*BSD News Article 55331



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!wang!uunet!in2.uu.net!salliemae!newsfeed.internetmci.com!in1.uu.net!news.cais.net!news.sci.dixie.edu!usenet
From: "Aaron D. Gifford" <agifford@infowest.com>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: chroot() question--please help
Date: Fri, 17 Nov 1995 20:48:56 -0700
Organization: InfoWest
Lines: 84
Message-ID: <30AD57A8.20F9@infowest.com>
References: <48en1l$8k3@interport.net>
Reply-To: agifford@infowest.com
NNTP-Posting-Host: uv.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 2.0b2 (Macintosh; I; PPC)
CC: David Tay <davidtay@interport.net>

I have a few ftp-only users on another system running wuftpd.  This is the setup 
I've used.  Someone let me know if I am missing something obvious.

 * I added a "fake" entry to /etc/shells called "/bin/null" because wuftpd
   appears to refuse to let users in who don't have shells listed in
   /etc/shells.
 * I created a group called "ftponly" in /etc/group (I'll say GID 202 for this
   example)
 * Here's what the /etc/passwd entry looks like:
   EXAMPLE:
     joe:cYrPtEdPaSsWd:2053:202::0:0:Joe Chrooted:/home/ftponly/joe/./:/bin/null
   (Actually, it's what "vipw" or /etc/master.passwd might show, since there
   are no crypted passwords in my /etc/passwd.)
 * I created an FTP-only home directory for the user (say /home/ftponly/joe
   for this example), owned by the FTP-only user and of the "ftponly" group.
   EXAMPLE:
     # ls -l /home/ftponly
     total 1
     drwxr-xr-x   5 joe      ftponly  512 Nov 17 20:03 joe
 * I created two subdirectories in /home/ftponly/joe, "bin" and "etc".  I kept
   bin and etc owned by root/wheel and mode 0555.
   EXAMPLE:
     # ls -l /home/ftponly/joe
     total 2
     dr-xr-xr-x  2 root     wheel  512 Nov 17 20:05 bin
     dr-xr-xr-x  2 root     wheel  512 Nov 17 20:05 etc
 * I copied a statically linked version of "ls" into /home/ftponly/joe/bin, owned
   by root/wheel, mode 0555.  I also created a /home/ftponly/joe/etc/group file
   owned by root/wheel, mode 0444, that contained /etc/group entries for only
   those groups that joe might encounter in his chrooted environment.  In this
   case, only the "wheel" and "ftponly" groups were present.  This is what
   /home/ftponly/joe/etc/group might look like:
   EXAMPLE:
     wheel:*:0:
     ftponly:*:202:
 * I then created a temporary file, /home/ftponly/joe/etc/passwd.tmp, and in
   that file I put only two lines:
   EXAMPLE:
     root:*:0:0::0:0:System Administrator::
     joe:*:2053:202::0:0:Joe Chrooted::
 * Next, I CAREFULLY used the "pwd_mkdb" to create a pwd.db file in
   /home/ftponly/joe/etc:
   EXAMPLE:
     # pwd_mkdb -d /home/ftponly/joe/etc /home/ftponly/joe/etc/passwd.tmp
     # rm /home/ftponly/joe/etc/master.passwd /home/ftponly/joe/etc/spwd.db
     # chmod 0444 /home/ftponly/joe/etc/pwd.db
     # ls -l /home/ftponly/joe/etc
     total 2
     -r--r--r--  1 root  wheel     74 Nov 17 20:06 group
     -r--r--r--  1 root  wheel  40960 Nov 17 20:10 pwd.db
   The pwd_mkdb command renamed passwd.tmp to master.passwd, and since there
   was no reason for master.passwd or spwd.db files in the chrooted etc
   directory, I removed them.
   On the FreeBSD machine I used, the above pwd_mkdb worked, but on an older
   BSD/OS 1.1 machine, I had to "cd" to the directory, then run pwd_mkdb
   with the -d option but without the following directory parameter since
   the BSDI 1.1 pwd_mkdb assumed the current working directory with the -d
   option.
   WARNING: pwd_mkdb CAN BE DANGEROUS when running as root if you aren't
   careful about including the -d option since it could trash your system's
   /etc/master.passwd, /etc/pwd.db, and /etc/spwd.db files.
 * I then edited wu-ftpd's config ftpaccess file, /etc/ftpaccess on the machine
   I used.  I added these four lines:
   EXAMPLE:
     # Joe Chrooted's FTP site:
     upload  /home/ftponly/joe  *         yes  joe  ftponly  644  dirs  
     upload  /home/ftponly/joe  /bin  no
     upload  /home/ftponly/joe  /etc  no
 * I then added a "guestgroup" line:
     guestgroup ftponly
   If a guestgroup line had already existed, I would only have needed to add
   the "ftponly" group to the space-separated list of group names that wuftpd
   treats as guests.

I think that's all I did.  Perhaps it may help you.  Did I miss anything?
Did I do anything obviously stupid?

--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--
Aaron D. Gifford          InfoWest, 1845 W. Sunset Blvd, St. George, UT 84770
InfoWest Networking       Phone: (801) 674-0165   FAX: (801) 673-9734
<agifford@infowest.com>   Visit InfoWest at: "http://www.infowest.com/"
                        ICBM: 37.07847 N, 113.57858 W
                 "Southern Utah's Finest Network Connection"
--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--
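The following script is an added example and is not part of the original post or anything the poster ran. It audits a jail tree laid out the way the post describes (root-owned, mode 0555 bin and etc, a static ls, only group and pwd.db in etc, no master.passwd or spwd.db left behind) and adds a guard for the pwd_mkdb step the post warns about. The function names audit_ftp_jail and pwd_mkdb_target_ok, the optional OWNER_UID argument, and the "tag: path" output format are all assumptions made here; the temporary tree in the usage comment is likewise constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check an FTP-only chroot tree of the
# shape described above, and refuse a pwd_mkdb invocation that would hit /etc.
# Function names and the OWNER_UID parameter are assumptions of this example.
#
# Usage: audit_ftp_jail /home/ftponly/joe        (expects root ownership, uid 0)
#        audit_ftp_jail /tmp/staging/joe 1001    (staging copy built by uid 1001)
#        pwd_mkdb_target_ok /home/ftponly/joe/etc /home/ftponly/joe/etc/passwd.tmp \
#            && pwd_mkdb -d /home/ftponly/joe/etc /home/ftponly/joe/etc/passwd.tmp

# Print one "tag: path" line per finding.  Returns 0 if the jail is clean, 1 if not.
audit_ftp_jail() {
    jail=${1%/}
    owner=${2:-0}

    for d in bin etc; do
        if [ ! -d "$jail/$d" ]; then
            echo "missing-dir: $jail/$d"
            return 1
        fi
    done

    findings=$( {
        # Nothing under bin/ or etc/ may belong to anyone but the owner (root on
        # the real system): a jailed user who owns bin/ls can swap in his own binary.
        find "$jail/bin" "$jail/etc" ! -user "$owner" | sed 's/^/wrong-owner: /'
        # Nothing there may be group- or world-writable (the post uses 0555/0444).
        find "$jail/bin" "$jail/etc" \( -perm -020 -o -perm -002 \) | sed 's/^/writable: /'
        # pwd_mkdb leaves master.passwd and spwd.db next to pwd.db; the post removes them.
        for f in master.passwd spwd.db passwd.tmp; do
            if [ -e "$jail/etc/$f" ]; then echo "leftover: $jail/etc/$f"; fi
        done
        # ls inside the jail needs pwd.db and group to print names instead of numbers.
        for f in bin/ls etc/pwd.db etc/group; do
            if [ ! -e "$jail/$f" ]; then echo "missing-file: $jail/$f"; fi
        done
    } )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# The post's warning: pwd_mkdb(8) without -d rewrites /etc/master.passwd,
# /etc/pwd.db and /etc/spwd.db.  Returns 0 when DIR is an absolute path other
# than / or /etc, contains no ".." components, and FILE is a regular file inside
# it; prints the reason and returns 1 otherwise.  This is a plain string check:
# it does not resolve symlinks, so DIR must not be a link into /etc.
pwd_mkdb_target_ok() {
    dir=${1%/}
    file=$2
    case "$dir" in
        ''|/etc)
            echo "refusing: '$1' is the system password database directory"
            return 1 ;;
        */..|*/../*|..|../*)
            echo "refusing: $dir contains .. components"
            return 1 ;;
        /*) ;;
        *)
            echo "refusing: $dir is not an absolute path"
            return 1 ;;
    esac
    case "$file" in
        "$dir"/*) ;;
        *)
            echo "refusing: $file is not inside $dir"
            return 1 ;;
    esac
    if [ ! -f "$file" ]; then
        echo "refusing: $file is not a regular file"
        return 1
    fi
    return 0
}

# Run the audit directly when invoked with a jail path.
if [ "$#" -gt 0 ]; then
    audit_ftp_jail "$@"
fi
```

The audit deliberately ignores the jail's top directory, which the post leaves owned and writable by the FTP-only user for uploads; only bin and etc are held to root ownership. Reading a real jail's etc requires root, which is why the second argument lets a staging copy built by an ordinary uid be checked before it is installed. The guard only inspects strings, so it will not catch a directory that is a symlink to /etc; check that by hand.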