RE: [proxy-suite] Chroot feature on proxy-suite
Hi, Marius and all,

I have another question. When I compiled proxy-suite, I enabled TCP Wrapper. Since Solaris 9 comes with TCP Wrapper, I used the TCP Wrapper from the OS. I used the configure utility of proxy-suite:

$ cd proxy-suite source directory
$ ./configure --prefix=/opt/ftp-proxy --sysconfdir=/etc --enable-warnings --enable-so-linger --with-libwrap=/usr/sfw/lib --with-libldap=/usr/lib --with-crypt=/usr/lib

In the /etc/hosts.allow, I have a line:

ftp-proxy: IPaddress1, IPaddress2, IPaddress3

In the ftp-proxy.conf file, I removed the comment from the line "TCPWrapperName ftp-proxy" and removed the comment from the line "TCPWrapper yes". Also I enabled "AllowMagicUser" and "AllowTransProxy".

I tried to ftp to the box from my HP-UX workstation, whose IP address is not in the /etc/hosts.allow file (I don't have a /etc/hosts.deny file on the ftp proxy server).

$ ftp ftp-proxy.liz.com
Connected to ftp-proxy.liz.com
220 ftp-proxy FTP server (Version 1.9 - 2002/05/02 15:14:55) ready.
Name (HP workstation:ryan): anonymous@ftp.netscape.com
331 Password required for anonymous.
Password:
...

My question is: is my ftp proxy server supposed to reject the connection from my HP-UX workstation? As a matter of fact, when I tried to start ftp-proxy as a standalone daemon with the TCP Wrapper library not in my library path, it said it can't find libwrap.so.1 and refused to start, so I guess ftp-proxy needs the TCP Wrapper library to start.

I tested this without chroot enabled. I would like to use TCP Wrapper with chroot enabled.

Thanks in advance.

Ryan Jiang
Liz Claiborne, Inc.
(201) 295-7171

-----Original Message-----
From: Marius Tomaschewski [mailto:mt@suse.de]
Sent: Monday, July 22, 2002 8:39 AM
To: proxy-suite@suse.com
Cc: Ruiyuan Jiang
Subject: Re: [proxy-suite] Chroot feature on proxy-suite

On Fri, Jul 19, 2002 at 12:52:46PM -0400, Ruiyuan Jiang wrote:
Hi, all
I would like to use chroot() feature for proxy-suite (Sun Blade 100, Solaris 9). Under /var/proxy-suite/rundir, I created directories dev, etc, usr. I linked /dev/null to null in the dev directory.
No, a link can't work - use mknod instead and create a real $ServerRoot/dev/null device.
I copied /usr/lib/libc.so to usr/lib directory and copied /etc/passwd and group files to etc subdirectory.
Make sure there are no real passwords. You can also create dummy files instead, i.e.

$ServerRoot/etc/passwd:
root:*:0:0:root:/:/bin/false
ftp-proxy:*:5000:5000:proxy user:/:/bin/false

$ServerRoot/etc/group:
root:*:0:root
ftp-proxy:*:5000:

or specify the User and Group as UID/GID numbers in the ftp-proxy.conf...
I tried to start ftp-proxy standalone and I got a message:
# ./ftp-proxy
ftp-proxy [9278] <07/19-16:13:13> TECH-ERR can't write config file into chroot
I tried to create a var/run directory under /var/proxy-suite/rundir for the pid file and var/log under /var/proxy-suite/rundir for the log file, but I got the same message when I tried to start the daemon. Does anyone know which config file it is? Thanks in advance.
The proxy writes its config into the chroot if it is not there,
to be able to reload it on SIGHUP.
Copy your /etc/proxy-suite/ftp-proxy.conf into the chroot as well.
Another solution is to make the config directory in the chroot
$ServerRoot/etc/proxy-suite/
writeable to the user the proxy runs as... But this is not needed
if you copy the config yourself.
Gruesse,
Marius Tomaschewski
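The question above (whether a client whose address is not in /etc/hosts.allow should be refused) can be reasoned about offline against the order hosts_access(5) applies: hosts.allow is consulted first and a match grants; then hosts.deny, where a match denies; a client matching neither file is granted. The script below is an added example, not part of this thread or of proxy-suite; it re-implements only that decision order for the simplest rule form ("daemon_list : client_list" with exact tokens and ALL), on constructed sample files with documentation-range placeholder addresses, to make the effect of having no hosts.deny visible. The daemon name in.telnetd and the file names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the proxy-suite thread or source tree: a
# minimal emulation of the hosts_access(5) decision order, so the effect
# of a hosts.allow with no hosts.deny can be reasoned about offline.
# Only the simplest rule form is handled: "daemon_list : client_list",
# with comma/space separated exact tokens and the ALL wildcard. Real
# libwrap also knows EXCEPT, netmasks, domain suffixes, KNOWN/UNKNOWN,
# PARANOID and shell commands; use tcpdmatch or the real daemon for the
# authoritative answer.

# list_has TOKEN LIST: succeed if LIST (comma/space separated) contains
# TOKEN or the ALL wildcard.
list_has() {
    for t in $(printf '%s\n' "$2" | tr ',' ' '); do
        if [ "$t" = ALL ] || [ "$t" = "$1" ]; then return 0; fi
    done
    return 1
}

# file_matches DAEMON CLIENT FILE: succeed if any rule in FILE matches.
# A missing or unreadable file matches nothing, which is exactly the
# situation inside a chroot that the file was never copied into.
file_matches() {
    daemon=$1 client=$2 file=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}
        rest=${line#*:}
        clist=${rest%%:*}                     # ignore an optional command field
        if list_has "$daemon" "$dlist" && list_has "$client" "$clist"; then
            return 0
        fi
    done < "$file"
    return 1
}

# hosts_access DAEMON CLIENT ALLOW_FILE DENY_FILE: print the decision in
# tcpd's order: a hosts.allow match grants, then a hosts.deny match
# denies, and a client matching neither file is granted by default.
hosts_access() {
    if file_matches "$1" "$2" "$3"; then echo granted
    elif file_matches "$1" "$2" "$4"; then echo denied
    else echo granted
    fi
}

# Constructed sample configuration mirroring the one in the thread: three
# permitted addresses in hosts.allow and, initially, no hosts.deny at all.
# The addresses are documentation-range placeholders, not the poster's.
DEMO=${TMPDIR:-/tmp}/hosts_access_demo.$$
mkdir -p "$DEMO"
cat > "$DEMO/hosts.allow" <<'EOF'
# constructed for this example
ftp-proxy: 192.0.2.10, 192.0.2.11, 192.0.2.12
EOF
# A catch-all deny file: with it in place, anything not listed in
# hosts.allow is refused instead of falling through to the default.
printf 'ftp-proxy: ALL\n' > "$DEMO/hosts.deny"

unlisted_no_deny()   { hosts_access ftp-proxy 192.0.2.99 "$DEMO/hosts.allow" "$DEMO/missing"; }
unlisted_with_deny() { hosts_access ftp-proxy 192.0.2.99 "$DEMO/hosts.allow" "$DEMO/hosts.deny"; }
listed_with_deny()   { hosts_access ftp-proxy 192.0.2.11 "$DEMO/hosts.allow" "$DEMO/hosts.deny"; }
other_daemon()       { hosts_access in.telnetd 192.0.2.99 "$DEMO/hosts.allow" "$DEMO/hosts.deny"; }

if [ "${1-}" = show ]; then
    echo "unlisted client, no hosts.deny:     $(unlisted_no_deny)"
    echo "unlisted client, 'ftp-proxy: ALL':  $(unlisted_with_deny)"
    echo "listed client,   'ftp-proxy: ALL':  $(listed_with_deny)"
    echo "other daemon,    'ftp-proxy: ALL':  $(other_daemon)"
    rm -rf "$DEMO"
fi
```

Run it with `sh hosts_access_demo.sh show`. The first line is the case from the thread: with no hosts.deny present, an address missing from hosts.allow is still granted, because the allow file only ever adds permissions. A hosts.deny line such as `ftp-proxy: ALL` is what turns the allow list into a whitelist, and note that it only applies to the daemon name given in TCPWrapperName; other daemons fall through to the default unless they have their own rule.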
On Mon, Jul 22, 2002 at 04:53:29PM -0400, Ruiyuan Jiang wrote:
Hi, Marius and all
I have another question. When I compiled proxy-suite, I enabled TCP Wrapper. Since Solaris 9 comes with TCP Wrapper, I used the TCP Wrapper from the OS. I used the configure utility of proxy-suite:

$ cd proxy-suite source directory
$ ./configure --prefix=/opt/ftp-proxy --sysconfdir=/etc --enable-warnings --enable-so-linger --with-libwrap=/usr/sfw/lib --with-libldap=/usr/lib --with-crypt=/usr/lib

In the /etc/hosts.allow, I have a line:

ftp-proxy: IPaddress1, IPaddress2, IPaddress3

In the ftp-proxy.conf file, I removed the comment from the line "TCPWrapperName ftp-proxy" and removed the comment from the line "TCPWrapper yes". Also I enabled "AllowMagicUser" and "AllowTransProxy".

I tried to ftp to the box from my HP-UX workstation, whose IP address is not in the /etc/hosts.allow file (I don't have a /etc/hosts.deny file on the ftp proxy server).

$ ftp ftp-proxy.liz.com
Connected to ftp-proxy.liz.com
220 ftp-proxy FTP server (Version 1.9 - 2002/05/02 15:14:55) ready.
Name (HP workstation:ryan): anonymous@ftp.netscape.com
331 Password required for anonymous.
Password:
...

My question is: is my ftp proxy server supposed to reject the connection from my HP-UX workstation? As a matter of fact, when I tried to start ftp-proxy as a standalone daemon with the TCP Wrapper library not in my library path, it said it can't find libwrap.so.1 and refused to start, so I guess ftp-proxy needs the TCP Wrapper library to start.
You have to copy libwrap.so.1 as well as /etc/hosts.{deny,allow}
into the chroot.
The proxy can't access any files from outside of the chroot...
You may use the trace utilities (like strace, ptrace, ltrace
or whatever they are called on the system) to see what fails.
Gruesse,
Marius Tomaschewski
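The chroot layout the two replies above arrive at (a real /dev/null made with mknod rather than a link, passwd and group files carrying no real password hashes, the config file copied inside so a SIGHUP reload can find it, and libwrap.so.1 plus /etc/hosts.allow and /etc/hosts.deny copied inside because the proxy cannot read anything outside the jail) can be built and verified with a script like the one below. It is an added example, not from the thread and not part of proxy-suite's own tooling. The ServerRoot, config path and libwrap directory are assumptions taken from the poster's configure line and messages; the install path /opt/ftp-proxy/sbin/ftp-proxy, the UID/GID 5000 and the use of ldd to enumerate libraries are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread or from proxy-suite's own tooling:
# populate and verify a chroot for ftp-proxy along the lines of the
# replies above (a real /dev/null made with mknod, passwd/group entries
# without password hashes, the config file, libwrap and hosts.allow/
# hosts.deny all copied inside). All paths are assumptions taken from
# the poster's configure line and the ServerRoot in the thread; adjust
# to your build. Run as root: "sh build_chroot.sh build" or "... check".

ROOT=${ROOT:-/var/proxy-suite/rundir}                 # ServerRoot
CONF=${CONF:-/etc/proxy-suite/ftp-proxy.conf}         # --sysconfdir=/etc
LIBWRAP_DIR=${LIBWRAP_DIR:-/usr/sfw/lib}              # --with-libwrap
BIN=${BIN:-/opt/ftp-proxy/sbin/ftp-proxy}             # assumed install path
PROXY_UID=${PROXY_UID:-5000}
PROXY_GID=${PROXY_GID:-5000}

# write_accounts ROOT UID GID: dummy passwd/group with '*' in the password
# field, as suggested in the thread. The live /etc/passwd and /etc/shadow
# must never be copied into the chroot.
write_accounts() {
    root=$1 uid=$2 gid=$3
    mkdir -p "$root/etc"
    printf 'root:*:0:0:root:/:/bin/false\nftp-proxy:*:%s:%s:proxy user:/:/bin/false\n' \
        "$uid" "$gid" > "$root/etc/passwd"
    printf 'root:*:0:root\nftp-proxy:*:%s:\n' "$gid" > "$root/etc/group"
    chmod 644 "$root/etc/passwd" "$root/etc/group"
}

# copy_libs ROOT BINARY: copy every shared object ldd resolves for BINARY
# to the same path under ROOT. The "name => /path" output form is shared
# by Solaris and GNU ldd; ldd does not list the runtime linker itself.
copy_libs() {
    root=$1 bin=$2
    ldd "$bin" | while read -r name arrow path rest; do
        [ "$arrow" = "=>" ] || continue
        case $path in
            /*) mkdir -p "$root$(dirname "$path")" && cp -p "$path" "$root$path" ;;
            *)  echo "unresolved: $name" >&2 ;;
        esac
    done
}

# check_chroot ROOT: report every required item that is missing or wrong;
# return 1 if anything was reported. A symlink to /dev/null is rejected
# explicitly: it points outside the jail and dangles after chroot().
check_chroot() {
    root=$1 bad=0
    if [ -L "$root/dev/null" ]; then
        echo "dev/null is a symlink, not a device node"; bad=1
    elif [ ! -c "$root/dev/null" ]; then
        echo "dev/null missing (create with mknod, major/minor of /dev/null)"; bad=1
    fi
    for f in etc/passwd etc/group etc/hosts.allow etc/hosts.deny \
             "${CONF#/}" "${LIBWRAP_DIR#/}/libwrap.so.1"; do
        [ -f "$root/$f" ] || { echo "$f missing"; bad=1; }
    done
    # any second field other than '*' or 'x' is a real hash that leaked in
    hashes=$(awk -F: '$2 != "*" && $2 != "x" && $2 != "" {print $1}' \
             "$root/etc/passwd" 2>/dev/null) || true
    [ -z "$hashes" ] || { echo "etc/passwd carries password hashes for: $hashes"; bad=1; }
    return $bad
}

# build_chroot ROOT: create the layout the thread arrives at, then check it.
build_chroot() {
    root=$1
    mkdir -p "$root/dev" "$root/etc" "$root/var/run" "$root/var/log"
    if [ ! -c "$root/dev/null" ]; then
        rm -f "$root/dev/null"                  # replace any symlink
        set -- $(ls -lL /dev/null)              # "... root sys 13,  2 ..."
        mknod "$root/dev/null" c "${5%,}" "$6"  # major/minor of the real node
        chmod 666 "$root/dev/null"
    fi
    write_accounts "$root" "$PROXY_UID" "$PROXY_GID"
    mkdir -p "$root$(dirname "$CONF")"
    cp -p "$CONF" "$root$CONF"                  # so a SIGHUP reload finds it
    cp -p /etc/hosts.allow "$root/etc/"
    [ -f /etc/hosts.deny ] && cp -p /etc/hosts.deny "$root/etc/"
    copy_libs "$root" "$BIN"
    check_chroot "$root"
}

case ${1-} in
    build) build_chroot "$ROOT" ;;
    check) check_chroot "$ROOT" ;;
esac
```

`check` is the part worth running after every change to the jail: it refuses a symlinked /dev/null, lists each file the thread says must be inside, and flags any passwd entry whose password field is not `*` or `x`, which catches a copied system file before the proxy is started. If the proxy still fails after `check` passes, the truss/strace approach from the reply above (look for the failing open() or stat() path) is the next step.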