Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have SuSE Linux 8.0, and the new vsftp is in the distribution.
So after installing the vsftp server I tested the server.
And so I logged in on my server, and the ftp user is not confined only to his directory (e.g. /home/f6h9), as he can go everywhere on my server !!!!
How can I keep him in his directory? I searched the whole day on the internet but found nothing that helped me. I have read much about chroot but don't know how it works (especially with SuSE 8.0).
Ideally a "good" chroot or "change root" command should be 3 commands that change the way an application may see the system. First "chdir <dirToChrootTo>", then "chroot <dirToChrootTo>" and finally some setuid call from within the app to drop root privileges. After this the chrooted application will see <dirToChrootTo> as the system root, and with some care this app and its users will not be able to change root back to the real root.
Since the new root is <dirToChrootTo>, the app will look there as the starting point for what it needs in devices (say /dev/null, /dev/log), files like /var/log/app.log or libs like /lib/ld-linux.so.2. It means you gotta copy them to <dirToChrootTo>. For setting up a chroot, the user, app and dependencies I use "jailchroot". Then I tweak stuff manually. (If you don't want to use apps for setting up chroot jails, you'll have to get comfortable with truss, lsof and ldd, so...)
Things I check are if <dirToChrootTo>/etc/passwd contains only necessary passes, if the chrooted app runs as a non-root user, if there are no SUID apps within the chroot, if the app really needs to mount <dirToChrootTo>/proc, if it really needs <dirToChrootTo>/dev devices, and if the user really needs a shell. These checks shouldn't be automated. Now run your chrooted app and see if it works, then you can change the init scripts so it'll load automatically when necessary.
Other things on the system level to minimize the chance of an app breaking out of a chroot jail are using kernel patches that among other things strengthen the kernel's way of operating chroot jails and the way users may see system processes, like GRSecurity or Solar Designer's OpenWall kernel patch, and using LINUX_CAPABILITIES (lcap, capsel) to deny for instance loading of modules.
Thanks for your answer. I have looked at the URL you posted. But, if I have understood this program right, I must not only install the program but reinstall the ftp program in the "JMC", right? And then create some chroot folders and so on.
Is there no easier way to make my vsFTP safe? Without reinstalling my ftp and so on?
I have done all as in the description. Now I have one question:
When I type su - f6h9 (my chrooted user) I get into the chrooted folder, but I can get out??? Is this normal, or does chroot only work with, for example, ftp daemons???
When I create a chrooted dir and put the software and the user in it, no failure warning comes.
My vsftp seems to be running. I can log in with the user ftp and password ftp. The user is in the directory /usr/local/ftp (and can't get out, is chrooted to this directory, I think). But I haven't created this user; I think it is a standard user.
But why can't I log in with the user I created???? I get all the time this stupid message, 530 This FTP server is anonymous only.
ftp: Login failed )
I think you should check your vsftpd config for option "anonymous_enable=NO". If the ftp user you want to log in as is a local user, you should enable "local_enable=YES".
Btw, hope you noticed vsftpd does its own chrooting of users?
For those who had the same trouble as me... a little note. If you are using vsftpd through xinetd, and you still want to be able to tweak performance with the .conf file, make sure you have this line in the /etc/xinetd.d/vsftpd file:
server_args = /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf on RH9)
Without this, tweaking the conf file does nothing... it just uses the default compiled settings. Hence, turning on "local_enable" was still giving me "530 This FTP server is anonymous only." until I fixed this.
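Added example (my own, not code from the thread or from the vsftpd project): a small Python checker for the two causes of "530 This FTP server is anonymous only." discussed in the last two posts (local_enable/anonymous_enable in vsftpd.conf, and the missing server_args line when vsftpd runs under xinetd), plus vsftpd's own chroot_local_user option that addresses the original question. The sample vsftpd.conf and xinetd block are constructed; the option defaults are the ones documented in the vsftpd manual.

```python
import re

# Constructed samples (not files from the thread): a vsftpd.conf that still
# refuses local logins, and an xinetd service block that passes no server_args.
BAD_CONF = "# constructed vsftpd.conf\nanonymous_enable=YES\n#local_enable=YES\nwrite_enable=NO\n"
GOOD_CONF = "anonymous_enable=NO\nlocal_enable=YES\nchroot_local_user=YES\n"
BAD_XINETD = """service ftp
{
    socket_type = stream
    server      = /usr/sbin/vsftpd
    disable     = no
}
"""
GOOD_XINETD = BAD_XINETD.replace("disable", "server_args = /etc/vsftpd.conf\n    disable")

def parse_vsftpd_conf(text):
    """vsftpd.conf holds one OPTION=value per line; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def xinetd_server_args(text):
    """Return the server_args value of an xinetd service block, or None if absent."""
    m = re.search(r"^\s*server_args\s*=\s*(\S.*?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def check_ftp_setup(conf_text, xinetd_text=None):
    """List the misconfigurations behind the symptoms in this thread.  Defaults
    follow the vsftpd manual: anonymous_enable=YES, local_enable=NO, chroot_local_user=NO."""
    opts = parse_vsftpd_conf(conf_text)
    problems = []
    if opts.get("local_enable", "NO").upper() != "YES":
        problems.append("local_enable is not YES: local users get "
                        "'530 This FTP server is anonymous only.'")
    if opts.get("anonymous_enable", "YES").upper() != "NO":
        problems.append("anonymous_enable is not NO: anonymous logins are still allowed")
    if opts.get("chroot_local_user", "NO").upper() != "YES":
        problems.append("chroot_local_user is not YES: local users can browse outside their home")
    if xinetd_text is not None and xinetd_server_args(xinetd_text) is None:
        problems.append("xinetd passes no server_args: vsftpd ignores the config "
                        "file and runs with its compiled-in defaults")
    return problems

if __name__ == "__main__":
    print(check_ftp_setup(BAD_CONF, BAD_XINETD))    # four findings
    print(check_ftp_setup(GOOD_CONF, GOOD_XINETD))  # []
```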