn't answer your question but its the best advice I can give you.

unSpawn 12-12-2002 09:48 AM

AFAIK, if you have a user who has a home def in passwd as $HOME/./somedir, the user will be chrooted to $HOME/somedir.
I tested this setup an it works, dunno if you even tried it.

Look for twoprocess.c: calculate_chdir_dir (loc_result = str_locate_text(&homedir_str, "/./"), also mentioned in Changelog: "Support wu-ftpd style per-user chroot() via /./ in /etc/passwd HOMEDIR".

mattsavigear 12-15-2002 03:39 PM

Very valid points about bending the use for the system. I'm doing it because I need to run with valid mail accounts as well as an ftp repository. The users can't do anything else because they're explicitly locked out of ssh and so on.

In the end I just decide to bite the bullet and mangled the passwd file with:
/home/user/ftp/./../

Which seems to work just fine. So far. Heck, I have backups!

Thanks for the responses.

Matt.


All times are GMT -5. The time now is 04:49 AM.