Hi,
I am playing around with ftp-proxy from SuSE 7.0, fwproxys-1.7-12.
The standard features work fine, I like configurable options like
"ValidCommands" ;-)
If ftp-proxy works in inet-mode, a file "LogDestination" like
/var/log/ftp-proxy.log would be overwritten after every start of a new
ftp-proxy process.
ServerRoot doesn't work with the SuSE 7.0 environment. SuSE installs
a directory /var/ftp-proxy/rundir (empty), the ftp-proxy is statically
linked.
The error message is:
TECH-ERR can't chroot to '/var/ftp-proxy/rundir'
(errno=1 [Operation not permitted])
The permissions on the chroot directory are
drwxr-x--- root root 1024 Jul 29 21:41 /var/ftp-proxy/rundir
I'm using User=ftpproxy and Group=nogroup, so I tried
chown ftpproxy.nogroup /var/ftp-proxy/rundir
but it doesn't work. I don't know exactly how chroot works. Can somebody
here explain how it should work?
It would also be nice if SuSE could ship an rpm package which works in a
chroot environment by default.
At least an idea: if ftp-proxy would recognize '%' as an '@' in an
AllowMagicUser case, we can use the url
ftp://<user>%ftp.suse.com@proxy-in.mydomain:<port>/
with browsers like netscape (as an alternative way to transparent proxy).
--
On Thu, Aug 31, 2000 at 04:33:08PM +0200, Wolfgang Barth wrote:
> Hi,
Hi!
> I am playing around with ftp-proxy from SuSE 7.0, fwproxys-1.7-12.
> The standard features work fine, I like configurable options like "ValidCommands" ;-)
> If ftp-proxy works in inet-mode, a file "LogDestination" like /var/log/ftp-proxy.log would be overwritten after every start of a new ftp-proxy process.
Yes, I don't like this either ;-)
> ServerRoot doesn't work with the SuSE 7.0 environment. SuSE installs a directory /var/ftp-proxy/rundir (empty), the ftp-proxy is statically linked.
It is not really possible to link a glibc binary statically (see below). You have to put the following files/dirs into your chroot:

# find . | xargs ls -ld
drwxr-xr-x 8 bin     ftp-int    149 Aug 13 20:04 .
drwxr-xr-x 2 bin     ftp-int     35 Aug 13 20:04 ./bin
drwxr-xr-x 2 bin     ftp-int     74 Aug 28 19:57 ./dev
srw-rw-rw- 1 root    root         0 Aug 28 19:57 ./dev/log
crw-rw-rw- 1 bin     ftp-int   1, 3 Jun  9 17:18 ./dev/null
drwxr-xr-x 3 bin     ftp-int    236 Aug 28 19:00 ./etc
-rw-r--r-- 1 bin     ftp-int    242 Jun  9 17:15 ./etc/host.conf
-rw-r--r-- 1 bin     ftp-int    801 Aug 28 00:50 ./etc/hosts
-rw-r--r-- 1 root    root        63 Aug 28 19:00 ./etc/ld.so.cache
-rw-r--r-- 1 bin     ftp-int    755 Mar 11 09:36 ./etc/localtime
-rw-r--r-- 1 bin     ftp-int   1339 Jan  3  2000 ./etc/protocols
drwxr-xr-x 2 bin     ftp-int     66 Aug 28 19:00 ./etc/proxy-suite
-rw-r--r-- 1 bin     ftp-int  11351 Aug 13 20:02 ./etc/proxy-suite/ftp-proxy.conf
-rw-r--r-- 1 bin     ftp-int    265 Jun  9 17:15 ./etc/resolv.conf
-rw-r--r-- 1 bin     ftp-int 208274 Mar 13 16:42 ./etc/services
drwxr-xr-x 2 bin     ftp-int     65 Aug 13 20:04 ./lib
-rwxr-xr-x 1 bin     ftp-int 162506 Mar 11 09:35 ./lib/libresolv.so.2
drwxr-xr-x 3 bin     ftp-int     55 Aug 13 20:04 ./usr
drwxr-xr-x 2 bin     ftp-int     61 Aug 13 20:06 ./usr/sbin
-rwxr-xr-x 1 bin     ftp-int 497348 Aug 13 20:05 ./usr/sbin/ftp-proxy
drwxr-xr-x 3 bin     ftp-int     54 Aug 13 20:04 ./var
drwxrwxr-x 2 ftp-int ftp-int     64 Aug 28 19:00 ./var/run
-rw-r--r-- 1 root    ftp-int      4 Aug 28 19:00 ./var/run/ftp-proxy.pid

I use it in this way with compartment (it is on 7.0 in the "a" series, I mean) and start it as a daemon:

proxy_config=/etc/proxy-suite/ftp-proxy.conf
PATH="/bin:/sbin:/usr/bin:/usr/sbin" \
/usr/sbin/compartment --fork \
    --group ftp-int --cap CAP_NET_BIND_SERVICE --chroot /var/chroot/ftp-intern \
    /usr/sbin/ftp-proxy -f $proxy_config

In this way it runs as "root:ftp-int" but with dropped root privileges, so it can only bind a port < 1024 (it can not overwrite files, because they are owned by bin here).
You also have to add a syslog socket - in this case /var/chroot/ftp-intern/dev/null if you log via syslog - or give write permissions to the directory it logs to.

The chroot is similar if you use the ServerRoot, User and Group directives in the ftp-proxy.conf... In this case you also have to put the /lib/libnss* stuff and /etc/nsswitch.conf into the chroot, otherwise it can't resolve the user/group... IMHO this should be:

-rwxr-xr-x 1 bin squid  342427 Mar 11 09:36 ld-linux.so.2
-rwxr-xr-x 1 bin squid 4061504 Mar 11 09:34 libc.so.6
-rwxr-xr-x 1 bin squid   60988 Mar 11 09:35 libcrypt.so.1
-rwxr-xr-x 1 bin squid   71846 Mar 11 09:36 libdl.so.2
-rwxr-xr-x 1 bin squid  525197 Mar 11 09:35 libm.so.6
-rwxr-xr-x 1 bin squid  369801 Mar 11 09:35 libnsl.so.1
-rwxr-xr-x 1 bin squid  215569 Mar 11 09:36 libnss_compat.so.2
-rwxr-xr-x 1 bin squid  193097 Mar 11 09:35 libnss_db.so.2
-rwxr-xr-x 1 bin squid   63453 Mar 11 09:35 libnss_dns.so.2
-rwxr-xr-x 1 bin squid   63782 Mar 11 09:35 libnss_dns6.so.2
-rwxr-xr-x 1 bin squid  235932 Mar 11 09:35 libnss_files.so.2
-rwxr-xr-x 1 bin squid   70290 Mar 11 09:36 libnss_hesiod.so.2
-rwxr-xr-x 1 bin squid  254023 Mar 11 09:35 libnss_nis.so.2
-rwxr-xr-x 1 bin squid  256465 Mar 11 09:36 libnss_nisplus.so.2
-rwxr-xr-x 1 bin squid   31449 Mar 11 09:06 libpam.so.0
-rwxr-xr-x 1 bin squid  162506 Mar 11 09:35 libresolv.so.2

this is from my squid chroot ;-)
> The error message is: TECH-ERR can't chroot to '/var/ftp-proxy/rundir' (errno=1 [Operation not permitted])
> The permissions on the chroot directory are drwxr-x--- root root 1024 Jul 29 21:41 /var/ftp-proxy/rundir
> I'm using User=ftpproxy and Group=nogroup, so I tried chown ftpproxy.nogroup /var/ftp-proxy/rundir but it doesn't work. I don't know exactly how chroot works. Can somebody here explain how it should work?
> It would also be nice if SuSE could ship an rpm package which works in a chroot environment by default.
Hmm... send me a mail when we are doing the 7.1 CDs so I do not forget to do it :-)
> At least an idea: if ftp-proxy would recognize '%' as an '@' in an AllowMagicUser case, we can use the url
> ftp://<user>%ftp.suse.com@proxy-in.mydomain:<port>/
> with browsers like netscape (as an alternative way to transparent proxy).
This should be a good idea...
Volker: what do you think about it?
I mean, we can implement this without breaking the current
way - simply check if there is a %, if not @ is used...
Gruesse,
Marius Tomaschewski
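The chroot question raised in the first message ("I don't know exactly how chroot works") and the privilege-dropping setup described in the reply (compartment chrooting the proxy and then dropping root) share one mechanism, shown here as an added example in C; it is not part of the thread and not the code of ftp-proxy, compartment or the proxy-suite package. chroot(2) succeeds only for a process that still holds root (CAP_SYS_CHROOT on Linux), so errno=1 [Operation not permitted] on a directory that exists means the calling process did not have that privilege at the moment of the call; directory ownership does not grant it, which is why the chown to the service user changed nothing. The function below performs the steps in the order that actually closes the jail: chroot while still root, chdir("/") so the working directory is inside the new root, drop supplementary groups and gid before uid, uid last, then verify root cannot be regained. The uid/gid values and the directory argument are placeholders supplied on the command line.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of one attempt to enter a chroot and drop privileges. */
struct chroot_result {
    const char *failed_step;  /* name of the syscall that failed, NULL if all succeeded */
    int err;                  /* errno of that syscall, 0 on success */
};

static struct chroot_result fail_at(const char *step)
{
    struct chroot_result r = { step, errno };
    return r;
}

/*
 * Jail the calling process in `dir` and switch to uid/gid, in the order
 * that works:
 *   1. chroot() while still privileged: it needs root (CAP_SYS_CHROOT on
 *      Linux); an unprivileged caller gets EPERM even on a directory it owns.
 *   2. chdir("/") so the working directory is inside the new root; otherwise
 *      the process keeps a directory handle that lies outside the jail.
 *   3. setgroups()/setgid() before setuid(): once the uid is unprivileged
 *      the group changes are refused.
 *   4. setuid() last, then confirm that root cannot be regained.
 * Returns which step failed (NULL on success) together with its errno.
 */
struct chroot_result enter_chroot(const char *dir, uid_t uid, gid_t gid)
{
    struct chroot_result ok = { NULL, 0 };

    if (chroot(dir) != 0)
        return fail_at("chroot");
    if (chdir("/") != 0)
        return fail_at("chdir");
    if (setgroups(1, &gid) != 0)
        return fail_at("setgroups");
    if (setgid(gid) != 0)
        return fail_at("setgid");
    if (setuid(uid) != 0)
        return fail_at("setuid");
    /* Dropping to a non-root uid must be irreversible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return fail_at("privilege-drop check");
    }
    return ok;
}

/* Render the outcome in the style of the TECH-ERR line quoted in the thread. */
int format_chroot_result(const struct chroot_result *r, const char *dir,
                         char *buf, size_t len)
{
    if (r->failed_step == NULL)
        return snprintf(buf, len, "entered chroot '%s'", dir);
    if (strcmp(r->failed_step, "chroot") == 0)
        return snprintf(buf, len, "TECH-ERR can't chroot to '%s' (errno=%d [%s])",
                        dir, r->err, strerror(r->err));
    return snprintf(buf, len, "TECH-ERR %s failed after chroot to '%s' (errno=%d [%s])",
                    r->failed_step, dir, r->err, strerror(r->err));
}

/* Usage: ./chroot-demo [dir [uid gid]]. Without arguments the current uid/gid
 * are kept and the directory is "/", a harmless dry run: as root it succeeds,
 * as an ordinary user it reproduces the EPERM seen in the thread. */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/";
    uid_t uid = argc > 3 ? (uid_t)atoi(argv[2]) : getuid();   /* placeholder ids */
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[3]) : getgid();
    char msg[256];

    struct chroot_result r = enter_chroot(dir, uid, gid);
    format_chroot_result(&r, dir, msg, sizeof msg);
    puts(msg);
    return r.failed_step == NULL ? 0 : 1;
}
```

Run as an unprivileged user the program fails at the chroot step with errno 1, exactly the message in the thread, regardless of who owns the directory; run as root it passes that step and the later steps decide whether the privilege drop held. A daemon that reports this error from inetd or after an early setuid therefore needs to be started as root (or under a wrapper such as compartment) and drop privileges only after the chroot, not to have its rundir chowned.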