running ftp daemon in chrooted jail - how?
Hi list,

Anyone point me to a good doc on how to set up ftp daemon in a chrooted environment.

(I am running SuSE 8.1 which comes with the BSD FTP daemon ftpd-0.3.2-333 ... should I use this or would something like ProFTP be more 'secure'?)

Many thanks,
Michael
On Tuesday 22 April 2003 13.48, Michael Ryan wrote:
Anyone point me to a good doc on how to set up ftp daemon in a chrooted environment.
Sorry, no docs, but I'm using a chrooted pureftpd (www.purefptd.org) alongside a chrooted apache webserver (publishing users' web sites), but it should work with the majority of ftp servers. Just create a chroot directory containing all libs and other necessary files used by your server (ldd the executable) and run

/usr/bin/chroot /chrootdir /path/to/ftpserver

Alongside your chrooted server you should try the grsecurity kernel patch (www.grsecurity.org) to enforce your chroot a bit more. The problem, at least with pureftp, is that you might double chroot, but that's up to you.

/Thomas
--
thomas@northernsecurity.net
thomas@se.linux.org
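As an added example (not code from anyone on the thread), a POSIX shell script that does what Thomas describes: it resolves the daemon's shared libraries with ldd, copies them into the jail under their original paths, and checks that nothing is missing before the server is started with chroot. The jail path, the server path and the extra directories created are assumptions; adjust them for your server.

```shell
#!/bin/sh
# Build a minimal chroot jail for a daemon: copy the executable plus every
# shared library ldd(1) reports, then check that nothing is missing.
set -eu

# Parse ldd output from stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; vdso entries without a path and
# "statically linked" / "not a dynamic executable" produce nothing.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//              { print $1 }'
}

# Copy one file into the jail under the same absolute path.
# Usage: install_into_jail /jail /abs/path/to/file
install_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Populate the jail with the daemon and its libraries.
# Usage: build_jail /chrootdir /path/to/ftpserver   (paths are assumptions)
build_jail() {
    jail=$1; exe=$2
    install_into_jail "$jail" "$exe"
    ldd "$exe" | ldd_paths | while read -r lib; do
        install_into_jail "$jail" "$lib"
    done
    # Directories most daemons expect; add /etc files (passwd, group,
    # resolv.conf) and /dev nodes only as your server actually needs them.
    mkdir -p "$jail/etc" "$jail/dev" "$jail/tmp"
    chmod 1777 "$jail/tmp"
}

# Exit non-zero if any library ldd reports is absent from the jail.
verify_jail() {
    jail=$1; exe=$2
    ldd "$exe" | ldd_paths | while read -r lib; do
        [ -f "$jail$lib" ] || { echo "missing in jail: $lib" >&2; exit 1; }
    done
}

# Usage (assumed paths): build_jail /chrootdir /path/to/ftpserver &&
#   verify_jail /chrootdir /path/to/ftpserver &&
#   /usr/bin/chroot /chrootdir /path/to/ftpserver
```

Run verify_jail again after every library upgrade on the host, since the copies inside the jail do not follow the package manager.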
Anyone point me to a good doc on how to set up ftp daemon in a chrooted environment.
Sorry, no docs, but I'm using a chrooted pureftpd (www.purefptd.org) alongside a chrooted apache webserver (publishing users' web sites), but it should work with the majority of ftp servers. Just create a chroot directory containing all libs and other necessary files used by your server (ldd the executable) and run /usr/bin/chroot /chrootdir /path/to/ftpserver
Hm, pureftpd is fine, but vsftpd is much easier to set up.

Benefits:
- chrooted environment
- users can have their own chroot jail for their home directory
- fast
- bandwidth manipulation
- small
- no known vulnerabilities

Howto:
- change to an install directory or your home directory
- wget ftp://vsftpd.beasts.org/users/cevans/vsftpd-1.1.3.tar.gz
- tar xvfz vsftpd-1.1.3.tar.gz
- cd vsftpd-1.1.3
- edit "builddefs.h" with your favourite editor (if needed)
- make
- make install
- edit /etc/vsftpd.conf
- add the following line to /etc/inetd.conf (for xinetd look at the example in the EXAMPLE/INTERNET_SITE dir):
  ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/vsftpd
- if you use PAM for authentication, copy the PAM config for ftp (example in the RedHat dir):
  cp RedHat/vsftpd.pam /etc/pam.d/ftp
- type rcinetd restart (rcxinetd restart) to activate ftp
Alongside your chrooted server you should try the grsecurity kernel patch (www.grsecurity.org) to enforce your chroot a bit more. The problem, at least with pureftp, is that you might double chroot, but that's up to you.
Or you use kernel capabilities to steal root's rights on files or whatever to secure things a little bit more.

Philippe
On Tuesday, 22 April 2003 13:48, Michael Ryan wrote:
Hi list,
Anyone point me to a good doc on how to set up ftp daemon in a chrooted environment.
(I am running SuSE 8.1 which comes with the BSD FTP daemon ftpd-0.3.2-333 ... should I use this or would something like ProFTP be more 'secure'?)
Use ProFTP and check out its documentation, IIRC it runs chroot by default.
Many thanks,
Michael
Regards,
Michael
Hi,

You should use the package vsftp. It's a really good ftp server with chroot environment.

Greetings
H.-W. von Husen

-----Original Message-----
From: Michael Ryan [mailto:ryanm3@eircom.net]
Sent: Tuesday, 22 April 2003 13:49
To: suse-security@suse.com
Subject: [suse-security] running ftp daemon in chrooted jail - how?

Hi list,

Anyone point me to a good doc on how to set up ftp daemon in a chrooted environment.

(I am running SuSE 8.1 which comes with the BSD FTP daemon ftpd-0.3.2-333 ... should I use this or would something like ProFTP be more 'secure'?)

Many thanks,
Michael

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here

Ikarus GuardNT has scanned this e-mail for viruses and trojans. Nothing suspicious found. No attachments found.
-------------------------------------------------------
participants (5)
-
hw.vonhusen@t-online.de
-
Michael Karges
-
Michael Ryan
-
Philippe Vogel
-
Thomas Sjögren