[SunHELP] Setting up an FTP user best practice
Chis (Ian Chisholm)
chis at pet.hw.ac.uk
Thu Sep 18 07:47:42 CDT 2003
Even easier if you use (e.g.) ProFTPD (http://www.proftpd.org), which has chroot'ed FTP as one of its features.
Cheers
Ian.
> -----Original Message-----
> From: DAUBIGNE Sebastien - BOR (SDaubigne at bordeaux-bersol.sema.slb.com) [mailto:SDaubigne at bordeaux-bersol.sema.slb.com]
> Sent: 16 September 2003 16:30
> To: The SunHELP List
> Subject: RE: [SunHELP] Setting up an FTP user best practice
>
>
> Actually it is possible to set up a chrooted FTP account with login/password. The user has access only to FTP, is authenticated, but can't go outside its home directory (it's like anonymous FTP, but with a proper user/password).
> It's a bit tricky, but here it is:
>
> The solution is to launch another FTP server (in.ftpd) on a dedicated TCP port (e.g. 22), in a chrooted tree. Thus, the user logged in with this FTP server will not be able to get out of the chrooted tree.
> This is almost similar to anonymous FTP, except that the chroot is done before in.ftpd is launched (anonymous FTP does it inside the in.ftpd code), so we'll have to put in some additional library files which will be loaded at in.ftpd startup.
>
> This may look ugly, but it works.
>
> Here is the method:
>
> Let's say we'll create a user "pap" who can only log in with a dedicated FTP in the chrooted "/pap-home" tree.
>
> First, we create a new service (chrooted in.ftpd on port 22):
>
> /etc/services:
> pap-ftp 22/tcp
>
> /etc/inetd.conf:
> pap-ftp stream tcp nowait root /usr/sbin/chroot chroot /pap-home /usr/bin/in.ftpd -l -d
>
> Then we create the user "pap" in the "global" tree and make sure it can't connect with telnet/rlogin/standard FTP (locked password and /bin/false shell):
>
> /etc/passwd:
> pap:x:3001:501:Chrooted ftp user:/pap-home:/bin/false
>
> /etc/group:
> papg::501:
>
> /etc/shadow:
> pap:NP:11479::::::
>
> Note that creating the user in the "global" tree is optional; this is just to make sure that the files uploaded in the chrooted tree will get a user ID also known in the global tree. (You can also map the user ID in the chrooted tree to the one of another user in the global tree.)
>
> Now we will create the chrooted tree.
> We have to put in every file necessary to launch in.ftpd. These are binaries (in.ftpd), dirs, libraries, character device nodes, and some system configuration files.
> This list is for the Solaris 2.6 in.ftpd. Maybe the Solaris 8 in.ftpd requires more or fewer files.
> The method I used to build the list was to first initialise the list with `ldd /usr/bin/in.ftpd`. Then, if the chrooted FTP startup/login fails, run "truss -aeflp" on the inetd process just before connecting, and detect the missing files (failed open() or access() syscalls).
> I suggest first using the following 2.6 list, which you have to copy from the global tree using tar or a similar copy tool, at least for the device nodes (doing a "cp" on a device node is a bad idea).
>
> /pap-home/etc
> /pap-home/etc/default
> /pap-home/etc/default/ftpd
> /pap-home/etc/netconfig
> /pap-home/etc/passwd
> /pap-home/etc/shadow
> /pap-home/etc/group
> /pap-home/etc/pam.conf
> /pap-home/usr
> /pap-home/usr/lib
> /pap-home/usr/lib/security
> /pap-home/usr/lib/security/pam_unix.so.1
> /pap-home/usr/lib/ld.so.1
> /pap-home/usr/lib/libc.so.1
> /pap-home/usr/lib/libdl.so.1
> /pap-home/usr/lib/libmp.so.2
> /pap-home/usr/lib/libnsl.so.1
> /pap-home/usr/lib/libsocket.so.1
> /pap-home/usr/lib/nss_compat.so.1
> /pap-home/usr/lib/nss_dns.so.1
> /pap-home/usr/lib/nss_files.so.1
> /pap-home/usr/lib/nss_nis.so.1
> /pap-home/usr/lib/nss_nisplus.so.1
> /pap-home/usr/lib/straddr.so
> /pap-home/usr/lib/straddr.so.2
> /pap-home/usr/lib/libbsm.so.1
> /pap-home/usr/lib/libpam.so.1
> /pap-home/usr/bin
> /pap-home/usr/bin/ls
> /pap-home/usr/bin/in.ftpd
> /pap-home/fic_pap
> /pap-home/dev
> /pap-home/dev/zero
> /pap-home/dev/tcp
> /pap-home/dev/udp
> /pap-home/dev/ticotsord
> /pap-home/dev/null
> /pap-home/bin (link to usr/bin)
>
> Now we have to customise the chrooted configuration files.
>
> First, remove all lines in /pap-home/etc/pam.conf and add these (this is not necessary as the only access is FTP, but it looks cleaner):
> ftp auth required /usr/lib/security/pam_unix.so.1
> ftp account required /usr/lib/security/pam_unix.so.1
> ftp session required /usr/lib/security/pam_unix.so.1
>
> Leave this line alone in /pap-home/etc/passwd:
> pap:x:3001:501:Chrooted ftp user:/pap-home:/usr/bin/ksh
>
> Leave this line alone in /pap-home/etc/group:
> papg::501:
>
> Leave this line alone in /pap-home/etc/shadow:
> pap:MrghnIhsqmgaM:11352::::::
>
> The encrypted password can be generated in the global tree, then copied back into the chrooted one.
>
> Finally, we have to put proper permission flags on pap-home (or a subdirectory) to let the FTP user read and/or write files.
>
> Now that everything is in place, make inetd re-read the configuration file (kill -HUP inetd), and test the FTP login on port 22:
>
> # ftp localhost 22
> Connected to localhost.
> 220 iris FTP server (SunOS 5.6) ready.
> Name (localhost:pap): pap
> 331 Password required for pap.
> Password:
> 230 User pap logged in.
> ftp> pwd
> 257 "/" is current directory.
> ftp> dir
> 200 PORT command successful.
> 150 ASCII data connection for /bin/ls (127.0.0.1,34201) (0 bytes).
> total 32
> drwxr-xr-x 6 0 1 96 Feb 6 2001 .
> drwxr-xr-x 6 0 1 96 Feb 6 2001 ..
> lrwxrwxrwx 1 0 2 7 Jul 4 2001 bin -> usr/bin
> drwxrwxr-x 2 0 3 96 Jun 11 2001 dev
> drwxr-xr-x 3 0 1 8192 Feb 6 2001 etc
> drwxrwxrwx 2 pap prod 8192 Apr 15 17:45 fic_pap
> drwxrwxr-x 4 0 3 96 Feb 6 2001 usr
>
>
> Now you can create other users in the same tree, or under another dedicated tree (in that case you have to start the chrooted in.ftpd server on another dedicated TCP port).
>
>
>
> ---
> Sebastien DAUBIGNE
> sdaubigne at bordeaux-bersol.sema.slb.com
> <mailto:sdaubigne at bordeaux-bersol.sema.slb.com> - (+33)5.57.26.56.36
> SchlumbergerSema - SGS/DWH/Pessac
>
> -----Original Message-----
> From: Simoncini, Matthew [SMTP:Matthew.Simoncini at bsci.com]
> Date: Tuesday 16 September 2003 16:43
> To: 'sunhelp at sunhelp.org'
> Subject: [SunHELP] Setting up an FTP user best practice
>
> Hello gurus,
>
> I've received a request to set up a local FTP account on one of our production Solaris servers (currently 2.6, soon to be 2.8). My initial thought was to set up anonymous FTP and chroot. I discussed this with my boss and he doesn't like the thought of using anonymous FTP (some definite FUD there), so I'm left with setting up a regular or guest user to accomplish this task. Does anyone have decent instructions or scripts that will help me accomplish this task in Solaris 2.6 or Solaris 8? If we were running Solaris 9, ftpconfig would be a huge help, but I don't believe this is available in earlier releases of Solaris.
>
> Any help would be appreciated.
>
> Thanks.
>
> Matthew
> _______________________________________________
> SunHELP maillist - SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
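The quoted recipe assembles the jail by hand: initialise the file list with ldd, copy it over (tar for the device nodes), then chase anything still missing with truss. The following POSIX sh script is an added example, my own and not code from anyone in the thread or from Solaris; it does the same steps as functions so the list is built and checked mechanically. It assumes an ldd(1) that prints "name => path" lines (Solaris and glibc both do), that the copy and device steps run as root, and it uses the post's illustrative names (/pap-home, pap, in.ftpd). Modules that in.ftpd dlopen()s at runtime (the nss_*, pam_unix and straddr entries in the list above) never show up in ldd output, so they are passed in as an extra list file and verified along with the rest.

```shell
#!/bin/sh
# Added example, not from the thread: assemble and verify a chroot tree for a
# daemon such as in.ftpd. Assumes ldd(1) prints "name => path" lines (Solaris
# and glibc do) and that jail_install/jail_devices run as root. Names such as
# /pap-home and pap are the post's illustrative ones.

# Turn ldd output on stdin into one absolute path per line. Unresolved
# libraries ("file not found") are reported on stderr and skipped.
ldd_paths() {
    while read -r line; do
        case "$line" in
            *'not found'*) printf 'unresolved: %s\n' "$line" >&2; continue ;;
        esac
        prev=
        for word in $line; do
            # the resolved path follows "=>"; ld.so itself may appear as a bare leading path
            if [ -z "$prev" ] || [ "$prev" = '=>' ]; then
                case "$word" in /*) printf '%s\n' "$word" ;; esac
            fi
            prev=$word
        done
    done
}

# Copy each absolute path read from stdin into the jail at the same relative
# location, creating parent directories (cp -p keeps the file modes).
jail_install() {
    jail=$1
    while read -r f; do
        [ -n "$f" ] || continue
        mkdir -p "$jail$(dirname "$f")"
        cp -p "$f" "$jail$f"
    done
}

# Device nodes are carried over with tar, not cp, as the post advises.
jail_devices() {
    jail=$1; shift
    names=
    for d in "$@"; do names="$names dev/$d"; done
    mkdir -p "$jail/dev"
    (cd / && tar cf - $names) | (cd "$jail" && tar xf -)
}

# Print the manifest entries (stdin) that are absent from the jail. Empty
# output means the tree is complete; anything printed is what truss would
# show as a failed open() at login time.
jail_missing() {
    jail=$1
    while read -r f; do
        [ -n "$f" ] || continue
        [ -e "$jail$f" ] || printf '%s\n' "$f"
    done
}

# Rewrite the home and shell fields of a passwd line, keeping name/uid/gid so
# files uploaded inside the jail carry a uid the global tree also knows.
passwd_rewrite() {
    printf '%s\n' "$1" | {
        IFS=: read -r name pw uid gid gecos home shell
        printf '%s:%s:%s:%s:%s:%s:%s\n' "$name" "$pw" "$uid" "$gid" "$gecos" "$2" "$3"
    }
}

# A global home directory as seen from inside the jail
# (/pap-home -> /, /pap-home/fic_pap -> /fic_pap; other paths unchanged).
jail_home() {
    home=$1; jail=$2
    case "$home" in
        "$jail"|"$jail"/*) rel=${home#"$jail"}; printf '%s\n' "${rel:-/}" ;;
        *) printf '%s\n' "$home" ;;
    esac
}

# Lock a shadow line for the global tree by replacing the hash with NP.
shadow_lock() {
    printf '%s\n' "$1" | {
        IFS=: read -r name hash rest
        printf '%s:NP:%s\n' "$name" "$rest"
    }
}

# Usage (as root): sh mkjail.sh JAIL BINARY [extra-files-list]
# e.g. sh mkjail.sh /pap-home /usr/bin/in.ftpd dlopen.list
if [ "$#" -ge 2 ]; then
    jail=$1; bin=$2; extra=${3:-/dev/null}
    manifest=$( { printf '%s\n' "$bin"; ldd "$bin" | ldd_paths; cat "$extra"; } | sort -u )
    printf '%s\n' "$manifest" | jail_install "$jail"
    jail_devices "$jail" null zero tcp udp ticotsord
    # Anything printed here is a file truss would show failing at login.
    printf '%s\n' "$manifest" | jail_missing "$jail"
fi
```

The global /etc/passwd line keeps /bin/false and the NP-locked shadow entry (shadow_lock), while the jail's copy gets the real shell and hash via passwd_rewrite with the home from jail_home; running jail_missing after every truss round replaces re-reading the syscall trace by eye.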