LinuxQuestions.org

-   -   vsFTP (and chroot) (https://www.linuxquestions.org/questions/linux-security-4/vsftp-and-chroot-20130/)

DATA_OK 05-03-2002 02:15 PM

vsFTP (and chroot)
 
Hi,

I have SuSE Linux 8.0, and the new vsftp is included in the distribution.

So after installing the vsftp server I tested the server.

And so I logged in on my server, and the ftp user is not confined to his directory (e.g. /home/f6h9), as he can go everywhere on my server!!!!

How can I keep him in his directory? I searched the whole day on the internet but found nothing that helped me. I have read much about chroot but don't know how it works (especially with SuSE 8.0).

Thanks for your help.

unSpawn 05-04-2002 05:31 AM

Ideally a "good" chroot or "change root" command should be 3 commands that change the way an application may see the system. First "chdir <dirToChrootTo>", then "chroot <dirToChrootTo>" and finally some setuid call from within the app to drop root privileges. After this the chrooted application will see <dirToChrootTo> as the system root, and with some care this app and its users will not be able to change root back to the real root.

Since the new root is <dirToChrootTo>, the app will look there as the starting point for what it needs in devices (say /dev/null, /dev/log), files like /var/log/app.log or libs like /lib/ld-linux.so.2. It means you gotta copy 'em to <dirToChrootTo>. For setting up the chroot, the user, app and dependencies I use "jailchroot". Then I tweak stuff manually. (If you don't want to use apps for setting up chroot jails, you'll have to get comfortable with truss, lsof and ldd, so...)

Things I check are if <dirToChrootTo>/etc/passwd contains only necessary passes, if the chrooted app runs as a non-root user, if there are no SUID apps within the chroot, if the app really needs to mount <dirToChrootTo>/proc, if it really needs <dirToChrootTo>/dev devices, and if the user really needs a shell. These checks shouldn't be automated. Now run your chrooted app and see if it works, then you can change the init scripts so it'll load automatically when necessary.

Other things on the system level to minimize the chance of an app breaking out of a chroot jail are using kernel patches that among other things strengthen the kernel's way of operating chroot jails and the way users may see system processes, like the GRSecurity or Solar Designer's OpenWall kernel patch, and using LINUX_CAPABILITIES (lcap, capsel) to deny for instance loading of modules.

HTH somehow.
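Added example, not code from the post above: the chdir, chroot, privilege-drop sequence unSpawn describes, written in Python, with a pre-flight check for items on his list (jail root owned by root, not world-writable, no setuid/setgid files inside). The demo jail it builds is a constructed sample; enter_jail() itself must run as root.

```python
import os
import stat
import tempfile

def jail_problems(path):
    """Pre-flight checks on a chroot target: it must exist, belong to root,
    not be world-writable, and contain no setuid/setgid files (a setuid
    binary inside a jail is root inside that jail)."""
    if not os.path.isdir(path):
        return [f"{path} is not a directory"]
    problems = []
    st = os.stat(path)
    if st.st_uid != 0:
        problems.append("jail root is not owned by root")
    if st.st_mode & stat.S_IWOTH:
        problems.append("jail root is world-writable")
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if os.lstat(full).st_mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append(f"setuid/setgid file inside jail: {full}")
    return problems

def enter_jail(path, uid, gid):
    """chdir, then chroot, then drop privileges; the order matters.
    Needs root to call chroot(); never returns to the real root afterwards."""
    problems = jail_problems(path)
    if problems:
        raise RuntimeError("; ".join(problems))
    os.chdir(path)     # cwd must be inside the jail before chroot(), or "." stays outside
    os.chroot(path)    # from here on "/" is the jail
    os.setgroups([])   # supplementary groups first, while still root
    os.setgid(gid)
    os.setuid(uid)     # last step: after this no privilege remains to chroot() again
    if os.getuid() == 0 or os.getcwd() != "/":
        raise RuntimeError("privilege drop or chroot did not take effect")

def build_demo_jail():
    """Constructed sample jail (demo only): a throwaway tree with one
    leftover setuid file, the kind of thing jail_problems() should flag."""
    jail = tempfile.mkdtemp(prefix="demo-jail-")
    os.makedirs(os.path.join(jail, "bin"))
    leftover = os.path.join(jail, "bin", "leftover")
    with open(leftover, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(leftover, 0o4755)  # setuid bit set on purpose for the demo
    return jail

if __name__ == "__main__":
    for problem in jail_problems(build_demo_jail()):
        print("found:", problem)
```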

DATA_OK 05-04-2002 01:20 PM

unSpawn:

Thanks for your answer. I have looked at the URL you posted. But, if I have understood this program right, I must install not only the program but reinstall the ftp program in the "JMC", right? And then create some chroot folders and so on.

Is there no easier way to make my vsFTP safe? Without reinstalling my ftp and so on?

Thanks

unSpawn 05-05-2002 09:47 AM

Aw, no, that's ok. It was more a reply to your "I have read much about chroot but don't know how it works" question.

Now for chrooting vsftpd, what are your chroot settings in your conf file?

DATA_OK 05-24-2002 04:16 AM

Hi,

so in the meantime the chroot environment seems to run.

But now I have a little problem:

my new ftp server vsftpd says every time I want to log in:

530 This FTP server is anonymous only.
ftp: Login failed

I have searched in vsftpd.conf but haven't found anything to change.

DATA

DATA_OK 05-24-2002 04:20 AM

@unspawn:

I have done everything as in the description. Now I have one question:

when I type su - f6h9 (my chrooted user) I get into the chrooted folder, but I can get out??? Is this normal, or does chroot only work with, for example, ftp daemons???

When I create a chrooted dir and put the software and the user in it, no failure warning comes.

DATA

DATA_OK 05-24-2002 06:19 AM

News:

my vsftp seems to be running. I can log in with the user ftp and password ftp. The user is in the directory /usr/local/ftp (and can't get out, is chrooted to this directory, I think). But I haven't created this user; I think it is a standard user.

But why can't I log in with the user I created???? I get all the time this stupid message (530 This FTP server is anonymous only. / ftp: Login failed)

DATA

unSpawn 05-24-2002 01:39 PM

I think you should check your vsftpd config for option "anonymous_enable=NO". If the ftp user you want to log in as is a local user, you should enable "local_enable=YES".
Btw, hope you noticed vsftpd does its own chrooting of users?

tico 03-13-2003 04:31 AM

Try this link, it helped me.

jasp2 06-24-2003 02:25 PM

vsftpd and xinetd
 
For those who had the same trouble as me... a little note. If you are using vsftpd through xinetd, and you still want to be able to tweak performance with the .conf file, make sure you have this line in the /etc/xinetd.d/vsftpd file:

server_args = /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf on RH9)

without this, tweaking the conf file does nothing... it just uses the default compiled settings. Hence, turning on "local_enable" was still giving me "530 This FTP server is anonymous only." until I fixed this.

Cheers... and thanks for the rest of the info.

andguent 10-30-2003 10:10 AM

Thanks to
http://www.linuxquestions.org/questi...002/12/3/37978

I found that you should add:
chroot_local_user=YES
to
/etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf)

That should lock users into their home directories as listed in /etc/passwd
EX:
ftpUserIDontTrust:x:501:501:ftpUserIDontTrust:/var/ftp:/bin/bash

I am no guru. I have this sinking feeling that /bin/bash is an insecure way to access a shell.
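Added example, not from any post in this thread: a small Python resolver that applies the compiled-in defaults documented in vsftpd.conf(5) for the three options the thread turns on (anonymous_enable, local_enable, chroot_local_user), models jasp2's observation that an xinetd entry without server_args leaves the conf file unread, and reports the symptoms DATA_OK hit. The sample conf and xinetd texts are constructed.

```python
import re

# Compiled-in defaults for the options this thread turns on, per vsftpd.conf(5).
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "chroot_local_user": "NO"}

def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def xinetd_passes_conf(xinetd_text):
    """True if /etc/xinetd.d/vsftpd has a server_args line naming a conf file."""
    return re.search(r"^\s*server_args\s*=\s*\S+", xinetd_text, re.M) is not None

def effective_settings(conf_text, xinetd_text=None):
    """What vsftpd will actually use: defaults, overridden by the conf file,
    unless xinetd starts vsftpd without server_args (then the file is ignored)."""
    effective = dict(DEFAULTS)
    if xinetd_text is None or xinetd_passes_conf(xinetd_text):
        effective.update(parse_vsftpd_conf(conf_text))
    return effective

def diagnose(conf_text, xinetd_text=None):
    """Explain the thread's symptoms in terms of the effective settings."""
    eff = effective_settings(conf_text, xinetd_text)
    findings = []
    if xinetd_text is not None and not xinetd_passes_conf(xinetd_text):
        findings.append("xinetd has no server_args: vsftpd.conf is ignored, compiled-in defaults apply")
    if eff["local_enable"] != "YES":
        findings.append("local_enable=NO: real users get '530 This FTP server is anonymous only.'")
    elif eff["chroot_local_user"] != "YES":
        findings.append("chroot_local_user=NO: local users can browse the whole filesystem")
    if eff["anonymous_enable"] == "YES":
        findings.append("anonymous_enable=YES: anonymous logins are allowed")
    return findings

# Constructed samples: an untouched conf, the fixed conf, and xinetd entries with/without server_args.
CONF_DEFAULT_ONLY = "# nothing changed yet\n"
CONF_FIXED = "anonymous_enable=NO\nlocal_enable=YES\nchroot_local_user=YES\n"
XINETD_NO_ARGS = "service ftp\n{\n    server = /usr/sbin/vsftpd\n    disable = no\n}\n"
XINETD_WITH_ARGS = XINETD_NO_ARGS.replace("disable", "server_args = /etc/vsftpd.conf\n    disable")

if __name__ == "__main__":
    for finding in diagnose(CONF_FIXED, XINETD_NO_ARGS):
        print(finding)
```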

