HPE Community
Operating System - HP-UX
1833784 Members
2087 Online
110063 Solutions
New Discussion

ftp restricted user and chroot

 
Peter Blinks
New Member

‎11-09-2000 10:08 AM

‎11-09-2000 10:08 AM

ftp restricted user and chroot

Creating a HPUX v11 restricted ftp user and trying to force a chroot to it's home directory. It does the chdir OK, but the user ftp session can still cd up the directory tree (in the wrong direction!) and view files.
The passwd entry is:-
user:*:550:3334:,,,:/local/data/user/./:/usr/bin/ftpshell
The ftpshell does an "exit 0" to disallow login.
The /etc/ftpd/ftpaccess has got the 3334 group added in guestgroups.
I've added the "ftpd -a -l" in the inetd.conf to read the ftpaccess file for allowed guest groups and restarted inetd daemon.
Any ideas?
0 Kudos
Reply
4 REPLIES 4
James R. Ferguson
Acclaimed Contributor

‎11-09-2000 12:48 PM

‎11-09-2000 12:48 PM

Re: ftp restricted user and chroot

Peter:

See if this thread helps resolve your problem:

http://my1.itrc.hp.com/cm/QuestionAnswer/1,1150,0x05970559ff7cd4118fef0090279cd0f9,00.html

...JRF...
0 Kudos
Reply
Peter Blinks
New Member

‎11-10-2000 02:22 AM

‎11-10-2000 02:22 AM

Re: ftp restricted user and chroot

Thanks James.
That is indeed the document I used to set this ftp user up, and I've re-checked it many times with no luck. So I'm still stuck.
0 Kudos
Reply
Stephane Fromholtz
Advisor

‎04-26-2002 01:12 AM

‎04-26-2002 01:12 AM

Re: ftp restricted user and chroot

your /etc/ftpd/ftpaccess is enabled by the use of the -a option on ftpd in /etc/inetd.conf. This file includes a 'guestgroup ftponly', this means that a user that will be part of this group will be chrooted.

All other parts of the config are Ok (ftpshell with exit 0, etc...). Did you include the line

/usr/bin/ftpshell

in the file /etc/shells ?
This is important.
0 Kudos
Reply
Shannon Petry
Honored Contributor

‎04-26-2002 08:36 AM

‎04-26-2002 08:36 AM

Re: ftp restricted user and chroot

I wrote a descent document for handeling chroot in wu-ftpd a while ago. You can find it at:

http://www.invenioeng.com/systems/index.html

Select the top link to documents, then to ftp server docs.

Some things I do...

1. chrooted user entry home should be
/dir/home/./johndoe

I make the home dirs owned by root and 555 permissions. Nothing but .message, blank .rhosts, blank .forward is in their home. (obvious security issues resolved) I give them an incoming and outgoing directory in their home that they own. permissions 700. People can cd .. and see other's home's but never access data.

If you dont want them to see each other's stuff, you will have to create separate chrooted stuff in each users home. I.E. /bin/ls, /etc/passwd, etc...

If your not comfortable with the above, use proftpd. It supports chrooted environments without all the binaries, only requires /etc/messages in each users home.

BTW: standard is to use /bin/false for ftp users so that they can not telnet in . It does the same as your ftpshell, but is standard on all systems.

Regards,
Shannon
Microsoft. When do you want a virus today?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.