From: "Aaron D. Gifford" <agifford@infowest.com>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: chroot() question--please help
Date: Fri, 17 Nov 1995 20:48:56 -0700
Organization: InfoWest
Message-ID: <30AD57A8.20F9@infowest.com>
References: <48en1l$8k3@interport.net>
Reply-To: agifford@infowest.com
CC: David Tay <davidtay@interport.net>

I have a few ftp-only users on another system running wuftpd.  This is
the setup I've used.  Someone let me know if I am missing something
obvious.

* I added a "fake" entry to /etc/shells called "/bin/null" because
  wuftpd appears to refuse to let users in who don't have shells listed
  in /etc/shells.

* I created a group called "ftponly" in /etc/group (I'll say GID 202
  for this example).

* Here's what the /etc/passwd entry looks like:

  EXAMPLE:
  joe:cYrPtEdPaSsWd:2053:202::0:0:Joe Chrooted:/home/ftponly/joe/./:/bin/null

  (Actually, it's what "vipw" or /etc/master.passwd might show, since
  there are no crypted passwords in my /etc/passwd.)

* I created an FTP-only home directory for the user (say
  /home/ftponly/joe for this example), owned by the FTP-only user and
  of the "ftponly" group.

  EXAMPLE:
  # ls -l /home/ftponly
  total 1
  drwxr-xr-x  5 joe  ftponly  512 Nov 17 20:03 joe

* I created two subdirectories in /home/ftponly/joe, "bin" and "etc".
  I kept bin and etc owned by root/wheel and mode 0555.

  EXAMPLE:
  # ls -l /home/ftponly/joe
  total 2
  dr-xr-xr-x  2 root  wheel  512 Nov 17 20:05 bin
  dr-xr-xr-x  2 root  wheel  512 Nov 17 20:05 etc

* I copied a statically linked version of "ls" into
  /home/ftponly/joe/bin, owned by root/wheel, mode 0555.

* I also created a /home/ftponly/joe/etc/group file owned by root/wheel,
  mode 0444, that contained /etc/group entries for only those groups
  that joe might encounter in his chrooted environment.  In this case,
  only the "wheel" and "ftponly" groups were present.  This is what
  /home/ftponly/joe/etc/group might look like:

  EXAMPLE:
  wheel:*:0:
  ftponly:*:202:

* I then created a temporary file, /home/ftponly/joe/etc/passwd.tmp,
  and in that file I put only two lines:

  EXAMPLE:
  root:*:0:0::0:0:System Administrator::
  joe:*:2053:202::0:0:Joe Chrooted::

* Next, I CAREFULLY used "pwd_mkdb" to create a pwd.db file in
  /home/ftponly/joe/etc:

  EXAMPLE:
  # pwd_mkdb -d /home/ftponly/joe/etc /home/ftponly/joe/etc/passwd.tmp
  # rm /home/ftponly/joe/etc/master.passwd /home/ftponly/joe/etc/spwd.db
  # chmod 0444 /home/ftponly/joe/etc/pwd.db
  # ls -l /home/ftponly/joe/etc
  total 2
  -r--r--r--  1 root  wheel     74 Nov 17 20:06 group
  -r--r--r--  1 root  wheel  40960 Nov 17 20:10 pwd.db

  The pwd_mkdb command renamed passwd.tmp to master.passwd, and since
  there was no reason for master.passwd or spwd.db files in the chrooted
  etc directory, that's why I removed them.

  On the FreeBSD machine I used, the above pwd_mkdb worked, but on an
  older BSD/OS 1.1 machine I had to "cd" to the directory, then run
  pwd_mkdb with the -d option but without the following directory
  parameter, since the BSDI 1.1 pwd_mkdb assumed the current working
  directory with the -d option.

  WARNING: pwd_mkdb CAN BE DANGEROUS when running as root if you
  aren't careful about including the -d option, since it could trash
  your system's /etc/master.passwd, /etc/pwd.db, and /etc/spwd.db
  files.

* I then edited wu-ftpd's config ftpaccess file, /etc/ftpaccess on the
  machine I used.  I added these four lines:

  EXAMPLE:
  # Joe Chrooted's FTP site:
  upload /home/ftponly/joe *    yes joe ftponly 644 dirs
  upload /home/ftponly/joe /bin no
  upload /home/ftponly/joe /etc no

* I then added a "guestgroup" line:

  guestgroup ftponly

  If a guestgroup line had already existed, I would only have needed to
  add the "ftponly" group to the space-separated list of group names
  that wuftpd treats as guests.

I think that's all I did.  Perhaps it may help you.  Did I miss
anything?  Did I do anything obviously stupid?

--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--
Aaron D. Gifford          InfoWest, 1845 W. Sunset Blvd, St. George, UT 84770
InfoWest Networking       Phone: (801) 674-0165   FAX: (801) 673-9734
<agifford@infowest.com>   Visit InfoWest at: "http://www.infowest.com/"
ICBM: 37.07847 N, 113.57858 W   "Southern Utah's Finest Network Connection"
--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--
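An added example, not part of Aaron's post: a small POSIX sh audit of a guest chroot tree built the way the post describes (read-only bin/ and etc/, a static bin/ls, etc/group and etc/pwd.db, no leftover master.passwd or spwd.db) plus a check that the master.passwd entry carries the "/./" chroot marker. The directory layout and the entry format are taken from the post; the function names and the use of ls -ld for the mode check are my own choices.

```sh
#!/bin/sh
# Audit a wu-ftpd guest chroot tree laid out as in the post above.
# Each function prints one line per problem it finds; audit_ftp_chroot
# returns the number of problems, so 0 means the tree matches the layout.

# mode_has_write PATH: true if any write bit is set in the mode column of
# "ls -ld" (chars 1-10), which behaves the same on BSD and Linux.
mode_has_write() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" in *w*) return 0 ;; esac
    return 1
}

# audit_ftp_chroot ROOT: ROOT is the directory before "/./" in the entry.
audit_ftp_chroot() {
    root=$1; n=0
    for d in bin etc; do                 # post keeps both root-owned, 0555
        if [ ! -d "$root/$d" ]; then echo "missing $d/"; n=$((n+1))
        elif mode_has_write "$root/$d"; then echo "$d/ is writable"; n=$((n+1))
        fi
    done
    for f in bin/ls etc/group etc/pwd.db; do   # 0555 / 0444 in the post
        if [ ! -f "$root/$f" ]; then echo "missing $f"; n=$((n+1))
        elif mode_has_write "$root/$f"; then echo "$f is writable"; n=$((n+1))
        fi
    done
    for f in etc/master.passwd etc/spwd.db; do # pwd_mkdb leftovers the post removes
        if [ -e "$root/$f" ]; then echo "stale $f present"; n=$((n+1)); fi
    done
    return $n
}

# check_guest_entry LINE: a master.passwd line (10 colon-separated fields).
# The home field (9) must end in "/./" so wu-ftpd chroots to the part
# before it; returns 0 when the marker is present, 1 otherwise.
check_guest_entry() {
    home=$(printf '%s' "$1" | cut -d: -f9)
    case "$home" in */./) return 0 ;; esac
    echo "home directory '$home' lacks the /./ chroot marker"
    return 1
}
```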