Operating System - HP-UX

Chroot FTP account to dir not owned by root

Ralph Grothe
Honored Contributor

Hi,

I was asked to create an FTP account that should only be able to log in to a chroot environment in some path owned by an SAP administrative account.
I know that man ftpd details the steps necessary for the standard chroot setup.
However, I fear that it won't work because I cannot make the chroot dir owned by root and unwritable by others like that SAP account.
Any ideas?

Regards

Ralph
Madness, thy name is system administration
10 REPLIES
Ralph Grothe
Honored Contributor

Re: Chroot FTP account to dir not owned by root

Hm, in syslog I get "FTP LOGIN REFUSED (bad shell) FROM".
Does this mean I will have to place a full copy of /sbin/sh in the chroot's usr/bin?
Madness, thy name is system administration
Ralph Grothe
Honored Contributor

Re: Chroot FTP account to dir not owned by root

No, this doesn't suffice.
I increased verbosity by giving -v for ftpd in inetd.conf and ran inetd -c.
It still is claiming "bad shell".
In the system passwd I gave the ftp user /usr/bin/false as login shell, while in the chroot's passwd I specified /usr/bin/sh,
because I think this path is absolute from the chroot dir.
I also cp-ed /sbin/sh to chroot_dir/usr/bin
and only set the x-bits on the file.
Madness, thy name is system administration
Ralph Grothe
Honored Contributor

Re: Chroot FTP account to dir not owned by root

When I add /usr/bin/false to /etc/shells
the login works but the chroot doesn't.
User can chroot to / and get into system's /
being able to see all files readable to him.
That's definitely not what I want.

Madness, thy name is system administration
paolo barila
Valued Contributor

Re: Chroot FTP account to dir not owned by root

Hi,

Are you working with WU-FTP on HP-UX?

Which version?

Did you set up /etc/ftpd/ftpaccess ?

I recently switched to proftpd.

Pablo
Ralph Grothe
Honored Contributor

Re: Chroot FTP account to dir not owned by root

Hi Paolo,

No, I haven't installed WU or any other FTP server on this box yet.
I thought I'd simply start with the OS's (B.11.11 PA-RISC) own ftpd that is fired up by inetd, because only one FTP account is required, which wouldn't necessarily justify the operation of a full-fledged stand-alone FTP server.
Actually, I only now discovered that I had already created an anonymous ftp account long ago to serve as the CPAN repository for other hosts in this subnet.
The problem is that this account needs to chroot to a completely different directory.
If it isn't possible for the standard ftpd to impose a chroot on non-anonymous ftp users as well, then I think I will have to go for a stand-alone server like ProFTP etc.

Madness, thy name is system administration
paolo barila
Valued Contributor

Re: Chroot FTP account to dir not owned by root

With the native 11.11 ftpd you can set the "-a" flag in /etc/inetd.conf

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a -u 002

and configure a guest user in

/etc/ftpd/ftpaccess

man ftpaccess

Ralph Grothe
Honored Contributor

Re: Chroot FTP account to dir not owned by root

Thank you Paolo for reminding me of ftpd's -a option in conjunction with the /etc/ftpd/ftpaccess file.
Such a file didn't exist,
and I am now trying to tinker one up with the help of man ftpaccess and the sample file in
/usr/newconfig/etc/ftpd/examples/ftpaccess

So far things don't work, but I am still trying.

I assume that ftpaccess is evaluated by ftpd every time it is spawned?
I think it would be rather pointless to inetd -c for every change in ftpaccess.
Madness, thy name is system administration
Ralph Grothe
Honored Contributor

Re: Chroot FTP account to dir not owned by root

I misunderstood the meaning of guestgroup
within ftpaccess.
But now it is working as expected.
Thanks again for reminding me to activate the parsing of ftpaccess by supplying ftpd with the -a option.
Paolo, if you want me to pop up a bunny
please give a short reply.
Madness, thy name is system administration
paolo barila
Valued Contributor
Solution

Re: Chroot FTP account to dir not owned by root

- Yes, you don't need to reissue an inetd -c

Put at least a "class" line:

#KEYWORD LABEL USER HOSTS
class everyone real,anonymous,guest *

# define a guestgroup in /etc/group
guestgroup ftpguest

Put in the guest user's homedir:
~/usr/bin owner root mode 555 (/sbin/ls mode 111 to do ls)
~/etc owner root mode 555 (copy of /etc/passwd and group)
~/public (to upload mode 0777 or 1722 if shared with other user)
~/dist (to download mode 555 file 444)
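The directory layout and modes Paolo lists above, as an added example that is not from the thread: a POSIX sh script that builds the guest chroot skeleton and audits it before the account is enabled, so a world-writable or non-root-owned directory is caught instead of silently weakening the chroot. It assumes the chroot base is passed as the first argument and that root runs it for real (ownership is only checked when running as root); the constructed passwd/group entries use placeholder uid/gid values, and the "-a" flag in inetd.conf plus the class/guestgroup lines in /etc/ftpd/ftpaccess are still required.

```shell
#!/bin/sh
# Added example (not from the thread): build and audit the guest-user chroot layout.
# Assumes: $1 is the chroot base; run as root for root ownership; uid/gid are placeholders.

# Exact-mode test using POSIX find, since HP-UX has no GNU "stat -c".
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

make_guest_chroot() {
    base="$1"
    mkdir -p "$base/usr/bin" "$base/etc" "$base/public" "$base/dist"
    # Private ls for the guest (the thread uses /sbin/ls); mode 111 lets it run but not be read.
    cp "$(command -v ls)" "$base/usr/bin/ls" && chmod 111 "$base/usr/bin/ls"
    # Constructed minimal passwd/group: only the guest, no hash, placeholder uid/gid.
    printf 'ftpguest:*:%s:%s::/:/usr/bin/sh\n' "${FTP_UID:-9999}" "${FTP_GID:-9999}" > "$base/etc/passwd"
    printf 'ftpguest::%s:\n' "${FTP_GID:-9999}" > "$base/etc/group"
    chmod 444 "$base/etc/passwd" "$base/etc/group"
    chmod 555 "$base/usr/bin" "$base/etc" "$base/dist"
    chmod 1722 "$base/public"   # upload dir; sticky bit so users cannot remove each other's files
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$base/usr/bin" "$base/etc" "$base/dist"
    fi
    return 0
}

# Returns 0 only when every path has the expected mode (and root owner, when run as root).
audit_guest_chroot() {
    base="$1"; rc=0
    for spec in usr/bin:555 etc:555 dist:555 public:1722 usr/bin/ls:111; do
        p="$base/${spec%%:*}"; m="${spec##*:}"
        if ! has_mode "$p" "$m"; then echo "BAD MODE: $p (want $m)"; rc=1; fi
    done
    if [ "$(id -u)" -eq 0 ]; then
        for d in usr/bin etc dist; do
            [ -n "$(find "$base/$d" -prune -user root -print)" ] || { echo "NOT ROOT-OWNED: $base/$d"; rc=1; }
        done
    fi
    return $rc
}
```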
Ralph Grothe
Honored Contributor

Re: Chroot FTP account to dir not owned by root

It didn't work the first time
because I forgot to insert a class stanza that contained "real" in the typelist.

So, for this pretty low-key FTP traffic
ProFTPD really would have been overkill, I presume.
Madness, thy name is system administration