LinuxQuestions.org
Old 12-11-2002, 07:18 AM   #1
mattsavigear
LQ Newbie
 
Registered: Dec 2002
Posts: 7

Rep: Reputation: 0
Another vsftpd/chroot question


I'm currently using wu-ftpd to run a couple of services for my friends; basically each one is a mailing list and ftp archive. In order to avoid them messing with the system files (required because I'm running mail accounts as well), and to give a generally cleaner "interface", I have wu-ftpd chroot them to /home/<user>/ftp instead of the more usual /home/<user>. Each account has an otherwise empty ftp directory that they can make as much mess as they like in.

Now, I don't like a few things about the way wu-ftpd works, and I'd like to migrate to vsftpd, however I can't see a way of getting it to chroot to /home/<user>/ftp for certain individuals.

Can it be done?

TIA,

Matt.
 
Old 12-11-2002, 01:07 PM   #2
mattsavigear
LQ Newbie
 
Registered: Dec 2002
Posts: 7

Original Poster
Rep: Reputation: 0
Having given it some thought, I don't know how /etc/passwd actually works. Can I just add a home directory entry along the lines of:

/home/<user>/ftp/./..

Thoughts?

Matt.
 
Old 12-11-2002, 01:18 PM   #3
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Rep: Reputation: 46
I don't know how the ftp servers work, but as to /etc/passwd,
whatever you give as the home directory (usually /home/user),
when the user logs in, they'll start in that directory. So, if you
make the home directory /home/user/ftp in /etc/passwd, that's where
they'll start for login shells. Like I said, I'm not sure if that applies
to ftp servers as well.
Make sure you use vipw to edit your /etc/passwd file
(man vipw).
 
Old 12-11-2002, 01:33 PM   #4
te_conway
Member
 
Registered: Apr 2001
Location: MA
Distribution: redhat 7.2
Posts: 182

Rep: Reputation: 30
From the config file:
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
 
Old 12-11-2002, 01:36 PM   #5
mattsavigear
LQ Newbie
 
Registered: Dec 2002
Posts: 7

Original Poster
Rep: Reputation: 0
I know, but I don't want to chroot() to the home directory - that's easy. What I want to do is chroot to a _subdirectory_ of the home directory for ftp purposes only.
 
Old 12-11-2002, 06:45 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
Manual for the config file: see passwd_chroot_enable.
 
Old 12-12-2002, 04:44 AM   #7
mattsavigear
LQ Newbie
 
Registered: Dec 2002
Posts: 7

Original Poster
Rep: Reputation: 0
I don't wish to sound ungrateful, but is anyone actually reading the question (other than moses)? I've read the manual, and I know how passwd_chroot_enable works, and it doesn't quite match my requirements as written. I've thought of a bit of a kludgy fix (see above) but I have no idea how dangerous it is to the rest of my system.
 
Old 12-12-2002, 06:47 AM   #8
te_conway
Member
 
Registered: Apr 2001
Location: MA
Distribution: redhat 7.2
Posts: 182

Rep: Reputation: 30
You're trying to do something with a normal user id it isn't designed for. Why would you want to keep users out of their home directory when they own it? Can't be security.
Any of your users could use telnet or ssh (if running) to get into the box. Anyone listening could do the same. I know, I've been hacked.

You should have separate, no-shell accounts for ftp. Sorry if that doesn't answer your question but it's the best advice I can give you.
 
Old 12-12-2002, 09:48 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
AFAIK, if you have a user who has a home def in passwd as $HOME/./somedir, the user will be chrooted to $HOME/somedir.
I tested this setup and it works, dunno if you even tried it.

Look for twoprocess.c: calculate_chdir_dir (loc_result = str_locate_text(&homedir_str, "/./")), also mentioned in Changelog: "Support wu-ftpd style per-user chroot() via /./ in /etc/passwd HOMEDIR".
 
Old 12-15-2002, 03:39 PM   #10
mattsavigear
LQ Newbie
 
Registered: Dec 2002
Posts: 7

Original Poster
Rep: Reputation: 0
Very valid points about bending the use for the system. I'm doing it because I need to run with valid mail accounts as well as an ftp repository. The users can't do anything else because they're explicitly locked out of ssh and so on.

In the end I just decided to bite the bullet and mangled the passwd file with:
/home/user/ftp/./../

Which seems to work just fine. So far. Heck, I have backups!

Thanks for the responses.

Matt.
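
As an added example (not written by any poster in this thread, and not vsftpd's own code), this Python script models the wu-ftpd style `/./` convention discussed above and audits passwd entries that use it. It assumes the text before the first `/./` is the jail and the remainder is the directory entered after chroot(); the sample passwd lines and the `NOLOGIN_SHELLS` list are constructed for illustration.

```python
import posixpath

MARKER = "/./"
# Shells treated as "no interactive login" (assumed list; adjust per system).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample /etc/passwd lines, not taken from any real system.
SAMPLE_PASSWD = """\
matt:x:1001:1001::/home/matt/ftp/./../:/bin/bash
list1:x:1002:1002::/home/list1/ftp/./../:/sbin/nologin
bob:x:1003:1003::/srv/ftp/bob/./incoming:/bin/false
carol:x:1004:1004::/home/carol:/bin/bash
"""

def split_home(home):
    """Return (jail, start_dir_inside_jail), or None if there is no marker."""
    jail, sep, rest = home.partition(MARKER)
    if not sep:
        return None
    # After chroot() the jail is "/", so ".." cannot climb above it.
    start = posixpath.normpath("/" + rest.lstrip("/"))
    return (posixpath.normpath(jail or "/"), start)

def audit(passwd_text):
    """List every account whose home field carries the /./ marker."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed or blank lines
        user, home, shell = fields[0], fields[5], fields[6]
        split = split_home(home)
        if split is None:
            continue
        jail, start = split
        findings.append({
            "user": user,
            "ftp_jail": jail,
            "ftp_start": start,
            # What login shells, mail delivery, etc. resolve the same string
            # to (lexical resolution; assumes no symlinks in the path).
            "other_home": posixpath.normpath(home),
            "shell_login_possible": shell not in NOLOGIN_SHELLS,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD):
        print(finding)
```

For the `/home/<user>/ftp/./../` form, the FTP jail is the `ftp` subdirectory while every other service still resolves the home to `/home/<user>`; the `shell_login_possible` flag marks marker accounts that could bypass the jail through a shell login.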
 
  



All times are GMT -5.
