Cybersecurity

Okay got it working at last, let me tell you what I have had to do, so, as you say we can all benefit...

Firstly I modified /etc/passwd and /etc/group to read:

user:x:500:500::/home/./user/:/etc/ftponly

root::0:root
user::500:user

You have to ensure that /etc/ftponly is in the list contained in the file /etc/shells. Then I created etc, bin and lib directories under /home - the location of these are vital, as I will show soon. In /home/etc I created a passwd file with the entry in /etc/passwd above as well as one for root thus:

root:x:0:0::/etc/ftponly

I also created a group file in /home/etc with the entries in /etc/group listed above. You only want these entries in these files, not the complete corresponding files as chrooted users will be able to see these.

Then I copied /bin/ls into /home/ls. Then I added two entries into /etc/ftpaccess:

class all guest *
guestgroup user

Class creates a class for the guest ftp, * means that connections from anywhere are allows as this class. Guestgroup indicates that the ftp login for users in group user will be guest ftp logins, which is needed for chrooting the account. Simple so far.

This is the bit that got me - I managed to log into the jail, and stay stuck in there, but could not see anything. I figured it was ls not working properly, so this is where the /home/lib directory comes into play. In here you need to replicate the state of the libraries and links in /lib that are used by ls.

So I used ldd /bin/ls to check things out. You need the following in /home/lib:

ld-2.1.94.so
libc-2.1.94.so
libtermcap.so.2.0.8

Then create soft links to these from the following, in respective order:

ld-linux.so.2
libc.so.6
libtermcap.so.2

What I discovered, after pulling my hair out many times, is exactly what mib said, this directory and bin needs to be in the directory you set to chroot to, NOT in the directory you set to subsequently chdir to. This is the mistake I made, so if it /etc/passwd the entry was:

user:x:500:500::/home/./user/:/etc/ftponly

~etc, ~bin and ~lib should be under /home not /home/user. Once this is all in place you have a fully functional chrooted guest ftp account.

One thing to bear in mind is this: this is obviously not a complete jail, as the chroot is done on /home so, that is effectively / which means the user can still get out into /home and possibly move into other people's directories. You can operate the chroot on /home/user but this would mean the ~etc, ~bin and ~lib directories in EACH users chroot environment - this is 5 megs in total (99% people the libraries) if you have say 100 customers on a machine, that 500 megs of disk space in just setting up the restricted ftp access, thats a lot of space, relatively speaking. So you can just chroot on /home and then you only need one set of those directories, and take chmod out of the priviledges for guest ftp accounts in /etc/ftpaccess. That should stop anyone chmoding someone elses files then deleting them. Obviously this need more consideration and is site dependent.

Hoped this helped someone!

Regards

Sorry...that should be /home/bin/ls of course!

Thanks so much for sharing your success and providing a thread we can reference when this comes up again (and again)!

The trouble with rbash and many other restricted shells is that they are easy to 'break out of' by exec'ing another shell. The chroot method has 'a chance to work'.

BTW: If you do what you just described for individual users (and individual logins) vs. a guest login, then (obviously) you could be more restrictive I think there is a way to do this that is not too labor intensive, BTW.

[Edited by Neo on 05-09-2001 at 07:17 PM]