RE: [proxy-suite] Chroot feature on proxy-suite
Thanks. It seems that I can start ftp-proxy daemon as standalone. When I tried to access outside ftp server, i.e. ftp.sun.com, I got a message:

# ftp ftp-proxy.liz.com
Connected to ftp-proxy.liz.com
220 ftp-proxy FTP server (Version 1.9 - 2002/05/02 15:14:55) ready.
Name (ftp-proxy:ryan): anonymous@ftp.sun.com
501 Invalid destination in user name.
Login failed.
ftp>quit

I commented out "chroot" statement in the configuration file so the ftp proxy server runs as normal. I did the same thing to access ftp.sun.com and I can access the ftp server without problem. It seemed to me that ftp proxy server can't run chroot mode at least for client side. Is this true? Thanks in advance.

Ryan Jiang
Liz Claiborne, Inc.
(201) 295-7171

-----Original Message-----
From: Marius Tomaschewski [mailto:mt@suse.de]
Sent: Monday, July 22, 2002 8:39 AM
To: proxy-suite@suse.com
Cc: Ruiyuan Jiang
Subject: Re: [proxy-suite] Chroot feature on proxy-suite

On Fri, Jul 19, 2002 at 12:52:46PM -0400, Ruiyuan Jiang wrote:
Hi, all
I would like to use chroot() feature for proxy-suite (Sun Blade 100, Solaris 9). Under /var/proxy-suite/rundir, I created directories dev, etc, usr. I linked /dev/null to null in the dev directory.
No, a link can't work - use mknod instead and create a real $ServerRoot/dev/null device.
I copied /usr/lib/libc.so to usr/lib directory and copied /etc/passwd and group files to etc subdirectory.
Make sure there are no real passwords. You can also create dummy files instead, i.e.

$ServerRoot/etc/passwd:
root:*:0:0:root:/:/bin/false
ftp-proxy:*:5000:5000:proxy user:/:/bin/false

$ServerRoot/etc/group:
root:*:0:root
ftp-proxy:*:5000:

or specify the User and Group as UID/GID numbers in the ftp-proxy.conf...
I tried to start ftp-proxy standalone and I got a message:
# ./ftp-proxy
ftp-proxy [9278] <07/19-16:13:13> TECH-ERR can't write config file into chroot
I tried to create var/run directory under /var/proxy-suite/rundir for pid file and var/log under /var/proxy-suite/rundir for log file but I got the same message when I tried to start the daemon. Does anyone know which config file it is? Thanks in advance.
The proxy writes its config into the chroot if it is not there,
to be able to reload it on SIGHUP.
Copy your /etc/proxy-suite/ftp-proxy.conf into the chroot as well.
Another solution is to make the config directory in the chroot
$ServerRoot/etc/proxy-suite/
writeable to the user the proxy runs as... But this is not needed
if you copy the config yourself.
Regards,
Marius Tomaschewski
On Mon, Jul 22, 2002 at 03:41:57PM -0400, Ruiyuan Jiang wrote:
Thanks. It seems that I can start ftp-proxy daemon as standalone. When I tried to access outside ftp server, i.e. ftp.sun.com, I got a message:
# ftp ftp-proxy.liz.com
Connected to ftp-proxy.liz.com
220 ftp-proxy FTP server (Version 1.9 - 2002/05/02 15:14:55) ready.
Name (ftp-proxy:ryan): anonymous@ftp.sun.com
501 Invalid destination in user name.
Login failed.
ftp>quit
I commented out "chroot" statement in the configuration file so the ftp proxy server runs as normal. I did the same thing to access ftp.sun.com and I can access the ftp server without problem. It seemed to me that ftp proxy server can't run chroot mode at least for client side. Is this true? Thanks in advance.
No, you need more libraries in the chroot, at _least_ the libs
you can see using ldd - for example:
# ldd ftp-proxy
libldap.so.4 => /usr/lib/libldap.so.4
libresolv.so.2 => /usr/lib/libresolv.so.2
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
In the case you get "Invalid destination" (like above)
the proxy is not able to resolve the hostname. Try out
using IP-Number - this may work, i.e.:
ftp ftp-proxy.liz.com
Name (ftp-proxy:ryan): anonymous@217.9.113.66
Solaris is using /etc/nsswitch.conf - you need the corresponding
libraries, i.e. if you are using the following /etc/nsswitch.conf:
#
# /etc/nsswitch.dns:
#
passwd: files
group: files
hosts: files dns
you need the libraries /usr/lib/nss_files* /usr/lib/nss_dns*.
Further you need the /etc/nsswitch.conf, /etc/hosts (or
/etc/inet/hosts), /etc/host.conf(?), /etc/resolv.conf,
/etc/services and /etc/protocols in the chroot as well.
Kind regards,
Marius Tomaschewski
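
The checks Marius lists across his two replies, collected into one audit script. This is an added example, not part of the original thread or of proxy-suite; the function names are hypothetical, /etc/host.conf is left out because the thread marks it as uncertain, and treating only `*` or `x` as safe password placeholders is an assumption.

```shell
#!/bin/sh
# Added example: audit a proxy-suite chroot for the items named in this thread.
# ROOT is the chroot directory (the thread's $ServerRoot).
# Usage:  audit_chroot /var/proxy-suite/rundir
#         ldd ./ftp-proxy | missing_libs /var/proxy-suite/rundir

# Files the thread says must exist inside the chroot (etc/hosts may be a
# relative link to etc/inet/hosts, as long as it resolves inside ROOT).
NEEDED="etc/proxy-suite/ftp-proxy.conf etc/nsswitch.conf etc/hosts
etc/resolv.conf etc/services etc/protocols"

# Read `ldd` output on stdin; print each resolved library missing under ROOT.
missing_libs() {
    root=$1
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | while read -r lib; do
        [ -e "$root$lib" ] || echo "$lib"
    done
}

# Print one line per problem found in ROOT; print nothing if it looks complete.
audit_chroot() {
    root=$1
    # dev/null must be a real character device made with mknod, not a link.
    if [ -L "$root/dev/null" ]; then
        echo "dev/null: is a link, create it with mknod"
    elif [ ! -c "$root/dev/null" ]; then
        echo "dev/null: missing or not a character device"
    fi
    for f in $NEEDED; do
        [ -f "$root/$f" ] || echo "$f: missing"
    done
    # "hosts: files dns" in nsswitch.conf needs both NSS modules present.
    for mod in nss_files nss_dns; do
        found=no
        for lib in "$root"/usr/lib/"$mod"*; do
            [ ! -e "$lib" ] || found=yes
        done
        [ "$found" = yes ] || echo "usr/lib/$mod*: missing"
    done
    # The chroot copy of passwd must carry placeholders, never real hashes.
    if [ -f "$root/etc/passwd" ]; then
        awk -F: '$2 != "*" && $2 != "x" { print "etc/passwd: real password field for " $1 }' \
            "$root/etc/passwd"
    fi
}
```

A missing nss_dns module or resolv.conf is the kind of gap that produces the "501 Invalid destination" reply seen above, since the proxy then cannot resolve the hostname.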