Linux - Security (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm currently using wu-ftpd to run a couple of services for my friends; basically each one is a mailing list and ftp archive. In order to avoid them messing with the system files (required because I'm running mail accounts as well), and to give a generally cleaner "interface", I have wu_ftpd chroot them to /home/<user>/ftp instead of the more usual /home/<user>. Each account has an otherwise empty ftp directory that they can make as much mess as they like in.
Now, I don't like a few things about the way wu-ftpd works, and I'd like to migrate to vsftpd, however I can't see a way of getting it to chroot to /home/<user>/ftp for certain individuals.
I don't know how the ftp servers work, but as to /etc/passwd, whatever you give as the home directory (usually /home/user), when the user logs in, they'll start in that directory. So, if you make the home directory /home/user/ftp in /etc/passwd, that's where they'll start for login shells. Like I said, I'm not sure if that applies to ftp servers as well.
Make sure you use vipw to edit your /etc/passwd file (man vipw).
From the config file:
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
I know, but I don't want to chroot() to the home directory - that's easy. What I want to do is chroot to a _subdirectory_ of the home directory for ftp purposes only.
I don't wish to sound ungrateful, but is anyone actually reading the question (other than moses)? I've read the manual, and I know how passwd_chroot_enable works, and it doesn't quite match my requirements as written. I've thought of a bit of a kludgy fix (see above) but I have no idea how dangerous it is to the rest of my system.
You're trying to do something with a normal user id that it isn't designed for. Why would you want to keep users out of their home directory when they own it? Can't be security.
Any of your users could use telnet or ssh (if running) to get into the box. Anyone listening could do the same; I know I've been hacked.
You should have separate, no-shell accounts for ftp. Sorry if that doesn't answer your question, but it's the best advice I can give you.
AFAIK, if you have a user who has a home def in passwd as $HOME/./somedir, the user will be chrooted to $HOME/somedir.
I tested this setup and it works, dunno if you even tried it.
Look for twoprocess.c: calculate_chdir_dir (loc_result = str_locate_text(&homedir_str, "/./")), also mentioned in the Changelog: "Support wu-ftpd style per-user chroot() via /./ in /etc/passwd HOMEDIR".
Very valid points about bending the use for the system. I'm doing it because I need to run with valid mail accounts as well as an ftp repository. The users can't do anything else because they're explicitly locked out of ssh and so on.
In the end I just decided to bite the bullet and mangled the passwd file with:
/home/user/ftp/./../
Which seems to work just fine. So far. Heck, I have backups!
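To see why the "/./" trick and the final "/home/user/ftp/./../" entry behave the way the thread describes, here is an added model (not vsftpd's own code, and not from any poster) of the two different readers of the passwd home field: the FTP daemon splits on "/./" into a chroot() target and a chdir() target, while a login shell or mail delivery simply normalises the path. The function names and the "user" home are constructed for the example.

```python
import posixpath

MARKER = "/./"


def split_ftp_home(home: str) -> tuple[str, str]:
    """Model of the wu-ftpd style '/./' convention that vsftpd honours with
    passwd_chroot_enable=YES: the text before '/./' is the chroot() target and
    the text after it is where the session chdir()s once inside the jail.
    Without a marker the whole home is the jail and the session starts at its
    root. (Modelled behaviour, not vsftpd's own code.)"""
    idx = home.find(MARKER)
    if idx == -1:
        return home, ""
    return home[:idx] or "/", home[idx + len(MARKER):]


def resolve_in_chroot(chroot_dir: str, chdir_dir: str) -> tuple[str, str]:
    """Walk chdir_dir component by component the way the kernel does inside a
    chroot: '..' at the jail root stays at the jail root, so no run of '..'
    leaves it. Returns (path as the FTP client sees it, real host path)."""
    parts: list[str] = []
    for comp in chdir_dir.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            continue
        parts.append(comp)
    inside = "/" + "/".join(parts)
    host = posixpath.normpath(chroot_dir + inside)
    return inside, host


def ftp_view(home: str) -> tuple[str, str, str]:
    """What an FTP login gets for a given passwd home field:
    (chroot directory, working directory inside the jail, host path)."""
    chroot_dir, chdir_dir = split_ftp_home(home)
    inside, host = resolve_in_chroot(chroot_dir, chdir_dir)
    return chroot_dir, inside, host


def login_home(home: str) -> str:
    """What everything that is NOT the FTP daemon (mail delivery, a login
    shell) sees: plain path normalisation, which folds '/./' and '../'."""
    return posixpath.normpath(home)


if __name__ == "__main__":
    for field in ("/home/user", "/home/user/./ftp", "/home/user/ftp/./../"):
        print(f"{field:22} ftp={ftp_view(field)}  other={login_home(field)}")
```

The last entry is the one from the post: FTP sessions are jailed in /home/user/ftp and the trailing "../" cannot climb out of the jail, while mail and any shell still resolve the home to /home/user. One caveat for anyone repeating this on a current vsftpd: releases since 2.3.5 refuse a login whose chroot root is writable by the user (the "refusing to run with writable root inside chroot()" error) unless allow_writeable_chroot=YES is set, and a user-owned ftp directory is exactly that case.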