[SunHELP] limit user to home directory in ftp
DAUBIGNE Sebastien - BOR
sunhelp at sunhelp.org
Tue Oct 30 04:48:38 CST 2001
I've done this with SUN ftpd, but it looks ugly (better use ProFTP if you
are allowed to), but it works fine for me. The solution is to use chroot to
launch another ftpd daemon in the home directory, bound to a free TCP port
(e.g. 22). This is a bit similar to anonymous ftp, except that it requires
a valid password, and is chrooted before ftpd is launched, so you have to
put every file needed by ftpd (libs, conf files) to run in the chrooted tree
(the "truss" tool was useful to get this).
Here is my configuration. The user is "pap" and the chrooted tree is
/site/Mep/Livraison/pap.
First, add something like this to /etc/inetd.conf (one line):
pap-ftp stream tcp nowait root /usr/sbin/chroot chroot /site/Mep/Livraison/pap /usr/bin/in.ftpd -l -d
You also have to put the pap-ftp service entry in /etc/services:
pap-ftp 22/tcp
Now, inetd is able to launch a chrooted in.ftpd process at every TCP
connection on port 22.
Well, in.ftpd is not able to run for now; we have to construct the chrooted
tree. Let's see what's in /site/Mep/Livraison/pap:
lrwxrwxrwx 1 root bin 7 Jul 4 10:16 bin -> usr/bin/
drwxrwxr-x 2 root sys 96 Jun 11 17:29 dev/
drwxr-xr-x 3 root other 8192 Feb 6 2001 etc/
drwxrwxrwx 2 pap prod 96 Oct 12 13:58 fic_pap/
drwxrwxr-x 4 root sys 96 Feb 6 2001 usr/
The "fic_pap" directory will be the home directory for the "pap" user account in the
chrooted tree.
The "usr" tree must contain the "ls" command (for proper ls output during
ftp sessions), and the "bin" directory must contain "in.ftpd", along with the
usual libs in the "lib" directory (everything under "usr" was duplicated from
the "/usr" tree):
usr
usr/lib
usr/lib/security
usr/lib/security/pam_unix.so.1
usr/lib/ld.so.1
usr/lib/libc.so.1
usr/lib/libdl.so.1
usr/lib/libmp.so.2
usr/lib/libnsl.so.1
usr/lib/libsocket.so.1
usr/lib/nss_compat.so.1
usr/lib/nss_dns.so.1
usr/lib/nss_files.so.1
usr/lib/nss_nis.so.1
usr/lib/nss_nisplus.so.1
usr/lib/straddr.so
usr/lib/straddr.so.2
usr/lib/libbsm.so.1
usr/lib/libpam.so.1
usr/bin
usr/bin/ls
usr/bin/in.ftpd
The "dev" tree must contain every required special file (similar to the /dev
tree). Be careful not to use "cp" from the /dev tree to construct this tree, as
it won't work. Better use "mknod" to add these files (use the output of "ls
-lL /dev/...." to get the major/minor numbers):
drwxrwxr-x 2 root sys 96 Jun 11 17:29 dev
crw-rw-rw- 1 root other 13, 2 Jun 11 17:29 dev/null
crw-rw-rw- 1 root other 11, 42 Feb 6 2001 dev/tcp
crw-rw-rw- 1 root other 105, 1 Feb 6 2001 dev/ticotsord
crw-rw-rw- 1 root other 11, 41 Feb 6 2001 dev/udp
crw-rw-rw- 1 root sys 13, 12 Feb 6 2001 dev/zero
The "etc" tree must contain some configuration files needed by ftpd:
drwxr-xr-x 3 root other 8192 Feb 6 2001 etc
drwxrwxr-x 2 root sys 96 Feb 6 2001 etc/default
-rw-r--r-- 1 root other 10 Feb 6 2001 etc/default/ftpd
-rw-r--r-- 1 root other 11 Feb 6 2001 etc/group
-r--r--r-- 1 root sys 1137 Apr 2 1998 etc/netconfig
-rw-r--r-- 1 root sys 255 Feb 6 2001 etc/pam.conf
-r--r--r-- 1 root other 51 Feb 6 2001 etc/passwd
-r-------- 1 root other 24 Jun 6 12:53 etc/shadow
The "pam.conf" and "netconfig" files are copies from /etc.
The "passwd" file contains the user account "pap" entry (only this one; the
others are not required if you want "pap" to be the only user granted
access to this service). Note that the home directory "/fic_pap" will
finally point to /site/Mep/Livraison/pap/fic_pap as ftpd is chrooted:
pap:x:3001:501:BCA ftp user :/fic_pap:/usr/bin/ksh
The "group" file contains the user account's group (only this one, for the
same purpose as the "passwd" file):
prod::501:
The "shadow" file contains the user account's password duplicated from
/etc/shadow (only this one, too):
pap:MrghnIhsqmgaM:11352
Now that you have a running chrooted ftpd, you just have to "kill -HUP" inetd to
test it. Make sure to use port 22 in the ftp client software:
ftp localhost 22
...
You should also disable access to the "standard" ftp and telnet services for
"pap", by using the "NP" string in /etc/shadow:
pap:NP:11479::::::
Now pap is only allowed to login exclusively using FTP on port 22 in a
chrooted tree.
The drawback is that you have to put an exclusive chrooted FTP service for
each user you want to configure, using an exclusive free TCP port.
I guess ProFTPd should make this task painless.
---
Sebastien DAUBIGNE
sebastien.daubigne at sema.fr <mailto:sebastien.daubigne at sema.fr> - (+33)
(0)5.57.26.56.36
Sema Global Services - AFM/DW/Pessac
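A way to script the tree-building steps from the reply above, as an added example that is not part of the original post or of Sun's ftpd: it derives the mknod commands from "ls -lL /dev/..." lines instead of copying device files, extracts one user's passwd, group and shadow entries into the chroot's etc with the modes the listing shows, and checks that nothing outside the user's home directory is world-writable (an ftp user who could overwrite in.ftpd, ld.so.1 or pam.conf inside the jail would control a daemon that inetd starts as root). The chroot path, user name, and the sample passwd/group/shadow lines in demo() are constructed; the mknod commands are printed rather than executed, since they need root.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for building the
# per-user in.ftpd chroot tree described in the reply. The chroot path,
# user name and sample /etc lines used in demo() are constructed.

# Turn one "ls -lL /dev/xxx" line into the equivalent mknod command, since
# "cp" does not reproduce device nodes. The ls line has the major number
# (with a trailing comma) in field 5, the minor in field 6, and the device
# path in the last field. Prints "mknod <root><path> <c|b> <major> <minor>".
mknod_cmd_from_ls() {
    root=$1
    set -- $2                      # split the ls line into fields
    perms=$1 major=${5%,} minor=$6
    eval "path=\${$#}"             # last field: the device path
    case $perms in
        c*) type=c ;;
        b*) type=b ;;
        *)  echo "not a device node: $path" >&2; return 1 ;;
    esac
    echo "mknod $root$path $type $major $minor"
}

# Build <root>/etc/passwd, group and shadow holding only the one ftp user,
# its primary group and its password hash, with the modes the reply shows.
# Copy the hash before replacing it with "NP" in the real /etc/shadow, or
# the chrooted ftpd will have no password to check. The home directory in
# the passwd line must be relative to the chroot (e.g. /fic_pap).
# $1 = chroot root, $2 = user, $3 $4 $5 = source passwd, group, shadow.
make_single_user_etc() {
    root=$1 user=$2 src_passwd=$3 src_group=$4 src_shadow=$5
    mkdir -p "$root/etc"
    awk -F: -v u="$user" '$1 == u' "$src_passwd" > "$root/etc/passwd"
    if [ ! -s "$root/etc/passwd" ]; then
        echo "user $user not found in $src_passwd" >&2
        return 1
    fi
    gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$src_passwd")
    awk -F: -v g="$gid" '$3 == g' "$src_group" > "$root/etc/group"
    awk -F: -v u="$user" '$1 == u' "$src_shadow" > "$root/etc/shadow"
    chmod 444 "$root/etc/passwd" "$root/etc/group"
    chmod 400 "$root/etc/shadow"
}

# Check that no file or directory outside the user's home is world-writable:
# the binaries, libs and pam.conf in the jail are loaded by a root-run
# daemon. Symlinks (bin -> usr/bin) are skipped. Ownership by root must
# still be confirmed by hand with "ls -l".
# $1 = chroot root, $2 = home directory name inside the chroot.
check_tree_writable() {
    bad=$(find "$1" -path "$1/$2" -prune -o \
             \( -type d -o -type f \) -perm -002 -print)
    if [ -n "$bad" ]; then
        echo "world-writable outside $2:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Demonstration on a scratch directory: run as "sh this_script.sh demo".
demo() {
    work=$(mktemp -d)
    root=$work/chroot
    mkdir -p "$root/fic_pap" "$root/usr/lib" "$root/usr/bin" "$root/dev" "$root/etc/default"
    chmod 777 "$root/fic_pap"
    # constructed source files standing in for the host's /etc
    printf 'root:x:0:1:Super-User:/:/sbin/sh\npap:x:3001:501:BCA ftp user:/fic_pap:/usr/bin/ksh\n' > "$work/passwd"
    printf 'sys::3:root\nprod::501:\n' > "$work/group"
    printf 'root:NP:11479::::::\npap:HASH_PLACEHOLDER:11352::::::\n' > "$work/shadow"
    make_single_user_etc "$root" pap "$work/passwd" "$work/group" "$work/shadow" || return 1
    # constructed "ls -lL /dev/..." lines; the printed commands need root to run
    mknod_cmd_from_ls "$root" 'crw-rw-rw- 1 root other 13, 2 Jun 11 17:29 /dev/null'
    mknod_cmd_from_ls "$root" 'crw-rw-rw- 1 root other 11, 42 Feb 6 2001 /dev/tcp'
    check_tree_writable "$root" fic_pap || return 1
    cat "$root/etc/passwd" "$root/etc/group"
    rm -rf "$work"
}

case "${1-}" in demo) demo ;; esac
```

The libraries under usr/lib still have to be copied by hand (or from "truss" output, as the reply suggests); the world-writable check is the one to rerun after every change to the tree, because a writable usr/bin or usr/lib inside the jail undoes the protection the chroot was meant to give.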
-----Original Message-----
From: Edward Chase [SMTP:echase at postoffice.providence.edu]
Date: Monday, 29 October 2001 20:31
To: sunhelp at sunhelp.org
Subject: [SunHELP] limit user to home directory in ftp
I'm looking to add a user to a Solaris 7 box that has only the ability to
ftp into the box and be locked into their home directory.
The entry in /etc/passwd is as follows:
test:x:1014:1:Test acct:/./export/home/test:/bin/false
This does keep the user from telnetting in, however I can't ftp in with the
user.
In Linux, I would need to make sure that /bin/false was in /etc/shells.
I'm also not sure if the home directory entry would do what I want in
Solaris.
Scratch the shell question... Man ftpd helped here.
I guess all that's left is how do I lock someone into their directory?
(Using the standard ftpd)
---------------------------------------------------------------
Edward F. Chase III | echase at providence.edu
Providence College | http://www.providence.edu
Computer Services | http://studentweb.providence.edu
Providence, RI 02918 |