Anyone point me to a good doc on how to set up ftp daemon in a chrooted environment.
sorry, no docs, but i'm using a chrooted pureftpd (www.pureftpd.org) alongside a chrooted apache webserver (publishing users' web sites) but it should work with the majority of ftp servers. just create a chroot-directory containing all libs and other necessary files used by your server (ldd the executable) and run /usr/bin/chroot /chrootdir /path/to/ftpserver
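A script of the kind the post above describes, added here as an example (not code from the thread or from any of the FTP servers mentioned): it copies the daemon and every library that ldd reports into the jail directory. It assumes glibc-style ldd output and that the jail path and daemon path are given as the two arguments.

```shell
#!/bin/sh
# Build a minimal chroot jail for a daemon from the executable's ldd output.
# Assumed usage (example only): ./mkjail.sh /chrootdir /usr/local/sbin/vsftpd

# Print the absolute library paths found in ldd output read from stdin.
# ldd prints three line shapes; only the first two name real files:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)
#   linux-vdso.so.1 (0x...)   <- kernel-provided, no file, skipped
# A "=> not found" line is reported on stderr so a broken jail is noticed.
ldd_paths() {
    awk '
        /=> not found/     { print "missing: " $1 > "/dev/stderr"; next }
        /=>/ && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//         { print $1 }
    '
}

# Copy one file into the jail under the same path, creating directories.
# Symlinks are resolved so the jail holds the real object, not a dangling link.
jail_copy() {
    jail="$1"; src="$2"
    real=$(readlink -f "$src")
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$real" "$jail$src"
}

# Populate the jail with the daemon and its shared libraries.
# Note: ldd only lists link-time dependencies; files the daemon opens at
# runtime (nss modules, /etc/passwd, /dev/null, config files) must be
# added separately. Keep the jail root-owned and free of writable
# directories that also allow execution, and let the daemon drop root
# after chroot(): chroot alone is not a boundary for a root process.
build_jail() {
    jail="$1"; daemon="$2"
    jail_copy "$jail" "$daemon"
    ldd "$daemon" | ldd_paths | while read -r lib; do
        jail_copy "$jail" "$lib"
    done
    mkdir -p "$jail/etc" "$jail/dev"
}

if [ -n "$2" ]; then
    build_jail "$1" "$2"
fi
```

After building, run /usr/bin/chroot on the jail with the daemon and check the logs for the files it still fails to open.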
Hm, pureftpd is fine, but vsftpd is much easier to set up.

Benefits:
- chrooted environment
- users can have their own chroot jail for their home directory
- fast
- bandwidth manipulation
- small
- no known vulnerabilities

Howto:
1. change to an install directory or your home directory
2. wget ftp://vsftpd.beasts.org/users/cevans/vsftpd-1.1.3.tar.gz
3. tar xvfz vsftpd-1.1.3.tar.gz
4. cd vsftpd-1.1.3
5. edit "builddefs.h" with your favourite editor (if needed)
6. make
7. make install
8. edit /etc/vsftpd.conf
9. add the following line to /etc/inetd.conf (for xinetd look at the example in the EXAMPLE/INTERNET_SITE dir):
   ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/vsftpd
10. if you use pam for authentication, copy the pam config for ftp (example in the RedHat dir):
   cp RedHat/vsftpd.pam /etc/pam.d/ftp
11. type rcinetd restart (rcxinetd restart) to activate ftp
alongside your chrooted server you should try the grsecurity kernel patch (www.grsecurity.org) to enforce your chroot a bit more. the problem, at least with pureftp, is that you might double chroot but that's up to you.
Or you use kernel capabilities to steal root's rights on files or whatever to secure things a little bit more. Philippe