LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 05-03-2002, 02:15 PM   #1
DATA_OK
vsFTP (and chroot)


Hi,

I have SuSE Linux 8.0 and in there is the new vsftp in the distribution.

So after installing the vsftp server I tested the server.

And so logged in on my server, and the ftp user is not fixed only in his directory (e.g. /home/f6h9) as he can go everywhere on my server !!!!

How can I keep him in his directory? I searched the whole day in the internet but found nothing that helped me. I have read much about chroot but don't know how it works (specially with SuSE 8.0).

Thanks for your help.
Old 05-04-2002, 05:31 AM   #2
unSpawn
Ideally a "good" chroot or "change root" command should be 3 commands that change the way an application may see the system. First "chdir <dirToChrootTo>", then "chroot <dirToChrootTo>" and finally some setuid call from within the app to drop root privileges. After this the chrooted application will see <dirToChrootTo> as the system root, and with some care this app and its users will not be able to change root back to the real root.

Since the new root is <dirToChrootTo>, the app will look there as the starting point for what it needs in devices (say /dev/null, /dev/log), files like /var/log/app.log or libs like /lib/ld-linux.so.2. It means you gotta copy them to <dirToChrootTo>. For this setting up a chroot, the user, app and dependencies I use "jailchroot". Then I tweak stuff manually. (If you don't want to use apps for setting up chroot jails, you'll have to get comfortable with truss, lsof and ldd, so...)

Things I check are if <dirToChrootTo>/etc/passwd contains only necessary passes, if the chrooted app runs as a non-root user, if there are no SUID apps within the chroot, if the app really needs to mount <dirToChrootTo>/proc, if it really needs <dirToChrootTo>/dev devices, and if the user really needs a shell. These checks shouldn't be automated. Now run your chrooted app and see if it works, then you can change the init scripts so it'll load automatically when necessary.

*Other things on the system level to minimize the chance of an app breaking out of a chroot jail are using kernel patches that among other things strengthen the kernel's way of operating chroot jails and the way users may see system processes, like the GRSecurity or Solar Designer's OpenWall kernel patch, and using LINUX_CAPABILITIES (lcap, capsel) to deny for instance loading of modules.

HTH somehow.
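The chdir, chroot, drop-privileges sequence described in the post above, as an added Python example (not code from the post or from vsftpd). The DryRun recorder and the jail path /srv/jail are constructed for illustration so the order of the calls can be checked without running as root.

```python
import os


def enter_jail(jail_dir, uid, gid, *, sys_os=os):
    """Confine the calling process to jail_dir and drop root for good.

    Order matters: chdir first so the working directory is already inside
    the new root, then chroot, then give up the supplementary groups, the
    gid and finally the uid. The uid goes last because once it is
    unprivileged the other calls would be refused. Returns the steps taken.
    """
    if uid == 0 or gid == 0:
        raise ValueError("refusing to stay root inside the jail")
    steps = []
    sys_os.chdir(jail_dir)          # cwd must not stay outside the jail
    steps.append(("chdir", jail_dir))
    sys_os.chroot(jail_dir)         # from here on "/" means jail_dir
    steps.append(("chroot", jail_dir))
    sys_os.setgroups([])            # setgid does not clear supplementary groups
    steps.append(("setgroups", ()))
    sys_os.setgid(gid)
    steps.append(("setgid", gid))
    sys_os.setuid(uid)              # irreversible: no saved root uid is left
    steps.append(("setuid", uid))
    return steps


class DryRun:
    """Stand-in for os that only records calls (constructed, for checking without root)."""

    def __init__(self):
        self.calls = []

    def chdir(self, path):
        self.calls.append("chdir")

    def chroot(self, path):
        self.calls.append("chroot")

    def setgroups(self, groups):
        self.calls.append("setgroups")

    def setgid(self, gid):
        self.calls.append("setgid")

    def setuid(self, uid):
        self.calls.append("setuid")


def privileges_dropped():
    """True only when real, effective and saved uid are all non-root (Linux)."""
    return 0 not in os.getresuid()
```

Calling enter_jail with the real os module requires root and a populated jail directory; with DryRun it only shows the order the post describes.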
 
Old 05-04-2002, 01:20 PM   #3
DATA_OK
unSpawn:

Thanks for your answer. I have looked at the URL you have posted. But, if I have understood this program right, I must install not only the program but reinstall the ftp program in the "JMC", right? And then create some chroot folders and so on.

Is there no easier way to make my vsFTP safe? Without reinstalling my ftp and so on?

Thanks
 
Old 05-05-2002, 09:47 AM   #4
unSpawn
Aw, no, that's ok. It was more a reply to your "I have read much about chroot but don't know how it works" question.

Now for chrooting vsftpd, what are your chroot settings in your conf file?
 
Old 05-24-2002, 04:16 AM   #5
DATA_OK
Hi,

so in the meantime the chroot environment (seems) to run.

But now I have a little problem:

my new ftp server vsftpd says every time I want to log in:

530 This FTP server is anonymous only.
ftp: Login failed

I have searched in the vsftpd.conf but haven't found anything to change.

DATA
 
Old 05-24-2002, 04:20 AM   #6
DATA_OK
@unspawn:

I have done all like in the description. Now I have one question:

when I type su - f6h9 (my chrooted user) I get in the chrooted folder, but I can get out??? Is this normal, or does chroot work only with for example ftp daemons???

When I create a chrooted dir, put the software in it and the user, no failed warning comes.

DATA
 
Old 05-24-2002, 06:19 AM   #7
DATA_OK
News:

my vsftp seems to be running. I can log in with the user ftp and password ftp. The user is in the directory /usr/local/ftp (and can't get out, is chrooted to this directory, I think). But I haven't created this user, I think it is a standard user.

But why can't I log in with the user I created???? I get all the time this stupid message: 530 This FTP server is anonymous only. ftp: Login failed

DATA
 
Old 05-24-2002, 01:39 PM   #8
unSpawn
I think you should check your vsftpd config for option "anonymous_enable=NO". If the ftp user you want to log in as is a local user, you should enable "local_enable=YES".
Btw, hope you noticed vsftpd does its own chrooting of users?
 
Old 03-13-2003, 04:31 AM   #9
tico
Try this link; it helped me.
 
Old 06-24-2003, 02:25 PM   #10
jasp2
vsftpd and xinetd

For those who had the same trouble as me... a little note. If you are using vsftpd through xinetd, and you still want to be able to tweak performance with the .conf file, make sure you have this line in the /etc/xinetd.d/vsftpd file:

server_args = /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf on RH9)

without this, tweaking the conf file does nothing... it just uses the default compiled settings. Hence, turning on "local_enable" was still giving me "530 This FTP server is anonymous only." until I fixed this.

Cheers... and thanks for the rest of the info.
 
Old 10-30-2003, 10:10 AM   #11
andguent
Thanks to
http://www.linuxquestions.org/questi...002/12/3/37978

I found that you should add:
chroot_local_user=YES
to
/etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf)

That should lock users into their home directories as listed in /etc/passwd
EX:
ftpUserIDontTrust:x:501:501:ftpUserIDontTrust:/var/ftp:/bin/bash

I am no guru. I have this sinking feeling that /bin/bash is an insecure way to access a shell.
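A small checker for the three vsftpd.conf settings the thread converges on (anonymous_enable and local_enable from post #8, chroot_local_user from post #11), plus the xinetd server_args point from post #10. This is an added Python example, not part of the thread or of vsftpd; the sample config and the xinetd stanza in the test are constructed.

```python
import re

# Settings from the thread, with the value that lets local users log in and
# keeps them confined to their home directory.
EXPECTED = {
    "anonymous_enable": "NO",     # otherwise "530 This FTP server is anonymous only."
    "local_enable": "YES",        # lets /etc/passwd users log in
    "chroot_local_user": "YES",   # locks them into their home directory
}

# Constructed sample: anonymous-only defaults, local_enable left commented out.
SAMPLE_CONF = """\
# vsftpd.conf (constructed sample)
anonymous_enable=YES
#local_enable=YES
write_enable=NO
"""


def parse_vsftpd_conf(text):
    """Parse key=value lines; '#' comments and blanks are skipped, later keys win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (key, actual, expected) for each setting that differs from EXPECTED.

    A missing key is reported with actual=None: vsftpd then uses its compiled-in
    default, which is also what happens when xinetd never passes the file at all.
    """
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key)
        if have is None or have.upper() != want:
            findings.append((key, have, want))
    return findings


def xinetd_conf_path(stanza):
    """Return the path from a 'server_args = ...' line in an xinetd stanza, or None."""
    m = re.search(r"^\s*server_args\s*=\s*(\S+)", stanza, re.MULTILINE)
    return m.group(1) if m else None
```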