LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-29-2004, 12:21 AM   #1
bstempi
LQ Newbie
 
Registered: Feb 2003
Location: Horsham, PA
Posts: 28

Rep: Reputation: 15
vsftpd and chroot


Here's my situation:

I'm running Red Hat 9. Along with vsftpd, I'm running httpd, samba, and a telnet server. I have certain hard disks just for the samba shares. What I wanted to do was make links in my users' home dirs to allow them to get to these shares.

Right now, everyone is chrooted to their home dirs for security reasons. I refuse to even think about letting them out.

The other option I found was to just change their home dir to these shares. Personally, I think this is retarded and lazy. It doesn't solve the problem if you have multiple shares, and it forces everyone into one big orgy of files that may belong to other users.

From what I read, because I chrooted all users to their home dir, I can't use a symlink to give them access to other folders.

How do I give users the ability to go to other folders that aren't actually in their home? Thank you all for your time.
~Brian
 
Old 01-29-2004, 06:11 AM   #2
ugob
Member
 
Registered: Nov 2003
Distribution: RH, Fedora, Debian, Knoppix
Posts: 436

Rep: Reputation: 31
hmm, that's against the definition of chroot.

btw, why don't you use ssh instead of telnet?
 
Old 01-29-2004, 06:14 AM   #3
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
That's truly against the definition of chroot. There was a chroot bug in MySQL 3.x that demonstrates that ...
 
Old 01-29-2004, 10:51 PM   #4
bstempi
LQ Newbie
 
Registered: Feb 2003
Location: Horsham, PA
Posts: 28

Original Poster
Rep: Reputation: 15
Well, the reason I use telnet is so that if I need to access my server settings (god forbid) I can do it on the fly without the need to download an ssh client (I don't know that much about ssh, and from what I've seen, you need a client to connect... correct me if I'm wrong). How else can I keep a user trapped in a home dir and give them access to other files such as my mnt dir? Is there any way to trap a user in a dir without chroot then?
 
Old 01-29-2004, 10:54 PM   #5
bstempi
LQ Newbie
 
Registered: Feb 2003
Location: Horsham, PA
Posts: 28

Original Poster
Rep: Reputation: 15
Oh, and btw (not to be rude)... just telling me that what I want to do is against chroot isn't really that helpful... it solves nothing and leaves me with nothing that will help me solve this problem. I wish that the feedback had been a little better, i.e. "that's against chroot, but you can...." or "well, the alternative would be...." It's totally useless to just post "oh, that won't work" if you don't give any direction.
 
Old 01-29-2004, 11:30 PM   #6
ugob
Member
 
Registered: Nov 2003
Distribution: RH, Fedora, Debian, Knoppix
Posts: 436

Rep: Reputation: 31
One clear answer: type putty in google, download the putty ssh client, and use it.

It is just like telnet, but encrypted. Putty is a simple executable, small, and easy to use. And there is usually an ssh client and server on every Linux distro, installed by default. I don't think there is a good reason to use telnet, especially for admin tasks, where you must log in as root.

Second answer: chrooting is allowing a user to see only his chroot and below. He has not even the knowledge of the rest.

Have you read this? http://www.die.net/doc/linux/man/man...pd.conf.5.html This is the config file for vsftpd. All the available configs are in there. I can't find anything to help you there.

I don't want to be rude either, but we don't waste our time telling people that something is impossible. If we had known any solution, we would have told you.

Saying that it is against chroot's definition is a simple and gentle way to say that it is not feasible, considering the facts you provided us with and whatever other facts that we could have thought of.

hth
 
Old 01-30-2004, 10:18 AM   #7
bstempi
LQ Newbie
 
Registered: Feb 2003
Location: Horsham, PA
Posts: 28

Original Poster
Rep: Reputation: 15
Well, I think I made it clear what I want to do. I want the user to be kept in a certain dir, while allowing them access to certain folders outside of their home dir. Is there any way to do this (whether it uses chroot or not)? The reason I'm asking is because while on other ftp sites (mainly those who distribute Red Hat Linux), I noticed that some of the folders aren't really folders, but some type of shortcut or link. I find it hard to believe that the concept of what I'm describing is totally feasible.
 
Old 01-30-2004, 01:09 PM   #8
bstempi
LQ Newbie
 
Registered: Feb 2003
Location: Horsham, PA
Posts: 28

Original Poster
Rep: Reputation: 15
Correction on my last post: I find it hard to believe that the concept of what I'm talking about is NOT feasible.
 
Old 01-30-2004, 07:17 PM   #9
ugob
Member
 
Registered: Nov 2003
Distribution: RH, Fedora, Debian, Knoppix
Posts: 436

Rep: Reputation: 31
If you use a symlink that is outside of your chroot, you cannot access it.

On redhat's site when you access it, you are chrooted as the anonymous user. The symlinks are within your chrooted environment, hence it is possible.

The only way I think you can achieve what you want is to remove your chroot and set correct permission.

Or maybe set a chroot on the same directory for all users, creating sub-directories for each one. I am not sure if it is possible though.
 
Old 02-18-2004, 01:53 PM   #10
skwirlmaster
LQ Newbie
 
Registered: Feb 2004
Distribution: Debian
Posts: 1

Rep: Reputation: 0
Possible Solutions

So what you are saying is that you want the User to *ONLY* have access to their home directories, but you want them to *ALSO* have access to samba shares.

What you are asking for is impossible under chroot. Chroot makes it so that all the filesystem a user sees is the jail; reaching beyond the jail is not allowed, which is why a symlink won't work.

However, what you want is user security while allowing access to certain files:
You can just do a hell of a job securing your regular filesystem Hierarchy, really limit what a user can see and do.

You can run samba and a simplified version of the dir hierarchy in your chroot environment.

You can run a Usermode Linux kernel/system so your users don't directly log into your system, they log into a virtual system. Security is better than chrooting, and you could run samba on the same virtual machine, giving access.
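
The symlink behaviour described in posts #9 and #10, as an added example that is not part of any post in this thread: a Python audit that resolves every symlink under a jail directory the way a chrooted process would, so links that work for the admin on the host but dangle for the jailed FTP user are flagged. The function names and the directory layout built in `demo()` are constructed for illustration.

```python
import os, tempfile

def resolve_in_jail(jail, path, max_hops=40):
    """Host path that `path` reaches for a process chrooted to `jail`, or None."""
    split = lambda p: [c for c in p.split("/") if c not in ("", ".")]
    jail = os.path.realpath(jail)
    cur, pending, hops = jail, split(path), 0
    while pending:
        part = pending.pop(0)
        nxt = os.path.join(cur, part)
        if part == "..":                      # ".." at the jail root stays at the root
            cur = jail if cur == jail else os.path.dirname(cur)
        elif os.path.islink(nxt):
            hops += 1
            if hops > max_hops:               # symlink loop
                return None
            target = os.readlink(nxt)
            if os.path.isabs(target):         # absolute target restarts at the jail root
                cur = jail
            pending = split(target) + pending
        elif os.path.exists(nxt):
            cur = nxt
        else:
            return None
    return cur

def audit_symlinks(jail):
    """(link, target, usable_in_jail, usable_on_host) for each symlink in the jail."""
    jail, report = os.path.realpath(jail), []
    for dirpath, dirs, files in os.walk(jail):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                inside = "/" + os.path.relpath(full, jail)
                report.append((inside, os.readlink(full),
                               resolve_in_jail(jail, inside) is not None,
                               os.path.exists(full)))
    return sorted(report)

def demo():  # constructed layout: a jailed home plus a share directory outside it
    top = os.path.realpath(tempfile.mkdtemp())
    jail, share = os.path.join(top, "home/brian"), os.path.join(top, "mnt/share")
    os.makedirs(os.path.join(jail, "files/docs"))
    os.makedirs(share)
    os.symlink(share, os.path.join(jail, "share"))           # absolute, leaves the jail
    os.symlink("../../mnt/share", os.path.join(jail, "up"))  # relative, leaves the jail
    os.symlink("files/docs", os.path.join(jail, "docs"))     # stays inside the jail
    return [(link, in_jail, on_host) for link, _, in_jail, on_host in audit_symlinks(jail)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Each row is (link, usable inside the jail, usable on the host); a `False, True` pair is a link that looks fine to the admin but is dead for the chrooted user.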
 
Old 11-08-2005, 03:56 PM   #11
ewookie
LQ Newbie
 
Registered: Nov 2005
Posts: 1

Rep: Reputation: 0
chroot security concerns

I'd like to be able to do what bstempi is describing also. However, I've been studying the problem for a couple of days now and I have pretty much reached the same conclusions skwirlmaster put forth. So why am I posting, you might ask?

Well, this discussion reminds me of an itching, burning sensation that's been troubling my mind. Reading the vsftpd.conf man page, it says that chrooting users is a security risk. To me (yes, I'm a *nix novice), this is counter-intuitive. I would think 'jail'ing or locking a user into their home directory so that they can access nothing else... is pretty darn secure. Can someone explain how chroot-jailing users is a security risk? tia!
 
  


All times are GMT -5.