topic Re: chroot not working in Operating System - HP-UX

chroot not working

John Meissner — Thu, 20 Nov 2003 09:08:57 GMT

2 questons actually
I set up the user in the /etc/password file as such:

villaeri:password:21959:101:Name,location,,:/usr/sap/trans/./:/usr/bin/ksh

and when i ftp he goes to the correct directory "/usr/sap/trans" but is able to "cd .." to /usr/sap which is what i want to prevent.

on another note. when i use /etc/ftponly (or anthying i set up to do an exit 0) it won't let him log in. I don't seem to have an /etc/shells file either. could this be a problem? I want to prevent him from telnetting in & only want him to be able to ftp into the box

Re: chroot not working

John Poff — Thu, 20 Nov 2003 09:13:38 GMT

Hi John!

What does your ftpaccess file look like? That is where you'll need to setup the account to be restricted with chroot.

You will need an /etc/shells file to use /etc/ftponly. I would try creating /etc/shells first, with the /etc/ftponly entry, change his shell to ftponly, and try it again.

JP

Re: chroot not working

Massimo Bianchi — Thu, 20 Nov 2003 09:14:19 GMT

Hi,
i do not see where you set up the chroot..

/usr/sap/trans and /usr/sap are both accessible to a used belonging to the sapsys group, if you want to prevent this, you should really use the chroot, but doing so you will loose the chance of doing transports, because to won't find TPPARAM.

Maybe using rsh (restricted sheel) can help, but i'm not sure.

Better will bve to create a simple script that offers the user a manu of what to do, disabling ctrl+c using the trap command.

To prevent the user to login, you must first create the /etc/shell, the put therein all valid shells (sh, csh, ksh, /sbin/sh, false)
then setup /bin/false as his/her shell.

Massimo

Re: chroot not working

G. Vrijhoeven — Thu, 20 Nov 2003 09:17:38 GMT

John,

I do not know if this is the only way but this works:
Configure /etc/ftpd/ftpaccess and adjust the inetd.conf to start ftpd -a. copy usr/bin/ls to the chrooted home dir of the user.

Gideon

Re: chroot not working

Dave Hutton — Thu, 20 Nov 2003 09:18:53 GMT

Theres also an ftpaccess file that may help not allowing the person to go back a directory.

/usr/newconfig/etc/ftpd/examples/ftpaccess is a sample ftpaccess file

Dave

Re: chroot not working

John Meissner — Thu, 20 Nov 2003 09:23:56 GMT

I'm not sure if i did it correctly but by setting up "class readonly ftpusers and making the user in the group ftpusers... and also later in the file putting "upload /usr/sap/trans * no readonly" I was trying to set it up as readonly for this user... what did i do wrong?
here is what my /etc/ftpd/ftpaccess file looks like:

loginfails 2

class all real *
class readonly ftpusers

limit local 20 Any /etc/msgs/msg.toomany
limit remote 100 SaSu|Any1800-0600 /etc/msgs/msg.toomany
limit remote 60 Any /etc/msgs/msg.toomany

readme README* login
readme README* cwd=*

message /welcome.msg login
message .message cwd=*

compress yes local remote
tar yes local remote

# allow use of private file for SITE GROUP and SITE GPASS?
private yes

# passwd-check []
passwd-check rfc822 warn

log commands real
log transfers anonymous,real,ftpusers inbound,outbound
shutdown /etc/shutmsg

# all the following default to "yes" for everybody
delete no guest,anonymous # delete permission?
overwrite no guest,anonymous # overwrite permission?
rename no guest,anonymous # rename permission?
chmod no anonymous # chmod permission?
umask no anonymous # umask permission?

# specify the upload directory information
upload /var/ftp * no
upload /var/ftp /incoming yes root daemon 0600 dirs
upload /var/ftp /bin no
upload /var/ftp /etc no
upload /usr/sap/trans * no readonly
# directory aliases
alias inc /incoming
# cdpath
cdpath /incoming
cdpath /pub
cdpath /

# path-filter...
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

# specify which group of users will be treated as "guests".
#guestgroup ftpusers

email user@hostname

Re: chroot not working

John Meissner — Thu, 20 Nov 2003 09:25:32 GMT

Yes... i added the -a in the inetd.conf file... and did an inetd -c ... i used the sample file as my basis for setting the ftpaccess up but i probably didn't do it correctly.

