LinuxQuestions.org

Linux - General > chroot not working.
https://www.linuxquestions.org/questions/linux-general-1/chroot-not-working-70190/

dkc_ace 07-04-2003 10:10 PM

chroot not working.
 
OK, I have tried what is on this thread: http://www.linuxquestions.org/questi...961#post293961

But it will not work. All I want is to make it so that one user cannot get to any other dir but its home dir. I have looked all over the man pages but I can't get it to work. I tried chroot account /dir but that doesn't work. I am clueless. I tried looking through the search but I can't find anything except that thread, and I can't seem to get it to work.

DavidPhillips 07-04-2003 10:50 PM

What's the error?

Did you build a filesystem for the user?

In other words, if you do chroot /foldername there must be a filesystem in /foldername.

dkc_ace 07-04-2003 10:54 PM

Quote:

Originally posted by DavidPhillips
What's the error?

Did you build a filesystem for the user?

In other words, if you do chroot /foldername there must be a filesystem in /foldername.

lol, OK, you're talking over my head.

There is no error. It just doesn't work. For example, if I log in to the account it will not make it stay in its root dir, /ftp-data/church.

It still has the ftp-data dir in the dir tree and I can view the whole tree. I want the account to not be able to see /ftp-data at all, just the /church dir.

Don't have a clue what a filesystem is :).

DrOzz 07-04-2003 10:57 PM

What do you have specified as the DefaultRoot for the ftp?

dkc_ace 07-04-2003 11:02 PM

Here is my config.


# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
#local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=no
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

listen=YES

dkc_ace 07-05-2003 08:56 AM

Quote:

Originally posted by DavidPhillips
What's the error?

Did you build a filesystem for the user?

In other words, if you do chroot /foldername there must be a filesystem in /foldername.

Here is what I have done.

I went into vsftpd.conf and looked for this.

chroot_list_enable=yes
chroot_list_file=/etc/vsftpd.chroot_list

I said OK, that looks fine. I then went into the /etc dir and made a file named /etc/vsftpd.chroot_list and added the account name to this file. I restarted the vsftpd service and nothing happened.

dkc_ace 07-05-2003 09:37 AM

OK, when I was doing all of this I was going through the LAN. When I decided to check if I could do it through the WAN, it gave me the error: 425 Security: Bad IP connecting. It acts like it connects to the FTP server but I can't read files or anything.

UPDATE: I found out that if I change my FTP data connection mode to active mode it works perfectly. Now the only thing I have to do is figure out this chroot.

dkc_ace 08-07-2003 08:20 PM

Ummm, still having this problem. Any takers?

dkc_ace 08-08-2003 08:31 PM

I hate to keep bumping this up, but I have been working on this for like 2 days and still can't figure it out. Anyone?

unSpawn 08-13-2003 12:56 PM

Active mode is insecure, because this asks the server to set up a connection with the remote host. Not a big deal with vsftpd, but you shouldn't open up security holes unnecessarily if you can avoid it. Go for passive mode. Firewall-wise, this means allowing initiating and related traffic from any remote address+unprivileged port to TCP/21, plus allowing initiating and related traffic from any remote address+unprivileged port to TCP/unprivileged ports (port range specified in the vsftpd.conf).

Allowing a specific user chrooted access in general involves 4 files: 1 PAM config, 2 PAM login database files (text and db made with the db_load command) and the vsftpd.conf. You should read the vsftpd docs that came with the installation, because the /usr/share/doc/vsftp/EXAMPLE/VIRTUAL_USERS/ dir contains an example you can use easily.

A few notes. Disable "anonymous_enable=YES" and uncomment "local_enable=YES" and "chroot_local_user=YES". Read the example dir I mentioned. If you set "chroot_local_user=YES", then you can comment out the "chroot_list" stuff as it will chroot any user mentioned in the login.db. Users not in the login.db are denied access.

HTH
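The rule unSpawn and the sample config's own comment describe (chroot_list_enable names the users to chroot, unless chroot_local_user=YES, in which case the list names the users NOT to chroot, and local_enable must be YES before any of it matters) is easy to get wrong by hand. The following checker is an added example, not code from this thread or from the vsftpd project. It parses a vsftpd.conf the way the daemon does (key=value lines, '#' comments, case-insensitive booleans), decides whether a given local user would be chrooted, and prints the PASV port range the firewall has to accept. The embedded configs are constructed: the first is the essential lines of the poster's file as posted, the second is the same file after the advice above; the pasv_min_port/pasv_max_port values in it are an assumed example range, and "church" is the poster's account name.

```python
"""vsftpd chroot policy checker (added example, not from the thread or vsftpd)."""

# Constructed: the essential lines of the original poster's config as posted.
OP_CONF = """\
anonymous_enable=YES
#local_enable=YES
#chroot_local_user=YES
#chroot_list_enable=no
#chroot_list_file=/etc/vsftpd.chroot_list
listen=YES
"""

# Constructed: the same file after the advice in the thread (anonymous off,
# local users on, every local user chrooted). The pasv_* range is an assumption.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""

# Constructed: contents of /etc/vsftpd.chroot_list as the poster created it.
CHROOT_LIST = "church\n"

TRUE_WORDS = {"YES", "TRUE", "1"}
FALSE_WORDS = {"NO", "FALSE", "0"}


def parse_conf(text):
    """key=value per line; blank lines and lines starting with '#' are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed vsftpd.conf line: %r" % raw)
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def as_bool(conf, key, default):
    """vsftpd booleans are case-insensitive (yes/YES); anything else is an error."""
    value = conf.get(key)
    if value is None:
        return default
    word = value.upper()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError("bad bool value for %s: %r" % (key, value))


def parse_chroot_list(text):
    """chroot_list_file format: one user name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def chroot_policy(conf, user, chroot_list=frozenset()):
    """Return (login_allowed, chrooted, reason) for a local (non-anonymous) user."""
    if not as_bool(conf, "local_enable", False):
        return (False, False,
                "local_enable is not YES: local logins are refused, chroot never applies")
    chroot_all = as_bool(conf, "chroot_local_user", False)
    use_list = as_bool(conf, "chroot_list_enable", False)
    in_list = user in chroot_list
    if chroot_all and use_list:
        return (True, not in_list,
                "chroot_local_user=YES: all local users chrooted except those listed")
    if chroot_all:
        return (True, True, "chroot_local_user=YES: all local users are chrooted")
    if use_list:
        return (True, in_list, "chroot_list_enable=YES: only listed users are chrooted")
    return (True, False, "no chroot option is enabled: nobody is chrooted")


def passive_port_range(conf):
    """PASV data ports the firewall must accept; 0 means any unprivileged port."""
    return (int(conf.get("pasv_min_port", "0")), int(conf.get("pasv_max_port", "0")))


if __name__ == "__main__":
    users = parse_chroot_list(CHROOT_LIST)
    for name, text in (("poster's config", OP_CONF), ("hardened config", HARDENED_CONF)):
        conf = parse_conf(text)
        allowed, jailed, why = chroot_policy(conf, "church", users)
        print("%s: login=%s chroot=%s (%s)" % (name, allowed, jailed, why))
        print("  PASV port range for the firewall: %d-%d" % passive_port_range(conf))
```

Run against the config as posted, the checker reports that the "church" account is refused altogether, because local_enable is still commented out, so adding chroot_list_enable=yes and a list file could not change anything; against the hardened file it reports the account logged in and chrooted. Later vsftpd releases (2.3.5 and newer) add one more hurdle this checker does not model: a chrooted user whose home directory is writable is refused unless allow_writeable_chroot=YES is set.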

