RE: [opensuse] Restricting a user to one directory for FTP access

-----Original Message-----
From: John Meyer [mailto:pueblonative@opensuse.us]
Sent: Saturday, May 10, 2008 9:15 PM
To: opensuse@opensuse.org
Subject: [opensuse] Restricting a user to one directory for FTP access

I had a friend who's a novice on Linux ask me about this so I'm looking for a solution that is relatively simple.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Have the ftp service you're using chroot the logins. I use proftp and setting up chroot is a one line option in its config file.

<snip>
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
<snip>

Best,

~James

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Sat, May 10, 2008 at 10:10 PM, James D. Parra
> Have the ftp service you're using chroot the logins. I use proftp and setting up chroot is a one line option in its config file.

Chroot is not that hard to break out of. But I do concur on Proftpd, it is very configurable and easily handles this type of restriction.

--
----------JSA---------
James D. Parra wrote:
> -----Original Message-----
> From: John Meyer [mailto:pueblonative@opensuse.us]
> Sent: Saturday, May 10, 2008 9:15 PM
> To: opensuse@opensuse.org
> Subject: [opensuse] Restricting a user to one directory for FTP access
>
> I had a friend who's a novice on Linux ask me about this so I'm looking for a solution that is relatively simple.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Have the ftp service you're using chroot the logins. I use proftp and setting up chroot is a one line option in its config file.
>
> <snip>
> # To cause every FTP user to be "jailed" (chrooted) into their home
> # directory, uncomment this line.
> DefaultRoot ~
> <snip>

Of course, if that's done, the user won't be able to do much, as he won't be able to access any executables that aren't in that jail.

--
Use OpenOffice.org
http://www.openoffice.org
On Sunday 11 May 2008 13:53:14 James Knott wrote:
>> <snip>
>> # To cause every FTP user to be "jailed" (chrooted) into their home
>> # directory, uncomment this line.
>> DefaultRoot ~
>> <snip>
>
> Of course, if that's done, the user won't be able to do much, as he won't be able to access any executables that aren't in that jail.

Accessing executables? Breaking out of chroot?

What exactly do you and John do with your ftp servers?

Breaking out of a chroot jail is fairly easy, yes, if you're root and have a shell prompt. It's not that easy (or indeed possible) through an ftp client.

And I have never seen any need to access executables through an ftp client, unless I was trying to download them, in which case they should simply be copied to the ftp directory.

Anders
Anders Johansson wrote:
> On Sunday 11 May 2008 13:53:14 James Knott wrote:
>>> <snip>
>>> # To cause every FTP user to be "jailed" (chrooted) into their home
>>> # directory, uncomment this line.
>>> DefaultRoot ~
>>> <snip>
>>
>> Of course, if that's done, the user won't be able to do much, as he won't be able to access any executables that aren't in that jail.
>
> Accessing executables? Breaking out of chroot?
>
> What exactly do you and John do with your ftp servers?
>
> Breaking out of a chroot jail is fairly easy, yes, if you're root and have a shell prompt. It's not that easy (or indeed possible) through an ftp client.
>
> And I have never seen any need to access executables through an ftp client, unless I was trying to download them, in which case they should simply be copied to the ftp directory.
>
> Anders

Was ftp mentioned by the OP? I don't recall seeing it, but I don't have that message any more. This is why I was trying to clarify what, precisely, he wanted to do.

--
Use OpenOffice.org
http://www.openoffice.org
On Monday 12 May 2008 03:44:40 James Knott wrote:
> Anders Johansson wrote:
>> On Sunday 11 May 2008 13:53:14 James Knott wrote:
>>>> <snip>
>>>> # To cause every FTP user to be "jailed" (chrooted) into their home
>>>> # directory, uncomment this line.
>>>> DefaultRoot ~
>>>> <snip>
>>>
>>> Of course, if that's done, the user won't be able to do much, as he won't be able to access any executables that aren't in that jail.
>>
>> Accessing executables? Breaking out of chroot?
>>
>> What exactly do you and John do with your ftp servers?
>>
>> Breaking out of a chroot jail is fairly easy, yes, if you're root and have a shell prompt. It's not that easy (or indeed possible) through an ftp client.
>>
>> And I have never seen any need to access executables through an ftp client, unless I was trying to download them, in which case they should simply be copied to the ftp directory.
>>
>> Anders
>
> Was ftp mentioned by the OP? I don't recall seeing it, but I don't have that message any more. This is why I was trying to clarify what, precisely, he wanted to do.

The subject of the mail is a bit of a giveaway :)

Anders
Anders Johansson wrote:
> On Monday 12 May 2008 03:44:40 James Knott wrote:
>> Anders Johansson wrote:
>>> On Sunday 11 May 2008 13:53:14 James Knott wrote:
>>>>> <snip>
>>>>> # To cause every FTP user to be "jailed" (chrooted) into their home
>>>>> # directory, uncomment this line.
>>>>> DefaultRoot ~
>>>>> <snip>
>>>>
>>>> Of course, if that's done, the user won't be able to do much, as he won't be able to access any executables that aren't in that jail.
>>>
>>> Accessing executables? Breaking out of chroot?
>>>
>>> What exactly do you and John do with your ftp servers?
>>>
>>> Breaking out of a chroot jail is fairly easy, yes, if you're root and have a shell prompt. It's not that easy (or indeed possible) through an ftp client.
>>>
>>> And I have never seen any need to access executables through an ftp client, unless I was trying to download them, in which case they should simply be copied to the ftp directory.
>>>
>>> Anders
>>
>> Was ftp mentioned by the OP? I don't recall seeing it, but I don't have that message any more. This is why I was trying to clarify what, precisely, he wanted to do.
>
> The subject of the mail is a bit of a giveaway :)
>
> Anders

That subject is so long the end is not displayed in my email app, including the part about FTP.

--
Use OpenOffice.org
http://www.openoffice.org
Anders Johansson wrote:
> On Sunday 11 May 2008 13:53:14 James Knott wrote:
>>> <snip>
>>> # To cause every FTP user to be "jailed" (chrooted) into their home
>>> # directory, uncomment this line.
>>> DefaultRoot ~
>>> <snip>
>>
>> Of course, if that's done, the user won't be able to do much, as he won't be able to access any executables that aren't in that jail.
>
> Accessing executables? Breaking out of chroot?
>
> What exactly do you and John do with your ftp servers?
>
> Breaking out of a chroot jail is fairly easy, yes, if you're root and have a shell prompt. It's not that easy (or indeed possible) through an ftp client.
>
> And I have never seen any need to access executables through an ftp client, unless I was trying to download them, in which case they should simply be copied to the ftp directory.

If you're root and have shell access you are the admin of the system and don't need any help to screw with the system. If I remember correctly, root login via ftp is disabled by default. That is a Good Thing considering that the root password would be submitted unencrypted.

Under reasonable circumstances (user is not root, has no shell access, is limited to chroot directory, system is up-to-date) breaking out of an ftp chroot should be impossible.

--
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
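As an added example (not code from anyone in this thread), the following POSIX shell script turns the conditions above, together with the `DefaultRoot ~` directive from James's proftpd config earlier in the thread, into checks a list admin can run before exposing an account over FTP: the account is not UID 0, it has no interactive shell, the daemon is configured to jail logins, and root login is not switched on. The passwd entries and the proftpd.conf fragments are constructed sample strings so the script runs offline; `RootLogin` is a real proftpd directive whose default is off. The "system is up-to-date" condition cannot be judged from these inputs and is left to the package manager.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Checks the conditions
# Sandy lists for a safe FTP chroot (user is not root, has no login shell,
# the daemon jails logins) against a passwd-style entry and a proftpd config
# fragment passed in as strings, so it runs offline. In real use, feed it
# `getent passwd "$user"` and the contents of proftpd.conf.

# Shells that refuse an interactive login.
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false"

# passwd_field ENTRY N: print colon-separated field N (1-based) of ENTRY.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# is_not_root ENTRY: succeed if the numeric UID is not 0.
is_not_root() {
    [ "$(passwd_field "$1" 3)" != "0" ]
}

# has_no_shell ENTRY: succeed if the login shell is one of NOLOGIN_SHELLS.
has_no_shell() {
    shell=$(passwd_field "$1" 7)
    for s in $NOLOGIN_SHELLS; do
        [ "$shell" = "$s" ] && return 0
    done
    return 1
}

# config_chroots CONF: succeed if CONF has an active (uncommented)
# "DefaultRoot ~" line, the proftpd directive that jails each login in $HOME.
config_chroots() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*DefaultRoot[[:space:]]+~'
}

# config_denies_root CONF: succeed unless CONF switches proftpd's RootLogin
# directive on (its default is off, so an absent line counts as denied).
config_denies_root() {
    ! printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*RootLogin[[:space:]]+on[[:space:]]*$'
}

# audit_ftp_account ENTRY CONF: print one line per check; succeed only if
# every check passes.
audit_ftp_account() {
    rc=0
    user=$(passwd_field "$1" 1)
    if is_not_root "$1";        then echo "$user: ok   uid is not 0";          else echo "$user: FAIL uid is 0"; rc=1; fi
    if has_no_shell "$1";       then echo "$user: ok   no login shell";        else echo "$user: FAIL has an interactive shell"; rc=1; fi
    if config_chroots "$2";     then echo "$user: ok   DefaultRoot ~ active";  else echo "$user: FAIL DefaultRoot ~ missing or commented"; rc=1; fi
    if config_denies_root "$2"; then echo "$user: ok   root login denied";     else echo "$user: FAIL RootLogin on"; rc=1; fi
    return $rc
}

# Constructed sample inputs (not taken from a real system).
GOOD_ENTRY='ftpguest:x:1005:1005:FTP only:/srv/ftp/ftpguest:/sbin/nologin'
BAD_ENTRY='shelluser:x:1006:1006::/home/shelluser:/bin/bash'
GOOD_CONF='# jail every login in its home directory
DefaultRoot ~
RootLogin off'
BAD_CONF='#DefaultRoot ~
RootLogin on'

audit_ftp_account "$GOOD_ENTRY" "$GOOD_CONF"
audit_ftp_account "$BAD_ENTRY" "$BAD_CONF" || echo "shelluser: do not expose over FTP as-is"
```

The shell check only tells you the account cannot log in interactively through the system; it says nothing about whether the FTP daemon itself executes anything inside the jail, which is a property of the daemon rather than of the account.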
The Monday 2008-05-12 at 03:34 +0200, Anders Johansson wrote:

...

> And I have never seen any need to access executables through an ftp client, unless I was trying to download them, in which case they should simply be copied to the ftp directory.

Some ftp servers put some binaries in the served tree, like /bin/ls, because when the ftp client wants to do an ls, it really searches and executes, remotely, the /bin/ls program.

This practice has been deprecated by other more secure servers, which use an internal "ls" program instead, and do not need nor use a server /bin tree.

And not only ls.

I think there even was a shell there - there is! Just type "!" and you get a shell inside the ftp (local or remote I do not know; I think local).

--
Cheers,
Carlos E. R.
>> And I have never seen any need to access executables through an ftp client, unless I was trying to download them, in which case they should simply be copied to the ftp directory.
>
> Some ftp servers put some binaries in the served tree, like /bin/ls, because when the ftp client wants to do an ls, it really searches and executes, remotely, the /bin/ls program.
>
> This practice has been deprecated by other more secure servers, which use an internal "ls" program instead, and do not need nor use a server /bin tree.
>
> And not only ls.
>
> I think there even was a shell there - there is! Just type "!" and you get a shell inside the ftp (local or remote I do not know; I think local).

The FTP daemon chroots and drops root once the user has logged in. At that time, it no longer has access to the /bin/ls in the real root, so it needs one in the chroot jail to get directory listings. It executes it, sure, but not at any "please execute this" instruction from the client.
The Tuesday 2008-05-13 at 08:12 +1200, Philip Dowie wrote:
>> Some ftp servers put some binaries in the served tree, like /bin/ls, because when the ftp client wants to do an ls, it really searches and executes, remotely, the /bin/ls program.
>>
>> This practice has been deprecated by other more secure servers, which use an internal "ls" program instead, and do not need nor use a server /bin tree.
>>
>> And not only ls.
>>
>> I think there even was a shell there - there is! Just type "!" and you get a shell inside the ftp (local or remote I do not know; I think local).
>
> The FTP daemon chroots and drops root once the user has logged in. At that time, it no longer has access to the /bin/ls in the real root, so it needs one in the chroot jail to get directory listings. It executes it, sure, but not at any "please execute this" instruction from the client.

As I say, that's the old style. The vsftpd daemon doesn't do it: you can remove the /bin directory completely from the server path and it works fine. I don't even have that directory:

nimrodel:~ # l /srv/ftp/
total 20
drwxr-xr-x 3 root root 4096 Sep 22  2007 ./
drwxr-xr-x 4 root root 4096 May  6 21:56 ../
-rw-r--r-- 1 root root  174 Feb 12  2006 hello
-rw-r--r-- 1 root root  173 Feb 12  2006 hello~
drwxr-xr-x 4 root root 4096 Oct 21  2005 pub/

--
Cheers,
Carlos E. R.
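The two layouts Philip and Carlos describe, an old-style jail that carries its own bin/ls and a vsftpd-style served tree with nothing executable in it, are easy to tell apart on disk. The script below is an added example, not code from anyone in this thread or from vsftpd: it inventories executable files under a served tree and flags a bin/ directory, so an admin can confirm that a jail for a daemon with a built-in "ls" really holds data only. The two trees it inspects are constructed under a temporary directory purely for the demonstration.

```shell
#!/bin/sh
# Added example, not from the list thread or from any FTP daemon's code.
# Inventory what is executable inside an FTP served tree. An old-style daemon
# needs a copy of /bin/ls (and its libraries) inside the jail; vsftpd and
# other servers with an internal "ls" do not, so for those anything
# executable under the tree is a leftover worth explaining.

# chroot_executables DIR: list regular files under DIR with the owner
# execute bit set (octal 0100).
chroot_executables() {
    find "$1" -type f -perm -100 2>/dev/null
}

# has_jail_bin DIR: succeed if DIR contains a bin/ subdirectory, the
# old-style jail layout.
has_jail_bin() {
    [ -d "$1/bin" ]
}

# count_chroot_executables DIR: print the number of executables under DIR.
count_chroot_executables() {
    chroot_executables "$1" | wc -l | tr -d '[:space:]'
}

# audit_served_tree DIR: print a short report; succeed only when the tree
# holds no executables and no bin/ directory, i.e. it looks like a data-only
# vsftpd-style served tree.
audit_served_tree() {
    dir=$1
    n=$(count_chroot_executables "$dir")
    if has_jail_bin "$dir"; then
        echo "$dir: has bin/ (old-style jail layout)"
    fi
    if [ "$n" -eq 0 ]; then
        echo "$dir: no executables found"
    else
        echo "$dir: $n executable file(s):"
        chroot_executables "$dir" | sed 's/^/  /'
    fi
    [ "$n" -eq 0 ] && ! has_jail_bin "$dir"
}

# make_demo_trees: build two constructed trees under a fresh temp directory,
# one vsftpd-style (data only) and one old-style (a bin/ls copied in), and
# print the temp directory's path.
make_demo_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/pub" "$root/oldstyle/bin" "$root/oldstyle/pub"
    echo hello > "$root/clean/hello"
    echo hello > "$root/oldstyle/hello"
    printf '#!/bin/sh\necho fake ls\n' > "$root/oldstyle/bin/ls"
    chmod 755 "$root/oldstyle/bin/ls"
    echo "$root"
}

DEMO=$(make_demo_trees)
audit_served_tree "$DEMO/clean"
audit_served_tree "$DEMO/oldstyle" || echo "$DEMO/oldstyle: not a data-only served tree"
rm -rf "$DEMO"
```

On a real server you would call `audit_served_tree /srv/ftp` (or whatever the daemon's root is) instead of the constructed trees; a non-zero exit with an old-style daemon is expected, while with vsftpd it means something was copied into the tree that the daemon itself does not need.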
On Mon, 12 May 2008 16:31:59 +0200, Carlos E. R. wrote:
> I think there even was a shell there - there is! Just type "!" and you get a shell inside the ftp (local or remote I do not know; I think local).

Yes, it is on the local machine, not the one running the ftpd.

Jim
participants (8)
- Anders Johansson
- Carlos E. R.
- James D. Parra
- James Knott
- Jim Henderson
- John Andersen
- Philip Dowie
- Sandy Drobic