Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!wang!uunet!in2.uu.net!salliemae!newsfeed.internetmci.com!in1.uu.net!news.cais.net!news.sci.dixie.edu!usenet
From: "Aaron D. Gifford" <agifford@infowest.com>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: chroot() question--please help
Date: Fri, 17 Nov 1995 20:48:56 -0700
Organization: InfoWest
Lines: 84
Message-ID: <30AD57A8.20F9@infowest.com>
References: <48en1l$8k3@interport.net>
Reply-To: agifford@infowest.com
NNTP-Posting-Host: uv.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 2.0b2 (Macintosh; I; PPC)
CC: David Tay <davidtay@interport.net>
I have a few ftp-only users on another system running wuftpd. This is the setup
I've used. Someone let me know if I am missing something obvious.
* I added a "fake" entry to /etc/shells called "/bin/null" because wuftpd
appears to refuse to let users in who don't have shells listed in
/etc/shells.
* I created a group called "ftponly" in /etc/group (I'll say GID 202 for this
example)
* Here's what the /etc/passwd entry looks like:
EXAMPLE:
joe:cYrPtEdPaSsWd:2053:202::0:0:Joe Chrooted:/home/ftponly/joe/./:/bin/null
(Actually, it's what "vipw" or /etc/master.passwd might show, since there
are no crypted passwords in my /etc/passwd.)
* I created an FTP-only home directory for the user (Say /home/ftponly/joe
for this example), owned by the FTP-only user and of the "ftponly" group.
EXAMPLE:
# ls -l /home/ftponly
total 1
drwxr-xr-x 5 joe ftponly 512 Nov 17 20:03 joe
* I created two subdirectories in /home/ftponly/joe, "bin" and "etc". I kept
bin and etc owned by root/wheel and mode 0555.
EXAMPLE:
# ls -l /home/ftponly/joe
total 2
dr-xr-xr-x 2 root wheel 512 Nov 17 20:05 bin
dr-xr-xr-x 2 root wheel 512 Nov 17 20:05 etc
* I copied a statically linked version of "ls" into /home/ftponly/joe/bin, owned
by root/wheel, mode 0555. I also created a /home/ftponly/joe/etc/group file
owned by root/wheel, mode 0444, that contained /etc/group entries for only
those groups that joe might encounter in his chrooted environment. In this
case, only the "wheel" and "ftponly" groups were present. This is what
/home/ftponly/joe/etc/group might look like:
EXAMPLE:
wheel:*:0:
ftponly:*:202:
* I then created a temporary file, /home/ftponly/joe/etc/passwd.tmp, and in
that file I put only two lines:
EXAMPLE:
root:*:0:0::0:0:System Administrator::
joe:*:2053:202::0:0:Joe Chrooted::
* Next, I CAREFULLY used the "pwd_mkdb" to create a pwd.db file in
/home/ftponly/joe/etc:
EXAMPLE:
# pwd_mkdb -d /home/ftponly/joe/etc /home/ftponly/joe/etc/passwd.tmp
# rm /home/ftponly/joe/etc/master.passwd /home/ftponly/joe/etc/spwd.db
# chmod 0444 /home/ftponly/joe/etc/pwd.db
# ls -l /home/ftponly/joe/etc
total 2
-r--r--r-- 1 root wheel 74 Nov 17 20:06 group
-r--r--r-- 1 root wheel 40960 Nov 17 20:10 pwd.db
The pwd_mkdb command renamed the passwd.tmp to master.passwd, and since
there was no reason for a master.passwd or spwd.db files in the chrooted
etc directory, that's why I removed them.
On the FreeBSD machine I used, the above pwd_mkdb worked, but on an older
BSD/OS 1.1 machine, I had to "cd" to the directory, then run pwd_mkdb
with the -d option but without the following directory parameter since
the BSDI 1.1 pwd_mkdb assumed the current working directory with the -d
option.
WARNING: pwd_mkdb CAN BE DANGEROUS when running as root if you aren't
careful about including the -d option, since it could trash your system's
/etc/master.passwd, /etc/pwd.db, and /etc/spwd.db files.
* I then edited wu-ftpd's config ftpaccess file, /etc/ftpaccess on the machine
I used. I added these four lines:
EXAMPLE:
# Joe Chrooted's FTP site:
upload /home/ftponly/joe * yes joe ftponly 644 dirs
upload /home/ftponly/joe /bin no
upload /home/ftponly/joe /etc no
* I then added a "guestgroup" line:
guestgroup ftponly
If a guestgroup line had already existed, I would only have needed to add
the "ftponly" group to the space-separated list of group names that wuftpd
treats as guests.
I think that's all I did. Perhaps it may help you. Did I miss anything?
Did I do anything obviously stupid?
--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--
Aaron D. Gifford InfoWest, 1845 W. Sunset Blvd, St. George, UT 84770
InfoWest Networking Phone: (801) 674-0165 FAX: (801) 673-9734
<agifford@infowest.com> Visit InfoWest at: "http://www.infowest.com/"
ICBM: 37.07847 N, 113.57858 W
"Southern Utah's Finest Network Connection"
--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--=+=--
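The steps above, collected into one script as an added example. This is not code from the original post and not part of wu-ftpd; it reproduces the post's layout (root-owned 0555 bin and etc, a static ls, a minimal etc/group, a passwd source with "*" in every password field, pwd_mkdb -d, and the ftpaccess lines) and adds an audit that a practitioner would want before opening the account: nothing under bin or etc writable by group or other, no set-id files inside the jail, no spwd.db or master.passwd left in the chroot, and no password hash in any text passwd file. The user name, UID, GID and paths are the post's example values; the function names, the STATIC_LS variable and the audit rules are assumptions of this example. Run as root on the FTP server it does the chowns; run as an ordinary user it builds the same tree in whatever directory you name and skips them, which is enough to see what the audit checks.

```shell
#!/bin/sh
# Added example, not code from the original post or from wu-ftpd: builds
# and audits the guest chroot tree described above.  User name, UID, GID,
# paths and modes are the post's example values; helper names are mine.
set -u

FTP_USER=${FTP_USER:-joe}
FTP_UID=${FTP_UID:-2053}
FTP_GROUP=${FTP_GROUP:-ftponly}
FTP_GID=${FTP_GID:-202}
# On the real server point this at a statically linked ls: inside the
# jail there are no shared libraries to load.
STATIC_LS=${STATIC_LS:-/bin/ls}

# build_ftp_chroot ROOT: create ROOT/bin, ROOT/etc, a 0555 ls, a minimal
# etc/group and the passwd.tmp source; on BSD run pwd_mkdb -d to build
# etc/pwd.db and drop the master.passwd/spwd.db it leaves behind.
build_ftp_chroot() {
    root=$1
    mkdir -p "$root/bin" "$root/etc" || return 1
    cp "$STATIC_LS" "$root/bin/ls" || return 1
    chmod 0555 "$root/bin/ls"
    # Only the groups the guest can meet inside the jail, no hashes.
    printf 'wheel:*:0:\n%s:*:%s:\n' "$FTP_GROUP" "$FTP_GID" > "$root/etc/group"
    chmod 0444 "$root/etc/group"
    # master.passwd format: '*' password, empty home and shell in the jail.
    {
        printf 'root:*:0:0::0:0:System Administrator::\n'
        printf '%s:*:%s:%s::0:0:%s Chrooted::\n' \
            "$FTP_USER" "$FTP_UID" "$FTP_GID" "$FTP_USER"
    } > "$root/etc/passwd.tmp"
    if command -v pwd_mkdb >/dev/null 2>&1; then
        # -d keeps pwd_mkdb away from the real /etc/master.passwd.
        pwd_mkdb -d "$root/etc" "$root/etc/passwd.tmp" || return 1
        rm -f "$root/etc/master.passwd" "$root/etc/spwd.db"
        chmod 0444 "$root/etc/pwd.db"
    fi
    # Lock bin and etc last, after they have been populated.
    chmod 0555 "$root/bin" "$root/etc"
    chmod 0755 "$root"
    if [ "$(id -u)" = 0 ]; then
        chown "$FTP_UID:$FTP_GID" "$root"
        chown -R 0:0 "$root/bin" "$root/etc"
    fi
}

# audit_ftp_chroot ROOT: 0 when the tree matches the layout above, 1 (with
# the reasons on stderr) when the guest could tamper with it.
audit_ftp_chroot() {
    root=$1; rc=0
    for d in "$root/bin" "$root/etc"; do
        [ -d "$d" ] || { echo "audit: missing $d" >&2; rc=1; }
    done
    [ "$rc" = 0 ] || return 1
    # Nothing under bin or etc may be group- or world-writable, or the
    # guest can swap ls or the password database for his own.
    bad=$(find "$root/bin" "$root/etc" \( -perm -0020 -o -perm -0002 \) -print)
    [ -z "$bad" ] || { echo "audit: writable by group/other: $bad" >&2; rc=1; }
    # No set-id binaries anywhere inside the jail.
    bad=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print)
    [ -z "$bad" ] || { echo "audit: set-id files: $bad" >&2; rc=1; }
    # The shadow database and its source do not belong in the jail.
    for f in "$root/etc/spwd.db" "$root/etc/master.passwd"; do
        [ ! -e "$f" ] || { echo "audit: $f should not exist" >&2; rc=1; }
    done
    # Any text passwd file left behind must have '*' in every password field.
    for f in "$root/etc/passwd.tmp" "$root/etc/passwd"; do
        [ -f "$f" ] || continue
        awk -F: 'BEGIN{bad=0} $2 != "*" {bad=1} END{exit bad}' "$f" \
            || { echo "audit: $f contains a password hash" >&2; rc=1; }
    done
    # Ownership can only be checked for real when the build ran as root.
    if [ "$(id -u)" = 0 ]; then
        for d in "$root/bin" "$root/etc"; do
            set -- $(ls -ldn "$d")
            [ "$3" = 0 ] || { echo "audit: $d not owned by root" >&2; rc=1; }
        done
    fi
    return $rc
}

# ftpaccess_lines ROOT: the ftpaccess lines the post adds for this user,
# ready to append to /etc/ftpaccess (merge the guestgroup line into an
# existing one if there already is one).
ftpaccess_lines() {
    root=$1
    printf '# %s: chrooted FTP site\n' "$FTP_USER"
    printf 'upload %s * yes %s %s 644 dirs\n' "$root" "$FTP_USER" "$FTP_GROUP"
    printf 'upload %s /bin no\n' "$root"
    printf 'upload %s /etc no\n' "$root"
    printf 'guestgroup %s\n' "$FTP_GROUP"
}

# Usage: sh mkftpchroot.sh /home/ftponly/joe   (as root on the FTP server)
if [ $# -gt 0 ]; then
    build_ftp_chroot "$1" && audit_ftp_chroot "$1" && ftpaccess_lines "$1"
fi
```

The audit deliberately checks mode bits rather than trusting ownership: a 0555 directory that root owns is what stops the guest from replacing bin/ls or etc/pwd.db, and the same find expression will also catch an upload rule that accidentally lets the guest write there. Adding the "/bin/null" entry to /etc/shells and the ftponly group to /etc/group are left to the administrator, as in the post.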