TCLUG Archive

Re: [TCLUG:15166] ftp and chroot problem



On Sat, Mar 25, 2000 at 10:03:38PM -0600, Jon V. Reuter wrote:

> I'm trying to allow some limited ftp access to a few users
> and restrict them to their home directory (i.e. chroot).

Good idea.
 
> Currently (without modifying the /etc/ftpaccess file) the users
> can view and download across the entire system.  When I put them
> into group "users" and add a "guestgroup users" to /etc/ftpaccess,
> it does the chroot to their home directory but it does not return
> any listing of the directory (although you can cd, put & get as
> long as you know the directory and file names).

You've essentially got two options:

Set up a ~/bin, ~/lib, and ~/etc in each person's chroot-ed home directory
with permissions set to (I think) 111 and ownership to "root:daemon".  The
bin directory will need to contain at a minimum 'ls' plus any other
executables you want them to have access to (tar, etc.).  The lib will
need whatever libs are required by whatever files you stuck in 'bin'.  The
necessary libs can be found by executing "ldd <file>".  For example, on my
RH 6.1 box:

[insyte@marvin insyte]$  ldd /bin/ls
        libc.so.6 => /lib/libc.so.6 (0x4000a000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

This would mean I would need copies of /lib/libc.so.6 and
/lib/ld-linux.so.2 in the /lib directory of my chrooted ftp directory.

There is some documentation on this whole deal on the wuftpd website.

The other (better) option is to just install BeroFTPd.  It fixes many
of the security vulnerabilities in wuftpd and, more relevant to this
discussion, builds in its own 'ls' command thus eliminating the need for
the /bin and /lib directories.

Good luck...

Ben

-- 
"There is no spoon"
	-- The Matrix
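
The first option in the reply above, written out as a script. This is an added example, not part of the original post or of wu-ftpd: the function names and the /home/someuser path are hypothetical, and the 111 mode and root:daemon ownership are the values the post suggests tentatively. It also handles newer ldd output (loader line without "=>", "not found" entries), which goes beyond the RH 6.1 sample shown.

```shell
#!/bin/sh
# Added example: populate the bin/lib/etc skeleton of a chroot-ed FTP home.

# Read `ldd` output on stdin and print each absolute library path once.
# Exit status is non-zero if any dependency is reported as "not found".
ldd_libs() {
    awk '
        $2 == "=>" && $3 == "not" { bad = 1; next }   # name => not found
        $2 == "=>" && $3 ~ /^\//  { if (!seen[$3]++) print $3; next }
        $1 ~ /^\//                { if (!seen[$1]++) print $1 }  # loader line, no "=>"
        END { exit bad + 0 }
    '
}

# usage (as root): populate_chroot /home/someuser /bin/ls /bin/tar
# /home/someuser is a placeholder for the guest user's chroot directory.
populate_chroot() {
    root=$1; shift
    mkdir -p "$root/bin" "$root/lib" "$root/etc" || return 1
    for bin in "$@"; do
        cp -p "$bin" "$root/bin/" || return 1
        libs=$(ldd "$bin" | ldd_libs) || {
            echo "unresolved library for $bin; stopping" >&2
            return 1
        }
        for lib in $libs; do
            # Keep the original path so the dynamic loader finds it in the chroot.
            mkdir -p "$root$(dirname "$lib")" || return 1
            cp -pL "$lib" "$root$lib" || return 1
        done
    done
    # Ownership and mode as suggested (with an "I think") in the post.
    chown root:daemon "$root/bin" "$root/lib" "$root/etc" || return 1
    chmod 111 "$root/bin" "$root/lib" "$root/etc"
}
```

Only copy in the binaries the guest users actually need; everything placed under the chroot is reachable by them.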