12-11-2002, 08:18 AM
|
#1
|
LQ Newbie
Registered: Dec 2002
Posts: 7
Rep:
|
Another vsftpd/chroot question
I'm currently using wu-ftpd to run a couple of services for my friends, basically each one is a mailing list and ftp archive. In order to avoid them messing with the system files (required because I'm running mail accounts as well), and to give a generally cleaner "interface", I have wu-ftpd chroot them to /home/<user>/ftp instead of the more usual /home/<user>. Each account has an otherwise empty ftp directory that they can make as much mess as they like in.
Now, I don't like a few things about the way wu-ftpd works, and I'd like to migrate to vsftpd, however I can't see a way of getting it to chroot to /home/<user>/ftp for certain individuals.
Can it be done?
TIA,
Matt.
|
|
|
12-11-2002, 02:07 PM
|
#2
|
LQ Newbie
Registered: Dec 2002
Posts: 7
Original Poster
Rep:
|
Having given it some thought, I don't know how /etc/passwd actually works. Can I just add a home directory entry along the lines of:
/home/<user>/ftp/./..
Thoughts?
Matt.
|
|
|
12-11-2002, 02:18 PM
|
#3
|
Senior Member
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152
Rep:
|
I don't know how the ftp servers work, but as to /etc/passwd,
whatever you give as the home directory (usually /home/user),
when the user logs in, they'll start in that directory. So, if you
make the home directory /home/user/ftp in /etc/passwd, that's where
they'll start for login shells. Like I said, I'm not sure if that applies
to ftp servers as well.
Make sure you use vipw to edit your /etc/passwd file
(man vipw)
|
|
|
12-11-2002, 02:33 PM
|
#4
|
Member
Registered: Apr 2001
Location: MA
Distribution: redhat 7.2
Posts: 182
Rep:
|
From the config file
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
|
|
|
12-11-2002, 02:36 PM
|
#5
|
LQ Newbie
Registered: Dec 2002
Posts: 7
Original Poster
Rep:
|
I know, but I don't want to chroot() to the home directory - that's easy. What I want to do is chroot to a _subdirectory_ of the home directory for ftp purposes only.
|
|
|
12-11-2002, 07:45 PM
|
#6
|
Moderator
Registered: May 2001
Posts: 29,415
|
manual for configfile, see passwd_chroot_enable.
|
|
|
12-12-2002, 05:44 AM
|
#7
|
LQ Newbie
Registered: Dec 2002
Posts: 7
Original Poster
Rep:
|
I don't wish to sound ungrateful, but is anyone actually reading the question (other than moses)? I've read the manual, and I know how passwd_chroot_enable works, and it doesn't quite match my requirements as written. I've thought of a bit of a kludgy fix (see above) but I have no idea how dangerous it is to the rest of my system.
|
|
|
12-12-2002, 07:47 AM
|
#8
|
Member
Registered: Apr 2001
Location: MA
Distribution: redhat 7.2
Posts: 182
Rep:
|
You're trying to do something with a normal user id it isn't designed for. Why would you want to keep users out of their home directory when they own it? Can't be security.
Any of your users could use telnet or ssh (if running) to get into the box. Anyone listening could do the same, I know, I've been hacked.
You should have separate, no-shell accounts for ftp. Sorry if that doesn't answer your question but it's the best advice I can give you.
|
|
|
12-12-2002, 10:48 AM
|
#9
|
Moderator
Registered: May 2001
Posts: 29,415
|
AFAIK, if you have a user who has a home def in passwd as $HOME/./somedir, the user will be chrooted to $HOME/somedir.
I tested this setup and it works, dunno if you even tried it.
Look for twoprocess.c: calculate_chdir_dir (loc_result = str_locate_text(&homedir_str, "/./")), also mentioned in Changelog: "Support wu-ftpd style per-user chroot() via /./ in /etc/passwd HOMEDIR".
|
|
|
12-15-2002, 04:39 PM
|
#10
|
LQ Newbie
Registered: Dec 2002
Posts: 7
Original Poster
Rep:
|
Very valid points about bending the use for the system. I'm doing it because I need to run with valid mail accounts as well as an ftp repository. The users can't do anything else because they're explicitly locked out of ssh and so on.
In the end I just decided to bite the bullet and mangled the passwd file with:
/home/user/ftp/./../
Which seems to work just fine. So far. Heck, I have backups!
Thanks for the responses.
Matt.
|
|
|
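Added example (not part of the thread and not vsftpd's own code): a small Python audit of how an /etc/passwd home field containing /./ is read when passwd_chroot_enable=YES is set together with chroot_local_user=YES, following the vsftpd.conf manual's rule that the /./ marks where the jail is. The passwd lines, user names and function names are constructed for illustration.

```python
import posixpath

MARKER = "/./"

# Constructed /etc/passwd lines (sample data, not from the thread's system).
SAMPLE_PASSWD = """\
matt:x:1001:1001::/home/matt/ftp/./../:/sbin/nologin
anna:x:1002:1002::/home/anna/./pub:/sbin/nologin
bob:x:1003:1003::/home/bob:/bin/bash
"""

def split_home(home):
    """Return (jail, start_dir_inside_jail, home_as_other_programs_see_it)."""
    jail, found, rest = home.partition(MARKER)   # first occurrence only
    if not found:
        # No marker: with chroot_local_user=YES the jail is the whole home.
        jail, rest = home, ""
    # After chroot() the jail is "/", so ".." cannot climb above it.
    inside = posixpath.normpath("/" + rest.lstrip("/"))
    # Mail delivery, shells etc. simply resolve the path, so "." and ".."
    # collapse. normpath is lexical only; it does not follow symlinks.
    plain = posixpath.normpath(home)
    return posixpath.normpath(jail), inside, plain

def audit(passwd_text):
    """Map user -> the FTP jail implied by that user's home field."""
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # skip malformed lines
        user, home = fields[0], fields[5]
        jail, inside, plain = split_home(home)
        report[user] = {
            "jail": jail,
            "start_dir": inside,
            "home_elsewhere": plain,
            # True when FTP is confined to a subdirectory of the real home.
            "jail_below_home": jail.startswith(plain.rstrip("/") + "/"),
        }
    return report

if __name__ == "__main__":
    for user, info in audit(SAMPLE_PASSWD).items():
        print(user, info)
```

For the /home/user/ftp/./../ form used in the thread, the jail comes out as /home/user/ftp while everything that is not the FTP server resolves the same field to /home/user.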
All times are GMT -5. The time now is 01:09 AM.