SITE EXEC on ftpd for a chroot'ed guest user
Ian Dennison_1
Honored Contributor

SITE EXEC on ftpd for a chroot'ed guest user

I am having a vast amount of hassle getting an FTP user in the guest group to run a "site exec" command. The man page is fairly unhelpful in that it only talks about regular and anonymous site execs.

Has anyone managed to achieve this? The user's sample home directory is "/usr/sap/cust/./aaa/incoming".

Share and Enjoy! Ian

Building a dumber user
1 REPLY
Matti_Kurkela
Honored Contributor

Re: SITE EXEC on ftpd for a chroot'ed guest user

What is the binary the chrooted FTP user is supposed to run with the "site exec" command?

Run "ldd <binary_pathname>" to see which library files it depends on, and make copies of those libraries available in <chroot>/lib and/or <chroot>/usr/lib, as appropriate. Then check those libraries too, in case the libraries themselves depend on other libraries.

In your case, the library directories would apparently be /usr/sap/cust/lib and /usr/sap/cust/usr/lib.

You cannot get away with making symbolic links: you must make actual copies of the necessary libraries.

Perhaps surprisingly, a copy of /dev/null is very likely required. Just create the /usr/sap/cust/dev directory, and use mknod to create a duplicate of the real /dev/null device node, using the same major/minor device numbers as the real one.

You may also have to supply copies of some basic configuration files in <chroot>/etc: perhaps a stub /usr/sap/cust/etc/passwd with only the FTP users' own entries. The actual password hashes should not be necessary: the file only needs to have the correct format, so that libc's user/group lookup routines can function.

If the binary the chrooted user must run is complex, you may have to test it with "truss" or similar tool to identify all the system files it reads, and then provide suitable replacements inside the chroot environment.

MK
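
The steps from the reply above, collected into one script. This is an added example, not code posted by either participant. The function names are hypothetical, and it assumes each file is copied to the same path under the chroot, that "ls -l" prints the device numbers in columns 5 and 6, and that file paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from the thread. As root: sh script <chroot> <binary> <user>

# Print the absolute library paths in ldd output read on stdin; entries
# with no file behind them ("not found", linux-vdso) are skipped.
ldd_paths() {
    awk '{ p = $1
           for (i = 1; i < NF; i++) if ($i == "=>") { p = $(i + 1); break }
           if (p ~ /^\//) print p }' | LC_ALL=C sort -u
}

# Copy a file to the same path under the chroot. cp without -R follows
# symbolic links, so the chroot gets a real copy, never a link.
copy_into_chroot() {
    mkdir -p "$2$(dirname "$1")" && cp -p "$1" "$2$1"
}

# Copy the binary, its libraries, and whatever those libraries need.
populate_chroot() {
    root=$1; shift; seen=" "
    while [ $# -gt 0 ]; do
        f=$1; shift
        case $seen in *" $f "*) continue ;; esac
        seen="$seen$f "
        copy_into_chroot "$f" "$root" || return 1
        set -- "$@" $(ldd "$f" 2>/dev/null | ldd_paths)
    done
}

# Print "major minor" from an "ls -l" device line on stdin
# (a trailing comma after the major number is dropped).
dev_numbers() {
    awk '{ sub(/,$/, "", $5); print $5, $6 }'
}

# Create <chroot>/dev/null with the real node's numbers (needs root).
make_devnull() {
    mkdir -p "$1/dev" && mknod "$1/dev/null" c $(ls -lL /dev/null | dev_numbers) &&
        chmod 666 "$1/dev/null"
}

# Print one user's passwd entry with the password field replaced by "*".
passwd_stub() {
    awk -F: -v u="$1" 'BEGIN { OFS = ":" } $1 == u { $2 = "*"; print }'
}

if [ $# -eq 3 ]; then
    populate_chroot "$1" "$2" && make_devnull "$1" && mkdir -p "$1/etc" &&
        passwd_stub "$3" < /etc/passwd >> "$1/etc/passwd"
fi
```

Because cp -p preserves ownership and mode, the copies stay root-owned as long as the originals are; check that nothing under the chroot's lib, dev and etc directories is writable by the guest user.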