Re: [ILUG] Restricted account w/ftpd

From: Rob Hill (robhill at domain indigo.ie)
Date: Mon 23 Aug 1999 - 16:21:28 IST


Paul Jakma wrote:

>
> (thomas: still love to know how you do that individual chroot thing on your
> ftp server) :)

Here's how I do it anyway...... I don't know where I got this doc, though...

rob..
<start>

From: Michael Brennen <mbrennen at domain fni.com>
Subject: wu-ftpd guest accounts

There are three kinds of FTP logins that wu-ftpd provides:

  1: anonymous FTP
  2: real FTP
  3: guest FTP

Anonymous FTP is well known; one logs in with the username 'anonymous'
and an email type password.

Real FTP is when someone logs in with a real username and password and
has access to the entire disk structure. This form of access can be
extremely dangerous to system security and should be avoided unless
absolutely necessary and well controlled.

Guest FTP is a form of real FTP; one logs in with a real user name and
password, but the user is chroot'ed to his home directory and cannot
escape from it. This is much safer, and it is a useful way for remote
clients to maintain their Web accounts.

If you want to learn more about 'chroot', the following command
should help, as should any good Unix text.

man chroot

There may be different man pages in sections 1, 2 and 8 (or others,
perhaps) depending on your operating system: chroot(2) is the system
call ftpd makes, chroot(1) or chroot(8) the command-line wrapper.
('man # chroot' selects a section.)

This howto will describe in detail the steps necessary to set up a
guest FTP account. It does not describe anonymous or real FTP setup,
though the procedures for setting up an operational 'ls' command will
apply equally to anonymous FTP because of the chroot'ed nature of
anonymous FTP.

***********************************************************************

The working example here will be as if it were a directory under a Web
tree, /home/web. The Web account will be maintained remotely by FTP.
The remote user is Mortimer. Mortimer's account name is "mort", group
"client".

(Yes, there is some droll humor here for the French speakers...)

1. Create Mort's entry in /etc/passwd and /etc/group. Do so manually,
   or use adduser or whatever your Unix supports. If you use adduser,
   you will probably have to make manual modifications to get the /./
   information in the home path.
   
   There are also entries to make in /etc/ftpaccess.

/etc/passwd:
mort:*:403:400:Mortimer Snerd:/home/web/mort/./:/etc/ftponly
                                            ^^^
   The /./ sequence marks where the chroot() is done: ftpd chroot()s to
   the part of the path before it and chdir()s to the part after it,
   so the entry above jails mort in /home/web/mort. If you want the
   chroot() done to the web directory and a chdir() to mort, it would
   look like this:

mort:*:403:400:Mortimer Snerd:/home/web/./mort/:/etc/ftponly
                                       ^^^

   With that form the jail root is /home/web, so mort can list every
   other client's directory under it (and read whatever their
   permissions allow); use it only when that is intended.

   --------> (make sure "/etc/ftponly" is in /etc/shells: ftpd refuses a
              login whose shell is not listed there. /etc/ftponly itself
              should be a program that does nothing but exit, so the
              account cannot be used for telnet or rlogin; it is listed
              in /etc/shells only to satisfy ftpd's check.)

/etc/group:
client::400:mort

Set Mort's password as you wish, or better yet use S/KEY.

If you are using the Beta version of ftpd (HIGHLY RECOMMENDED) that
Stan Barber has put together, you must do one of two things to properly
use /etc/ftpaccess:

1) compile the source to use /etc/ftpaccess by default (comes turned off);
    hack the source to set use_accessfile = 1;

OR

2) run the daemon with the -a option.

/etc/ftpaccess:
class local real,guest,anonymous ......
... ^^^^^
... +----------- define 'guest' in the proper classes;
... this is site dependent.
...
...
delete no anonymous,guest # delete permission?
overwrite no anonymous,guest # overwrite permission?
rename no anonymous,guest # rename permission?
chmod no anonymous,guest # chmod permission?
umask no anonymous,guest # umask permission?
... ^^^^^
... +------ decide if guest should be in this
... permission list; this is site dependent.
...
...
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
...
guestgroup client
...

2. Create Mort's home directory and set its ownership and protections.

mkdir /home/web/mort

chown mort.client /home/web/mort

chmod 755 /home/web/mort

3. Build the directory structure under Mort's account.
   Create the /etc, /lib, and any other directory you need
   in the directory that the chroot() is done into.

cd /home/web/mort

mkdir etc bin [dev lib] (dev and lib are optional and are OS dependent.)

chown root.daemon etc bin

chmod 111 etc bin

4. Build the contents of the ~/bin directory.

NOTE WELL: if you cannot see the directory contents after you login
as the guest user, the 'ls' program that you installed is not working.
If you use an 'ls' linked for dynamic libraries, and you do not have
the required libraries and/or devices installed properly in the guest
tree, 'ls' will not work and you will not see the contents of the
guest directory.

This is the single most frequently asked question on the wu-ftpd list.
Repeating: if you cannot see the contents of the directory, your
installed 'ls' is not working. The proper installation procedures for
'ls' vary by operating system. There are some OS specific notes at the
bottom of this howto that may be of help.

USE STATIC LINKED COPIES OF ALL UTILITIES IF POSSIBLE.

You may get the source to build your own static 'ls' by downloading the
GNU fileutils source package from <ftp://ftp.gnu.org/pub/gnu/>.

cp /.../bin/ls bin
chown root.bin bin/ls
chmod 111 bin/ls

Optional for on the fly compression and tar:

cp /.../bin/gzip bin
cp /.../bin/tar bin
chown root.bin bin/gzip
chown root.bin bin/tar
chmod 111 bin/gzip
chmod 111 bin/tar

If the utilities are not static, create the necessary devices in ~/dev and
copy the necessary libraries into ~/lib. Check the man page for ftpd that
comes with your system; it may be of help.

REGARDING HARD AND SOFT/SYMBOLIC LINKS:

The chroot() obviates the use of soft links in this case: the kernel
resolves a symbolic link's target relative to the process's root, so a
link in ~/bin pointing at /bin/ls resolves, inside the jail, to the
jail's own /bin/ls (the link itself) and fails. A hard link back to the
master copy of each utility does work, because it names the same inode
directly rather than a path. This can save some disk space if that is
a concern, with two caveats: the jail and the master copy must be on
the same filesystem, and an upgrade that replaces the master binary
with a new file leaves the hard link pointing at the old one.

5. Build the contents of the ~/etc directory.

   These are not copies of the system files. The jailed 'ls' reads
   them only to turn uids and gids into names, so they carry a '*' in
   the password field, and nothing else from the real /etc/passwd (and
   never /etc/shadow) should go into them: authentication happens
   against the system /etc/passwd before the chroot() is done.

Edit "passwd" to contain the following:

root:*:0:0::/:/etc/ftponly
mort:*:403:400::/home/web/mort/./:/etc/ftponly

Edit "group" to contain the following:

root::0:root
client::400:mort

chown root.daemon passwd group

chmod 444 passwd group

6. Add some extra security touches

cd /home/web/mort
touch .rhosts .forward
chown root.root .rhosts .forward
chmod 400 .rhosts .forward

   These two filenames are honoured by other services (rlogind/rshd
   read ~/.rhosts, the mailer reads ~/.forward), so an uploaded copy
   could turn a file-drop account into a login or command-execution
   path. Owning them by root with mode 400 means a guest upload cannot
   overwrite them. Note that mort owns the directory itself, so at the
   filesystem level he could still unlink a root-owned file in it; it
   is the "delete", "rename" and "overwrite" restrictions on the guest
   class in /etc/ftpaccess that actually close that door.

You should now be the proud owner of a working guest group FTP login.
Connect to the machine via FTP and login as "mort". You should end up in
Mort's account with a current directory of "/" (with the /home/web/./mort/
form of the passwd entry it is "/mort" instead), 'ls' should show the
directory contents, and "cd .." and "cd /" should stay inside the jail.

If not, go over it carefully again, as there is a lot of detail here. If
you still can't get it to work, yell for help on wu-ftpd at domain wugate.wustl.edu.
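The whole of steps 1 through 6 as one script, added here as an example; it is not part of the howto or of the wu-ftpd distribution. It uses the howto's hypothetical mort/client/403/400 names and the /home/web/mort path, creates the OS-independent pieces (~/etc, ~/bin, the jail passwd and group, the .rhosts/.forward guards) and shows how the /./ marker is split into the chroot() and chdir() targets. It does not populate ~/bin, since that part is OS dependent (see the notes below), and it does not touch the real /etc/passwd or /etc/ftpaccess.

```shell
#!/bin/sh
# Added example, not part of the howto: builds the guest skeleton of
# steps 1-6 for one account. The names are the howto's hypothetical
# ones (mort/403, client/400, /home/web/mort); substitute your own.
# Run it as root on the real machine. When run unprivileged it still
# lays out the tree (handy for checking the result in a scratch
# directory) but skips the chown calls, which only root can make.

set -u

# Split a passwd home field on the "/./" marker. ftpd chroot()s to the
# part before the marker and then chdir()s to the part after it.
ftp_chroot_dir() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     printf '%s\n' "${1%/}" ;;
    esac
}

ftp_chdir_dir() {
    case "$1" in
        */./*) rest=${1#*/./}; printf '/%s\n' "${rest%/}" ;;
        *)     printf '/\n' ;;
    esac
}

# build_guest_tree ROOT USER UID GROUP GID HOMEFIELD
build_guest_tree() {
    root=$1 user=$2 uid=$3 group=$4 gid=$5 home=$6

    mkdir -p "$root/etc" "$root/bin"

    # Jail copies of passwd/group: read only by the jailed 'ls' to turn
    # uid/gid into names. The '*' password field is deliberate; the real
    # authentication happened against the system /etc/passwd before the
    # chroot(), so nothing in here must be usable as a credential.
    printf 'root:*:0:0::/:/etc/ftponly\n%s:*:%s:%s::%s:/etc/ftponly\n' \
        "$user" "$uid" "$gid" "$home" > "$root/etc/passwd"
    printf 'root::0:root\n%s::%s:%s\n' "$group" "$gid" "$user" > "$root/etc/group"

    # Pre-create the two files other daemons would honour if the guest
    # could upload them (step 6).
    : > "$root/.rhosts"
    : > "$root/.forward"

    chmod 444 "$root/etc/passwd" "$root/etc/group"
    chmod 400 "$root/.rhosts" "$root/.forward"
    chmod 111 "$root/etc" "$root/bin"
    chmod 755 "$root"

    # Numeric ids so this works before the account exists on this box.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid:$gid" "$root"
        chown 0:0 "$root/etc" "$root/bin" "$root/etc/passwd" \
            "$root/etc/group" "$root/.rhosts" "$root/.forward"
    else
        echo "not root: chown skipped; etc, bin, .rhosts, .forward must be root-owned" >&2
    fi
}

# Usage: sh guestjail.sh /home/web/mort mort 403 client 400 /home/web/mort/./
case $# in
    6) build_guest_tree "$@"
       echo "chroot: $(ftp_chroot_dir "$6")  cwd after login: $(ftp_chdir_dir "$6")" ;;
esac
```

Run it once into a fresh directory: a second run fails on the now read-only ~/etc, which is the point of the permissions. The chown calls use numeric ids so they work even on a machine where the account has not been created yet, and they are skipped when not root so the layout can be dry-run into a scratch directory.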

**************************************************************************

OS DEPENDENCIES / QUIRKS

LINUX:

  Linux does not need a ~/dev dir. It does need the ~/lib dir if the
  utilities in ~/bin are dynamically linked.

  Use the 'ldd' command to find out what libraries are necessary for a given
  dynamically linked utility; copy each one to the same absolute path
  under the guest tree (the dynamic loader, ld.so, is opened by the
  absolute name embedded in the binary, so its location is not negotiable).
  Check the result the way the Solaris note below does with truss: run
  'chroot ~mort /bin/ls' as root and, if it fails, run it under 'strace -f'.
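An added example for the Linux case; it is not from the howto, and the ldd output format and the choice of /bin/ls are assumptions. It parses ldd's output, copies the binary and every library it names into the guest tree at their original absolute paths, and lists anything still missing, which is the usual answer to the "ls shows nothing" question above.

```shell
#!/bin/sh
# Added example, not from the howto: fills the jail with a dynamically
# linked binary and the libraries ldd reports for it, then lists what is
# still missing. Assumes the ldd output format of glibc/musl, e.g.
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f...)
#   /lib64/ld-linux-x86-64.so.2 (0x00007f...)
# and that /bin/ls on the build host is the one you want in the jail.
# Library paths are kept as-is under ROOT: the loader is opened by its
# absolute name, so ROOT/lib64 vs ROOT/lib is dictated by the binary.

set -u

# Read ldd output on stdin, print one absolute library path per line.
# Handles "name => /path (addr)" and the bare "/path (addr)" loader line;
# skips "not found" entries and pathless lines such as the vdso.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# missing_libs ROOT BIN: libraries BIN needs that do not exist under ROOT.
missing_libs() {
    ldd "$2" | ldd_paths | while read -r lib; do
        [ -e "$1$lib" ] || printf '%s\n' "$lib"
    done
}

# install_with_libs ROOT BIN: copy BIN to ROOT/bin and each library to its
# original path under ROOT, execute-only / read-only, root-owned when root.
install_with_libs() {
    root=$1 bin=$2
    mkdir -p "$root/bin"
    cp "$bin" "$root/bin/"
    chmod 111 "$root/bin/$(basename "$bin")"
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$root/bin/$(basename "$bin")"; fi
    ldd "$bin" | ldd_paths | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"          # cp follows symlinks: a real file lands in the jail
        chmod 555 "$root$lib"
        if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$root$lib"; fi
    done
}

# Usage: sh jaillibs.sh /home/web/mort /bin/ls
if [ $# -eq 2 ]; then
    install_with_libs "$1" "$2"
    left=$(missing_libs "$1" "$2")
    if [ -n "$left" ]; then
        echo "still missing under $1:"; echo "$left"
    fi
    if [ "$(id -u)" -eq 0 ]; then
        # The real check, as the Solaris note does with truss: run the
        # jailed copy under chroot. 'strace -f' shows what it opens if it fails.
        chroot "$1" "/bin/$(basename "$2")" -l /
    fi
fi
```

Static binaries (ldd reports "not a dynamic executable" or "statically linked") produce an empty library list and need nothing beyond the copy, which is why the howto recommends them.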

SOLARIS:

  Solaris can't handle SETPROCTITLE, so turn the compile time option off.

  (The following was culled from a post by Tom Leach to the wu-ftpd list.)

>For people who are having problems with ls -al and dir on solaris 2.x
>systems, you might try the following to find out what's missing...

>truss -f chroot ~ftp /bin/ls

>This will run the ls command in the same chroot'd environment that
>anonymous FTP runs in. The truss will show you what
>files/libraries/devices are accessed and where the ls is looking for them.

>Tom Leach
>leach at domain oce.orst.edu

SOLARIS 2.6:

  Contents of ~ftp/usr/lib
  Solaris expects to find the libraries in ~ftp/usr/lib , not in ~ftp/lib
  Copy the following libraries out of /usr/lib into ~ftp/usr/lib
  Also, I'm not sure that intl and w are necessary.
  ld.so
  ld.so.1
  libc.so.1
  libdl.so.1
  libintl.so (can be a symlink to libintl.so.1)
  libintl.so.1
  libw.so.1

  Contents of ~ftp/dev:
  Create "zero" and "tcp" entries. Check your existing /dev/zero and
  /dev/tcp to make sure that these major and minor numbers are correct
  for your system, then use "mknod" to create the device files in ~ftp/dev
  mknod zero c 11 42
  mknod tcp c 13 12

  The above notes are gratefully acknowledged from
  Gregor Mosheh <gregor at domain novoironlight.com>

SUN 4.1.x:

  Create a ~dev/zero and ~dev/tcp device for the FTP directory as follows.
  Run the following 'ls' command, then create the devices in the ~/dev
  directory with the 'mknod' command, using the major and minor numbers
  from the 'ls' results (thanks to Jim Davis <jdavis at domain cs.arizona.edu>).

  ls -lL /dev/zero /dev/tcp
  cd dev
  mknod zero c <major> <minor>
  mknod tcp c <major> <minor>
  cd ..
  chmod 555 dev

  You may also wish to use the following method to create the device,
  per Ian Willis <ianw.sco.com>; repeat this command for each device
  (zero, tcp, etc.).

  find /dev/zero -print | cpio -pd ~ftp

  Also, you probably need the following shared libraries:
  ~lib/ld.so
  ~lib/libc.so
  ~lib/libdl.so

BSDI:

  Set 555 protections on the ~ftp/shlib and its contents if shared
  libraries are used.

  From Darci Chapman (dchapmax at domain preview.jf.intel.com):

  The following directories and files need to be created in whatever
  directory/ies are being chrooted to (~ftp for anon ftp or for whatever
  directory guest users are chrooted):

  dr-xr-xr-x root/wheel 0 Nov 3 01:43 1995 bin/
  -r-xr-xr-x root/wheel 12288 Nov 3 01:43 1995 bin/compress
  -r-xr-xr-x root/wheel 45056 Nov 3 01:43 1995 bin/gzip
  -r-xr-xr-x root/wheel 12288 Nov 3 01:43 1995 bin/ls
  -r-xr-xr-x root/wheel 65536 Nov 3 01:43 1995 bin/pax
  dr-xr-xr-x root/wheel 0 Nov 3 01:43 1995 etc/
  -r--r--r-- root/wheel 793 Nov 3 01:43 1995 etc/group
  -r--r--r-- root/wheel 817 Nov 3 01:43 1995 etc/localtime
  -r--r--r-- root/wheel 40960 Nov 3 01:43 1995 etc/pwd.db
  dr-xr-xr-x root/wheel 0 Feb 3 12:34 1995 pub/
  dr-xr-xr-x root/wheel 0 Nov 3 01:43 1995 shlib/
  -r-xr-xr-x root/wheel 298407 Nov 3 01:43 1995 shlib/libc_s.2.0

IRIX (5.3, 6.x)

 from frans stekelenburg <gjs at domain knmi.nl>:

 (as in SUN 4.1.x, but without /dev/tcp)

 Create a ~dev/zero device for the FTP directory as follows. (tip:
 search on 'dev/zero' in your IRIX systems' Online Books.)
 Run the following 'ls' command, then create the devices in the ~/dev
 directory with the 'mknod' command, using the major and minor numbers
 from the 'ls' results (thanks to Jim Davis <jdavis at domain cs.arizona.edu>).

 ls -lL /dev/zero
 cd dev
 mknod zero c <major> <minor>
 cd ..
 chmod 555 dev

 You may also wish to use the following method to create the device,
 per Ian Willis <ianw.sco.com>; repeat this command for each device
 (zero, tcp, etc.).

 find /dev/zero -print | cpio -pd ~ftp

 Also, you probably need the following shared libraries:
 ~lib/rld
 ~lib/libc.so.1
 (found in /lib)

 Also read the manpages on FTPD, or look in the IRIX Insight Library
 (Online Books) in the book/chapter "IRIX Admin: Networking and Mail"
 for the paragraph 'How to Set Up a Proper Anonymous FTP Account'
 (search helps:-)) on your IRIX system.

AIX:

 Per Chuque Berry <chuque at domain ns2.tiba.net> and Joseph Matusiewicz
 <Joseph.Matusiewicz at domain noaa.gov>, AIX needs the following files for
 the external ls to work:

 ~lib/libc.a
 ~lib/libcurses.a (???)

SCO: (thanks to Brett Kropf <brett at domain kropf.com>)

 For the ls command to work with Guest Accounts on SCO Open Server 5.0.4,
 Technical Article http://www.sco.com/cgi-bin/ssl_reference?109467
 states that the following files are required:

 ~/lib/libprot.so.1
 ~/usr/lib/libc.so.1
 ~/usr/lib/libsocket.so.1

 
**************************************************************************

For extra tips on security see Christopher Klaus's FAQ:

http://www.iss.net/iss/faq.html

**************************************************************************

If you run across some special trick required to get guest access to run
on your OS, or some security cleanup, please let me know and I will update
the master of this document.

Don't contact me individually for help. Go through the wu-ftpd list for
that and I will see the post there.

Michael Brennen
mbrennen at domain fni.com

<fin>



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:04:29 GMT