HPE Community
Operating System - HP-UX
1836752 Members
2618 Online
110109 Solutions
New Discussion

SITE EXEC on ftpd for a chroot'ed guest user

 
Ian Dennison_1
Honored Contributor

‎05-17-2012 01:18 AM

‎05-17-2012 01:18 AM

SITE EXEC on ftpd for a chroot'ed guest user

I am having a vast amount of hassle getting an FTP user in the guest group to run a "site exec" command. The man page is fairly unhelpful in that it only talks about regular and anonymous site execs.

 

Has anyone managed to achieve this? The user's sample home directory is "/usr/sap/cust/./aaa/incoming".

 

Share and Enjoy! Ian

Building a dumber user
0 Kudos
Reply
1 REPLY 1
Matti_Kurkela
Honored Contributor

‎05-18-2012 07:10 AM

‎05-18-2012 07:10 AM

Re: SITE EXEC on ftpd for a chroot'ed guest user

What is the binary the chrooted FTP user is supposed to run with the "site exec" command?

Run "ldd <binary_pathname>" to see which library files it depends on, and make copies of those libraries available in <chroot>/lib and/or <chroot>/usr/lib, as appropriate.Then check those libraries too, in case the libraries themselves depend on other libraries.

 

In your case, the library directories would apparently be /usr/sap/cust/lib and /usr/sap/cust/usr/lib.

 

You cannot get away with making symbolic links: you must make actual copies of the necessary libraries.

 

Perhaps surprisingly, a copy of /dev/null is very likely required. Just create the /usr/sap/cust/dev directory, and use mknod to create a duplicate of the real /dev/null device node, using the same major/minor device numbers as the real one.

 

You may also have to supply copies of some basic configuration files in <chroot>/etc: perhaps a stub /usr/sap/cust/etc/passwd with only the FTP users' own entries. The actual password hashes should not be necessary: the file only needs to have the correct format, so that libc's user/group lookup routines can function.

 

If the binary the chrooted user must run is complex, you may have to test it with "truss" or similar tool to identify all the system files it reads, and then provide suitable replacements inside the chroot environment.

MK
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.