
chroot not working

SOLVED
John Meissner
Esteemed Contributor

chroot not working

2 questions actually
I set up the user in the /etc/passwd file as such:

villaeri:password:21959:101:Name,location,,:/usr/sap/trans/./:/usr/bin/ksh

and when I ftp he goes to the correct directory "/usr/sap/trans" but is able to "cd .." to /usr/sap, which is what I want to prevent.

On another note: when I use /etc/ftponly (or anything I set up to do an exit 0) it won't let him log in. I don't seem to have an /etc/shells file either. Could this be a problem? I want to prevent him from telnetting in & only want him to be able to ftp into the box.
All paths lead to destiny
27 REPLIES
John Poff
Honored Contributor

Re: chroot not working

Hi John!

What does your ftpaccess file look like? That is where you'll need to set up the account to be restricted with chroot.

You will need an /etc/shells file to use /etc/ftponly. I would try creating /etc/shells first, with the /etc/ftponly entry, change his shell to ftponly, and try it again.

JP
Massimo Bianchi
Honored Contributor
Solution

Re: chroot not working

Hi,
I do not see where you set up the chroot..

/usr/sap/trans and /usr/sap are both accessible to a user belonging to the sapsys group. If you want to prevent this, you should really use the chroot, but doing so you will lose the chance of doing transports, because it won't find TPPARAM.

Maybe using rsh (restricted shell) can help, but I'm not sure.

Better will be to create a simple script that offers the user a menu of what to do, disabling ctrl+c using the trap command.

To prevent the user from logging in, you must first create /etc/shells, then put therein all valid shells (sh, csh, ksh, /sbin/sh, false),
then set up /bin/false as his/her shell.

Massimo


G. Vrijhoeven
Honored Contributor

Re: chroot not working

John,

I do not know if this is the only way but this works:
Configure /etc/ftpd/ftpaccess and adjust inetd.conf to start ftpd -a. Copy /usr/bin/ls to the chrooted home dir of the user.

Gideon

Dave Hutton
Honored Contributor

Re: chroot not working

There's also an ftpaccess file that may help not allowing the person to go back a directory.

/usr/newconfig/etc/ftpd/examples/ftpaccess is a sample ftpaccess file

Dave
John Meissner
Esteemed Contributor

Re: chroot not working

I'm not sure if I did it correctly, but by setting up "class readonly ftpusers" and making the user in the group ftpusers... and also later in the file putting "upload /usr/sap/trans * no readonly" I was trying to set it up as readonly for this user... what did I do wrong?
Here is what my /etc/ftpd/ftpaccess file looks like:

loginfails 2

class all real *
class readonly ftpusers

limit local 20 Any /etc/msgs/msg.toomany
limit remote 100 SaSu|Any1800-0600 /etc/msgs/msg.toomany
limit remote 60 Any /etc/msgs/msg.toomany

readme README* login
readme README* cwd=*

message /welcome.msg login
message .message cwd=*

compress yes local remote
tar yes local remote

# allow use of private file for SITE GROUP and SITE GPASS?
private yes

# passwd-check []
passwd-check rfc822 warn

log commands real
log transfers anonymous,real,ftpusers inbound,outbound
shutdown /etc/shutmsg

# all the following default to "yes" for everybody
delete no guest,anonymous # delete permission?
overwrite no guest,anonymous # overwrite permission?
rename no guest,anonymous # rename permission?
chmod no anonymous # chmod permission?
umask no anonymous # umask permission?

# specify the upload directory information
upload /var/ftp * no
upload /var/ftp /incoming yes root daemon 0600 dirs
upload /var/ftp /bin no
upload /var/ftp /etc no
upload /usr/sap/trans * no readonly
# directory aliases
alias inc /incoming
# cdpath
cdpath /incoming
cdpath /pub
cdpath /

# path-filter...
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

# specify which group of users will be treated as "guests".
#guestgroup ftpusers

email user@hostname
All paths lead to destiny
John Meissner
Esteemed Contributor

Re: chroot not working

Yes... I added the -a in the inetd.conf file... and did an inetd -c ... I used the sample file as my basis for setting the ftpaccess up but I probably didn't do it correctly.
All paths lead to destiny
john korterman
Honored Contributor

Re: chroot not working

Hi,
long time no see...
You need to specify in /etc/ftpd/ftpaccess that the user in question is a member of the guestgroup. That is at least one explanation why the restrictions do not apply. A simple test for checking is to look at what happens when the ftp session is established. If the phrase "Access restrictions apply" appears at login for the user, the restrictions are active. If not, they are disregarded.

regards,
John K.
it would be nice if you always got a second chance
G. Vrijhoeven
Honored Contributor

Re: chroot not working

Hi,

provide the user with ls, check /var/adm/syslog.log for messages..

Shell can be /bin/false, but you must put it in /etc/shells

Gideon

John Meissner
Esteemed Contributor

Re: chroot not working

Hi... yeah.. I've been away for a while... "hi everyone" ...

The user is a member of the group ftpusers, which is defined as their primary group. I also specify ftpusers in the ftpaccess file... but am I doing it correctly? Or do I have to specify the user specifically? And once I do... how do I set their access to read only? Sorry for all the questions
All paths lead to destiny
john korterman
Honored Contributor

Re: chroot not working

Hi,
just asked, as this looks uncommented:
#guestgroup ftpusers
in your ftpaccess file, meaning that no user group at all is regarded as a guestgroup.
BTW, remember to restart inetd after every change in ftpaccess.

regards,
John K.
it would be nice if you always got a second chance
John Meissner
Esteemed Contributor

Re: chroot not working

Yes... it was commented out because when I leave it uncommented I get the following error:

530 User villaeri access denied....
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.

but when I comment it out the login works.
All paths lead to destiny
john korterman
Honored Contributor

Re: chroot not working

Hi,
try changing the user config. of the home dir in /etc/passwd to e.g.:
.....:/usr/sap/trans/./villaeridir:/usr/bin/false
and create the villaeridir under /usr/sap/trans, owned by villaeri.
You would normally make a common ftp users dir, in this case /usr/sap/trans, and then make each ftp user's dir below. I think that your current configuration tries to make the "normal" root dir villaeri's home dir.
You also should uncomment the guestgroup line in ftpaccess and restart inetd.
Good luck.

regards,
John K.
it would be nice if you always got a second chance
John Meissner
Esteemed Contributor

Re: chroot not working

John... I got the same error... 530 user villaeri access denied...

Seems like it doesn't let anyone in guestgroup log in for some reason. Can I set him up in another manner?
All paths lead to destiny
John Meissner
Esteemed Contributor

Re: chroot not working

Setting up the other directory as you suggested and commenting the guestgroup out again did log him in to /usr/sap/trans/villaeri ... but I don't want to allow him to cd .. from /usr/sap/trans... not sure why it's not working.

I also have to make his access read only without changing the permissions of any files. gotta love this stuff :(
All paths lead to destiny
John Poff
Honored Contributor

Re: chroot not working

John,

On my Linux ftp server which uses ftpaccess and has an ftpusers group just like you are trying to use, I have an entry in my ftpaccess file like this:

class ftpusers guest *

Give it a try with this line and with the guestgroup ftpusers uncommented.

JP
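Pulling together what the replies so far say has to line up for a guest login (the "/./" chroot marker in the passwd home field, the login shell being listed in /etc/shells, and an uncommented guestgroup line plus a "class ... guest" line in ftpaccess), here is an added shell script that is not from the thread or from the ftpd it discusses. It runs those checks over constructed sample files in a temp directory; the user, group and path names (villaeri, ftpusers, /usr/sap/trans) are reused from the thread as assumptions, and the "530 access denied" interpretation of a missing guest class follows the exchange above.

```shell
#!/bin/sh
# Added example, not from the thread: check the three things the replies
# say must line up for a wu-ftpd guest (chroot) login to work.
#   1. the home field in /etc/passwd carries the "/./" chroot marker,
#   2. the login shell is listed in /etc/shells (ftpd rejects it otherwise),
#   3. ftpaccess names the group in an uncommented "guestgroup" line and
#      has a "class <name> guest ..." line, so guest logins fall into a class.
# The sample files below are constructed; the user/group/path names
# (villaeri, ftpusers, /usr/sap/trans) are taken from the thread.

# Print "<chroot root> <dir after chroot>" for a passwd line, or fail when
# the home field has no "/./" marker (then ftpd does not chroot at all).
split_chroot_home() {
    home=$(printf '%s\n' "$1" | awk -F: '{ print $6 }')
    case "$home" in
        */./*) ;;
        *) printf 'no /./ chroot marker in home field: %s\n' "$home" >&2
           return 1 ;;
    esac
    root=${home%%/./*}
    sub=${home#*/./}
    printf '%s %s\n' "$root" "${sub:-.}"
}

# ftpd only accepts a login shell that appears, exactly, in /etc/shells;
# this is why /bin/false has to be listed there even though it never runs.
shell_is_listed() {
    grep -q -x -e "$2" "$1"
}

# True when an uncommented "guestgroup ..." line in $1 names group $2.
# A leading "#" makes the first field "#guestgroup", so it does not match.
guestgroup_active() {
    awk -v g="$2" '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
                   END { exit !found }' "$1"
}

# True when some "class <name> guest ..." line exists in $1. Without a
# class that admits guest logins, ftpd answers "530 ... access denied".
guest_class_defined() {
    awk '$1 == "class" { for (i = 3; i <= NF; i++) if ($i == "guest") found = 1 }
         END { exit !found }' "$1"
}

# Run all checks for one passwd line; return 0 only if every check passes.
check_guest_login() {
    entry=$1; shells=$2; ftpaccess=$3; group=$4; ok=0
    shell=$(printf '%s\n' "$entry" | awk -F: '{ print $7 }')
    split_chroot_home "$entry" >/dev/null   || { echo "FAIL: no /./ chroot marker"; ok=1; }
    shell_is_listed "$shells" "$shell"      || { echo "FAIL: $shell not in $shells"; ok=1; }
    guestgroup_active "$ftpaccess" "$group" || { echo "FAIL: guestgroup $group not active"; ok=1; }
    guest_class_defined "$ftpaccess"        || { echo "FAIL: no class admits guest logins"; ok=1; }
    return $ok
}

# --- constructed sample files (stand-ins for the real /etc files) ---
work=$(mktemp -d)
printf '%s\n' 'villaeri:x:21959:101:Name,location,,:/usr/sap/trans/./villaeri:/bin/false' > "$work/passwd"
printf '%s\n' /sbin/sh /usr/bin/sh /usr/bin/ksh /bin/false > "$work/shells"
cat > "$work/ftpaccess" <<'EOF'
class all real *
class ftpusers guest *
guestgroup ftpusers
upload /usr/sap/trans * no
EOF
# Same file with guestgroup still commented out, as in the posted config.
sed 's/^guestgroup/#guestgroup/' "$work/ftpaccess" > "$work/ftpaccess.commented"

entry=$(cat "$work/passwd")
echo "chroot root and landing dir: $(split_chroot_home "$entry")"
if check_guest_login "$entry" "$work/shells" "$work/ftpaccess" ftpusers; then
    echo "guest login configuration looks consistent"
fi
check_guest_login "$entry" "$work/shells" "$work/ftpaccess.commented" ftpusers \
    || echo "(as expected, the commented-out guestgroup line fails the check)"
```

To use it against a real box, point the three file arguments at /etc/passwd (one line), /etc/shells and /etc/ftpd/ftpaccess; a FAIL line names which of the three pieces is still missing, which is quicker than reading the 530 reply in the ftp client.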
John Meissner
Esteemed Contributor

Re: chroot not working

John. That makes the chroot command work perfectly! he ends up in the villaeri directory i created under /usr/sap/trans... and it sees /usr/sap/trans as / ... the one problem is that when i do an ls nothing displays in /usr/sap/trans... any idea?
All paths lead to destiny
John Poff
Honored Contributor

Re: chroot not working

Does he have permission to see any of those files?

I saw your note about having to make it all be read-only. I'm still thinking over that one.

JP
John Meissner
Esteemed Contributor

Re: chroot not working

John - yes. the permissions on almost all the files in the /usr/sap/trans are 755 so he does have read permissions on them - they are all directories
All paths lead to destiny
Massimo Bianchi
Honored Contributor

Re: chroot not working

What are, exactly, uid and gid for villaeri?
What are the permissions for /usr/sap, /usr/sap/trans and /usr/sap/trans/villaeri?

Massimo
John Meissner
Esteemed Contributor

Re: chroot not working

uid is 21959 and gid is 101

I also just did an nlist and all the directories displayed. Any way to alias nlist to ls?
All paths lead to destiny
John Meissner
Esteemed Contributor

Re: chroot not working

I fixed the ls issue...
Since this user is seeing /usr/sap/trans as /,
I had to create /usr/bin and /usr/lib under /usr/sap/trans and copy the necessary files there for him to run the ls command.
All paths lead to destiny
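With copies of ls and its libraries now living inside the chroot root next to the user's landing directory, the two things worth verifying before handing the account over are that the ftp account cannot modify anything in that tree (the read-only requirement mentioned earlier) and that no setuid or setgid binary came along with the copy. The following shell script is an added example, not code from the thread or from the ftpd it discusses; it builds a constructed sample tree shaped like the one described above under a temporary directory, uses the current user and group as stand-ins for villaeri and ftpusers because it is not run as root, and reports anything the account could write to.

```shell
#!/bin/sh
# Added example, not from the thread: audit a wu-ftpd chroot tree such as
# /usr/sap/trans after ls and its libraries were copied under it.
# Two things must hold for a read-only drop box:
#   - nothing in the tree is writable by the ftp account (owner write on
#     files it owns, group write for its group, or world write), and
#   - no regular file in the tree carries the setuid/setgid bit.
# The sample tree is constructed in a temp dir; the current user and group
# stand in for villaeri/ftpusers because the script is not run as root.

# List entries under $1 that user $2 (group $3) could modify.
writable_by_ftp_user() {
    find "$1" \( \( -user "$2" -perm -200 \) -o \( -group "$3" -perm -020 \) -o -perm -002 \) -print
}

# List regular files under $1 with the setuid or setgid bit set; a chroot
# populated by copying from /usr/bin must not contain any.
setuid_in_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print both lists; return 1 if either is non-empty, else 0.
report_risky_entries() {
    bad=0
    w=$(writable_by_ftp_user "$1" "$2" "$3")
    s=$(setuid_in_tree "$1")
    [ -n "$w" ] && { echo "writable by $2:"; echo "$w"; bad=1; }
    [ -n "$s" ] && { echo "setuid/setgid files:"; echo "$s"; bad=1; }
    return $bad
}

# Build a constructed tree shaped like the thread's chroot: the landing dir
# villaeri plus usr/bin and usr/lib holding the copied ls and its library.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/lib" "$root/villaeri"
    : > "$root/usr/bin/ls";         chmod 555 "$root/usr/bin/ls"            # fine
    : > "$root/usr/lib/libc.sl";    chmod 444 "$root/usr/lib/libc.sl"       # fine
    : > "$root/villaeri/notes.txt"; chmod 644 "$root/villaeri/notes.txt"    # owner-writable: flagged
    : > "$root/usr/bin/stray";      chmod 4755 "$root/usr/bin/stray"        # setuid and writable: flagged
    chmod 555 "$root/villaeri" "$root/usr/bin" "$root/usr/lib" "$root/usr" "$root"
    printf '%s\n' "$root"
}

# Restore write bits so the temp tree can be removed again.
cleanup_sample_tree() {
    chmod -R u+w "$1" && rm -rf "$1"
}

me=$(id -un); mygroup=$(id -gn)
sample_root=$(build_sample_tree)
if report_risky_entries "$sample_root" "$me" "$mygroup"; then
    echo "chroot tree is read-only for $me"
else
    echo "fix the entries above before handing the account over"
fi
```

On the real system the call would be `report_risky_entries /usr/sap/trans villaeri ftpusers` run as root; an empty report means the "put" really is impossible because of ownership and mode bits, not just because ftpaccess says "upload ... no".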
John Poff
Honored Contributor

Re: chroot not working

John,

I was just thinking about that. When you configure anonymous ftp [and the guest service in ftp is basically the same thing], you have to set up a separate directory for the ls and a few other commands. I don't remember where it goes off of the top of my head, but there is a specific place to put it, which is outside of the directory your user is landing in. Probably you'll want to dig up the docs on setting up anonymous ftp and check it out. It may be safer in the long run.

Have fun!

JP
John Meissner
Esteemed Contributor

Re: chroot not working

Safer than copying the files directly into the ftp / :) just kidding.. I'll have to look that up. :) Good to see you again John... it's been a while ...you're not an olympian yet? :)

I think everything is set up now... I checked and I'm not able to put anything, which is exactly what I wanted. I'll have to test this a little before I give it to the user... his boss doesn't trust him so that's why I'm setting it up.
All paths lead to destiny
John Poff
Honored Contributor

Re: chroot not working

Good to see you again too! Olympian? I'm taking the scenic route. Actually, they started making me do some real work this year and they are getting used to the idea. I'm managing to squeeze in some time here and there. Things were looking up until I foolishly volunteered that I had previous experience with a software package they had just bought, and they rewarded my big mouth by putting me in charge of the project. Oops!

I know the feeling about your user. We have a few here also. ;)

JP