
FTP chroot() broken between 11.11 -> 11.23

Steve Bonds
Trusted Contributor

We have a large number of "guest" users defined via /etc/passwd entries like:

ftpl795s:h/ibEx1jteb.6:10137:3017:FTP 795:/app/ftp/ftps/var/ftp/795/./:/usr/bin/false

The trailing "/./" used to mean to chroot() the user to the preceding path.

The directory /app/ftp/ftps/var/ftp/795 contains:

011
012

On HP-UX 11.11 the following command would work when connected via FTP:

ftp> cd /011

On HP-UX 11.23 the same command gives:

ftp> cd /011
550 /011: No such file or directory.

However, using a relative path still works:

ftp> cd 011
250 CWD command successful.

"cd /" gives the real root directory. Not good.

I've checked /etc/ftpd/ftpaccess and the /etc/inetd.conf entries and they're identical to the old host, so I don't think it's misconfigured.

Any ideas? I'll also be involving HP support and will post my solution here if they're faster than you guys.
3 REPLIES
Steve Bonds
Trusted Contributor

Re: FTP chroot() broken between 11.11 -> 11.23

Classic case of not changing the config file I thought I was changing. The real /etc/inetd.conf file was still missing the "-a" option, even though I thought it was present, having been duped by a different backup copy of that file.

Once the ftpaccess file was present and inetd.conf was using "-a" for its FTP daemon, chroot() magically started working again.

At least I only had to embarrass myself publicly rather than with HP support.

Oh, wait. Darnit.
Steve Bonds
Trusted Contributor

Re: FTP chroot() broken between 11.11 -> 11.23

Be sure inetd.conf has a line like:

ftp stream tcp6 nowait root /usr/lbin/ftpd ftpd -l -a -u 002

And be sure the user has the proper home directory with an embedded "/./"

And be sure /etc/ftpaccess lists that user's group in "guestgroup"...

... and it should work.
Olivier Masse
Honored Contributor

Re: FTP chroot() broken between 11.11 -> 11.23

Another tip. In inetd.conf, replace "tcp6" with "tcp" unless you're running IPv6. When using tcp6, many options in ftpaccess become disabled and this is not very well documented. Scratched my head a long time on this one. :)
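
The checks named in the replies above (the "-a" option on the live inetd.conf ftp line, a home directory with an embedded "/./", the user's group in "guestgroup", and the tcp6 tip) can be run as one shell function. This is an added example, not part of any post in this thread: the function name and argument order are made up here, all file paths are passed in rather than assumed, and it assumes "-a" appears as its own argument and that guestgroup lists the group by name.

```shell
#!/bin/sh
# Added example (not from the thread): audit the settings the replies say
# guest chroot() depends on. Function name and argument order are hypothetical.
# Usage: check_guest_chroot USER PASSWD_FILE GROUP_FILE INETD_CONF FTPACCESS
check_guest_chroot() {
    user=$1 passwd=$2 group=$3 inetd=$4 ftpaccess=$5 rc=0

    # 1. The live ftp line must pass -a to ftpd (assumes -a is its own argument).
    if ! awk '$1 == "ftp" { for (i = 7; i <= NF; i++) if ($i == "-a") ok = 1 }
              END { exit !ok }' "$inetd"; then
        echo "FAIL: no active ftp line with -a in $inetd"; rc=1
    fi
    # Tip from the last reply: tcp6 on a host not running IPv6 (warning only).
    if awk '$1 == "ftp" && $3 == "tcp6" { hit = 1 } END { exit !hit }' "$inetd"; then
        echo "WARN: ftp line uses tcp6; use tcp unless IPv6 is in use"
    fi

    # 2. The passwd home directory must contain an embedded "/./".
    home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$passwd")
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    case $home in
        */./*) ;;
        *) echo "FAIL: home '$home' of $user has no embedded /./"; rc=1 ;;
    esac

    # 3. The user's primary group must be named on a guestgroup line.
    gname=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    if ! awk -v g="$gname" '$1 == "guestgroup" {
             for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
             END { exit !ok }' "$ftpaccess"; then
        echo "FAIL: group '$gname' (gid $gid) not in guestgroup in $ftpaccess"; rc=1
    fi
    return $rc
}

# Run directly with five arguments to audit real files.
if [ "$#" -eq 5 ]; then check_guest_chroot "$@"; fi
```

Point it at the files inetd and ftpd actually read, not a backup copy, since that mix-up is what caused the problem in this thread.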