Re: chroot not working

john korterman — Thu, 20 Nov 2003 09:34:16 GMT

Hi,
long time no see...
You need to specify in /etc/ftpd/ftpaccess that the user in question is a member of the guestgroup. That is at least one explanation why the restrictions do no apply. A simple test for checking is to look at what happens when the ftp session is esablished. If the phrase: "Access restrictions apply" appears at login for the user, the restrictions are active. If not, they are disregarded.

regards,
John K.

Re: chroot not working

G. Vrijhoeven — Thu, 20 Nov 2003 09:37:28 GMT

Hi,

provide the user with ls, check /var/adm/syslog.log for messages..

Shell must can be /bin/false, but you must put it in /etc/shells

Gideon

Re: chroot not working

John Meissner — Thu, 20 Nov 2003 09:37:59 GMT

Hi... yeah.. i've been away for a while... "hi everyone" ...

The user is a member of the group ftpusers which is defined as their primary group. I also specify ftpusers in the ftpaccess file... but am i doing it correctly? or do i have to specify the user specifically? and once i do ... how do i set their access to read only? sorry for all the questions

Re: chroot not working

john korterman — Thu, 20 Nov 2003 09:44:25 GMT

Hi,
just asked, as this looks uncommented:
#guestgroup ftpusers
in your ftpaccess file, meaning that no user group at all is regarded as a guestgroup.
BTW, remember to restart inetd after every change in ftpaccess.

regards,
John K.

Re: chroot not working

John Meissner — Thu, 20 Nov 2003 09:49:40 GMT

Yes... it was commented out becuase when i leave it uncommented i get the following error:

530 User villaeri access denied....
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.

but when i comment it out the log in works.

Re: chroot not working

john korterman — Thu, 20 Nov 2003 10:04:49 GMT

Hi,
try changing the user config. of the home dir in /etc/passwd to e.g.:
.....:/usr/sap/trans/./vialeridir:/usr/bin/false
and create the valieridir under /usr/sap/trans, owned by valieri.
You would normally make a common ftp users dir, in this case /usr/sap/trans and then make each ftp user's dir below. I think that your current configuration tries to make the "normal" root dir valieri's home dir.
You also should uncomment the guestgroup line in ftpaccess and restart inetd.
Good luck.

regards,
John K.

Re: chroot not working

John Meissner — Thu, 20 Nov 2003 10:15:35 GMT

John... i got the same error... 530 user villaeri access denied...

seems like it doesn't let anyone in guestgroup log in for some reason. can i set him up in another mannor?

Re: chroot not working

John Meissner — Thu, 20 Nov 2003 10:18:30 GMT

setting up the other directory as you suggested and commenting the guestgroup out again did log him in to /usr/sap/trans/villaeri ... but i don't want to allow him to cd .. from /usr/sap trans... not sure why it's not working.

I also have to make his access read only without changing the permissions of any files. gotta love this stuff :(

Re: chroot not working

John Poff — Thu, 20 Nov 2003 10:30:38 GMT

John,

On my Linux ftp server which uses ftpaccess and has an ftpusers group just like you are trying to use, I have an entry in my ftpaccess file like this:

class ftpusers guest *

Give it a try with this line and with the guestgroup ftpusers uncommented.

JP

Re: chroot not working

John Meissner — Thu, 20 Nov 2003 10:38:40 GMT

John. That makes the chroot command work perfectly! he ends up in the villaeri directory i created under /usr/sap/trans... and it sees /usr/sap/trans as / ... the one problem is that when i do an ls nothing displays in /usr/sap/trans... any idea?

Re: chroot not working

John Poff — Thu, 20 Nov 2003 10:40:27 GMT

Does he have permission to see any of those files?

I saw your note about having to make it all be read-only. I'm still thinking over that one.

JP

Re: chroot not working

John Meissner — Thu, 20 Nov 2003 10:45:33 GMT

John - yes. the permissions on almost all the files in the /usr/sap/trans are 755 so he does have read permissions on them - they are all directories

Re: chroot not working

Massimo Bianchi — Thu, 20 Nov 2003 10:46:26 GMT

What are , exaclty, uid and gid for villaeri ?
What are the permissions for /usr/sap and /usr/sap/trans, /usr/sap/trans/villaeri ?

Massimo