[SunHELP] Setting up an FTP user best practice

DAUBIGNE Sebastien - BOR (SDaubigne at bordeaux-bersol.sema.slb.com)
Tue Sep 16 10:30:02 CDT 2003


Actually it is possible to set up a chrooted ftp account with
login/password. The user only has access to ftp, is authenticated but can't
go outside its home directory (it's like anonymous FTP, but with a proper
user/password).
It's a bit tricky, but here it is:

The solution is to launch another FTP server (in.ftpd) on a dedicated TCP
port (e.g. 22), in a chrooted tree.
Thus, the user logged in with this FTP server will not be able to get out of
the chrooted tree.
This is almost similar to Anonymous FTP, except that the chroot is done
before in.ftpd is launched (anonymous ftp does it inside the in.ftpd code),
so we'll have to put some additional library files which will be loaded at
in.ftpd startup.

This could look ugly, but it works.

Here is the method :

Let's say we'll create a user "pap" who can only log in with a dedicated
FTP in the chrooted "/pap-home" tree.

First, we create a new service (chrooted in.ftpd on port 22) :

/etc/services :
pap-ftp         22/tcp

/etc/inetd.conf :
pap-ftp stream  tcp     nowait  root    /usr/sbin/chroot        chroot /pap-home /usr/bin/in.ftpd        -l -d

Then we create the user "pap" in the "global" tree and make sure it can't
connect with telnet/rlogin/standard FTP (locked password and /bin/false
shell):
  
/etc/passwd :
pap:x:3001:501:Chrooted ftp user:/pap-home:/bin/false

/etc/group :
papg::501:

/etc/shadow:
pap:NP:11479::::::

Note that creating the user in the "global" tree is optional, this is just
to make sure that the files uploaded in the chrooted tree will get a user ID
also known in the global tree. (You can also map the user ID in the chrooted
tree with the one of another user in the global tree).

Now we will create the chrooted tree. 
We have to put every file necessary to launch in.ftpd. There are binaries
(in.ftpd), dirs, libraries, character devices nodes, and some system
configuration files.
This list is for Solaris 2.6 in.ftpd. Maybe the Solaris 8 in.ftpd requires
more or fewer files.
The method I used to build the list is to first initialise the list with `ldd
/usr/bin/in.ftpd`. Then, if the chrooted FTP startup/login fails, run
"truss -aeflp" on the inetd.conf process just before connecting, and detect
the missing files (failed open() or access() syscalls).
I suggest first using the following 2.6 list, which you have to copy from the
global tree using tar or a similar copy tool, at least for the device nodes
(doing a "cp" on a device node is a bad idea).

/pap-home/etc
/pap-home/etc/default
/pap-home/etc/default/ftpd
/pap-home/etc/netconfig
/pap-home/etc/passwd
/pap-home/etc/shadow
/pap-home/etc/group
/pap-home/etc/pam.conf
/pap-home/usr
/pap-home/usr/lib
/pap-home/usr/lib/security
/pap-home/usr/lib/security/pam_unix.so.1
/pap-home/usr/lib/ld.so.1
/pap-home/usr/lib/libc.so.1
/pap-home/usr/lib/libdl.so.1
/pap-home/usr/lib/libmp.so.2
/pap-home/usr/lib/libnsl.so.1
/pap-home/usr/lib/libsocket.so.1
/pap-home/usr/lib/nss_compat.so.1

/pap-home/usr/lib/nss_dns.so.1
/pap-home/usr/lib/nss_files.so.1
/pap-home/usr/lib/nss_nis.so.1
/pap-home/usr/lib/nss_nisplus.so.1
/pap-home/usr/lib/straddr.so
/pap-home/usr/lib/straddr.so.2
/pap-home/usr/lib/libbsm.so.1
/pap-home/usr/lib/libpam.so.1
/pap-home/usr/bin
/pap-home/usr/bin/ls
/pap-home/usr/bin/in.ftpd
/pap-home/fic_pap
/pap-home/dev
/pap-home/dev/zero
/pap-home/dev/tcp
/pap-home/dev/udp
/pap-home/dev/ticotsord
/pap-home/dev/null
/pap-home/bin    (link to usr/bin)

Now we have to customise the chrooted configuration files.

First, remove all lines in /pap-home/etc/pam.conf and add this (this is not
necessary as the only access is ftp, but it looks cleaner):
ftp     auth    required        /usr/lib/security/pam_unix.so.1
ftp     account required        /usr/lib/security/pam_unix.so.1
ftp     session required        /usr/lib/security/pam_unix.so.1

Leave this line alone in /pap-home/etc/passwd :
pap:x:3001:501:Chrooted ftp user:/pap-home:/usr/bin/ksh

Leave this line alone in /pap-home/etc/group :
papg::501:

Leave this line alone in /pap-home/etc/shadow :
pap:MrghnIhsqmgaM:11352::::::

The encrypted password could be generated in the global tree, then copied
back in the chrooted one.

Finally, we have to put proper permission flags on pap-home (or a
subdirectory) to let the FTP user read and/or write files.

Now everything is in place, make inetd re-read the configuration file (kill
-HUP inetd), and test the FTP login on port 22 :

# ftp localhost 22
Connected to localhost.
220 iris FTP server (SunOS 5.6) ready.
Name (localhost:pap): pap
331 Password required for pap.
Password:
230 User pap logged in.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
150 ASCII data connection for /bin/ls (127.0.0.1,34201) (0 bytes).
total 32
drwxr-xr-x   6 0        1             96 Feb  6  2001 .
drwxr-xr-x   6 0        1             96 Feb  6  2001 ..
lrwxrwxrwx   1 0        2              7 Jul  4  2001 bin -> usr/bin
drwxrwxr-x   2 0        3             96 Jun 11  2001 dev
drwxr-xr-x   3 0        1           8192 Feb  6  2001 etc
drwxrwxrwx   2 pap      prod        8192 Apr 15 17:45 fic_pap
drwxrwxr-x   4 0        3             96 Feb  6  2001 usr


Now you can create other users in the same tree, or under another dedicated
tree (in that case you have to start the chrooted in.ftpd server on another
dedicated TCP port).



---
Sebastien DAUBIGNE 
sdaubigne at bordeaux-bersol.sema.slb.com
<mailto:sdaubigne at bordeaux-bersol.sema.slb.com>  - (+33)5.57.26.56.36
SchlumbergerSema - SGS/DWH/Pessac

	-----Original Message-----
	From:	Simoncini, Matthew [SMTP:Matthew.Simoncini at bsci.com]
	Date:	Tuesday 16 September 2003 16:43
	To:	'sunhelp at sunhelp.org'
	Subject:	[SunHELP] Setting up an FTP user best practice

	Hello gurus,

	I've received a request to set up a local FTP account on one of our
	Production Solaris servers (currently 2.6 soon to be 2.8). My initial
	thought was to set up anonymous ftp and chroot. I discussed this with
	my boss and he doesn't like the thought of using anonymous FTP (some
	definite FUD there), so I'm left with setting up a regular or guest
	user to accomplish this task. Does anyone have decent instructions or
	scripts that will help me accomplish this task in Solaris 2.6 or
	Solaris 8? If we were running Solaris 9, ftpconfig would be a huge
	help, but I don't believe this is available in earlier releases of
	Solaris.

	Any help would be appreciated.

	Thanks.

	Matthew
	_______________________________________________
	SunHELP maillist  -  SunHELP at sunhelp.org
	http://www.sunhelp.org/mailman/listinfo/sunhelp
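A small helper for the procedure in Sebastien's reply above: it seeds the file list with ldd, copies the listed paths into the chroot with tar (so device nodes and symlinks survive, which cp would not do), then audits the finished tree and the global account. This is an added example, not a script from the message or from Sun; the user "pap", the tree /pap-home and the upload directory "fic_pap" come from the reply, while the function names, the list-file format and the check rules are assumptions made here.

```shell
#!/bin/sh
# Build and audit a chroot tree for a dedicated in.ftpd instance, following
# the method in Sebastien's reply. Added example, not his script: the user
# "pap", the tree /pap-home and the upload directory "fic_pap" are taken
# from the message; everything else is an assumption.
set -u

# Seed the file list the way the reply describes: print the absolute paths
# of the shared objects a binary needs. Handles Solaris and GNU ldd output
# ("libc.so.1 =>  /usr/lib/libc.so.1"); entries without a path are skipped.
ldd_deps() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Copy the paths listed in LISTFILE (relative to SRC, e.g. usr/lib/libc.so.1)
# into DEST with tar, which preserves modes, symlinks and device nodes
# (the reply warns against cp for the /dev entries). tar recreates parent
# directories itself, so list leaf files, not whole directories such as
# "usr". Blank lines and "#" comments in the list are ignored.
populate_chroot() {
    src=$1; dest=$2; listfile=$3
    mkdir -p "$dest" || return 1
    (cd "$src" && tar cf - $(sed '/^#/d;/^$/d' "$listfile")) \
        | (cd "$dest" && tar xpf -)
}

# Report everything inside the chroot that the FTP user could modify:
# group- or world-writable objects outside the designated upload directory
# (symlinks excluded, their mode is always 777), plus a chrooted etc/shadow
# readable by group or others. A writable library or pam.conf inside the
# tree would let the user change what the chrooted in.ftpd loads as root.
audit_chroot() {
    root=$1; upload=$2
    find "$root" -path "$root/$upload" -prune -o \
        ! -type l \( -perm -020 -o -perm -002 \) -print
    if [ -e "$root/etc/shadow" ]; then
        find "$root/etc/shadow" \( -perm -040 -o -perm -004 \) -print
    fi
}

# Check the global account the reply creates: the only entry point must be
# the chrooted ftpd, so the shell is /bin/false and the shadow field is
# locked ("NP" as in the reply, or the Solaris "*LK*" marker).
global_login_disabled() {
    user=$1; passwdf=$2; shadowf=$3
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwdf")
    field=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadowf")
    [ "$shell" = /bin/false ] || return 1
    case $field in
        NP|'*LK*') return 0 ;;
        *)         return 1 ;;
    esac
}

# Usage (hypothetical file names):
#   sh ftpchroot.sh build / /pap-home /root/pap-files.txt
#   sh ftpchroot.sh audit /pap-home fic_pap
#   sh ftpchroot.sh check pap /etc/passwd /etc/shadow
case ${1:-} in
    build) populate_chroot "$2" "$3" "$4" ;;
    audit) audit_chroot "$2" "$3" ;;
    check) global_login_disabled "$2" "$3" "$4" ;;
esac
```

Run "audit" again after every change to the tree and after each upload session; the only path it should ever print is nothing at all, since the upload directory is excluded by name. The port is whatever you registered in /etc/services; note that 22 is the IANA port of SSH, so on a host that also runs sshd you would register the chrooted service on a different port.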


