05-09-2001
got it....
Okay got it working at last, let me tell you what I have had to do, so, as you say we can all benefit...
Firstly I modified /etc/passwd and /etc/group to read:
user:x:500:500::/home/./user/:/etc/ftponly
root::0:root
user::500:user
You have to ensure that /etc/ftponly is in the list contained in the file /etc/shells. Then I created etc, bin and lib directories under /home - the location of these are vital, as I will show soon. In /home/etc I created a passwd file with the entry in /etc/passwd above as well as one for root thus:
root:x:0:0::/etc/ftponly
I also created a group file in /home/etc with the entries in /etc/group listed above. You only want these entries in these files, not the complete corresponding files as chrooted users will be able to see these.
Then I copied /bin/ls into /home/ls. Then I added two entries into /etc/ftpaccess:
class all guest *
guestgroup user
Class creates a class for the guest ftp, * means that connections from anywhere are allows as this class. Guestgroup indicates that the ftp login for users in group user will be guest ftp logins, which is needed for chrooting the account. Simple so far.
This is the bit that got me - I managed to log into the jail, and stay stuck in there, but could not see anything. I figured it was ls not working properly, so this is where the /home/lib directory comes into play. In here you need to replicate the state of the libraries and links in /lib that are used by ls.
So I used ldd /bin/ls to check things out. You need the following in /home/lib:
ld-2.1.94.so
libc-2.1.94.so
libtermcap.so.2.0.8
Then create soft links to these from the following, in respective order:
ld-linux.so.2
libc.so.6
libtermcap.so.2
What I discovered, after pulling my hair out many times, is exactly what mib said, this directory and bin needs to be in the directory you set to chroot to, NOT in the directory you set to subsequently chdir to. This is the mistake I made, so if it /etc/passwd the entry was:
user:x:500:500::/home/./user/:/etc/ftponly
~etc, ~bin and ~lib should be under /home not /home/user. Once this is all in place you have a fully functional chrooted guest ftp account.
One thing to bear in mind is this: this is obviously not a complete jail, as the chroot is done on /home so, that is effectively / which means the user can still get out into /home and possibly move into other people's directories. You can operate the chroot on /home/user but this would mean the ~etc, ~bin and ~lib directories in EACH users chroot environment - this is 5 megs in total (99% people the libraries) if you have say 100 customers on a machine, that 500 megs of disk space in just setting up the restricted ftp access, thats a lot of space, relatively speaking. So you can just chroot on /home and then you only need one set of those directories, and take chmod out of the priviledges for guest ftp accounts in /etc/ftpaccess. That should stop anyone chmoding someone elses files then deleting them. Obviously this need more consideration and is site dependent.
Hoped this helped someone!
Regards
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
I need to create a user that only has access to 1 directory (e.g. /vol/mita/test). The user needs to be able to rsh into that directory to run a script. The user should not be able to navigate to any other directories above /vol/mita/test. Any help would be appreciated! (4 Replies)
Discussion started by: ngagne
4 Replies
2. UNIX for Dummies Questions & Answers
I have a need to allow only certain IP addresses to access a machine running solaris 9. I am not sure how this can be accomplished.
Thanks in advance for your help.
Patch (2 Replies)
Discussion started by: patch
2 Replies
3. Solaris
Hi All,
I'm on Solaris 8, I need to provide Read-only access to a user to 2 directories only.
Using rsh (restricted shell) as the user's login shell, I can restrict the user's access to a certain directory only, but how can I set in such a way that the user can access only the 2 directories... (4 Replies)
Discussion started by: max_min
4 Replies
4. UNIX for Advanced & Expert Users
I'm the admin in a shop in which my developers have and use the root account, all UNIX newbies.
I've been unable to convince management myself that this is an unacceptable practice.
I've looked in a couple books I have and can't find any chapters, discussions, etc that make the argument that... (2 Replies)
Discussion started by: keith.m
2 Replies
5. Solaris
We want to secure access to a server by restricting the number of users who can login to it. Our users are NIS users. Only few of them can telnet/ssh this server.
Do you have any idea on how to implement that?
thanks. (1 Reply)
Discussion started by: melanie_pfefer
1 Replies
6. UNIX for Advanced & Expert Users
Hi All,
I am facing a problem, regarding code security on a server.
We have configured a server which contains our code (ear present in jboss/server/xyz/deploy) in it, and need to bind the code to the server itself so that no one can take the code out of the. the problem is that the password of... (3 Replies)
Discussion started by: akshay61286
3 Replies
7. Solaris
Dear All,
I have created a user called "x" who is allowed only to FTP and it is working fine. Here my problem is, I want to give access to a particular directory say for eg:- /dump/test directory. I don't find any option in the useradd command to restrict access to this particular directory only... (1 Reply)
Discussion started by: Vijayakumarpc
1 Replies
8. Solaris
Hi all.
I've had a quick look around but cant see anything exactly matching my requirements.
I have a new T2000 running S10. Im looking to restrict the no. cores that a S10 non-global zone can use to 1 only. The box is single CPU but 8core.
I want to do this to save on some software... (4 Replies)
Discussion started by: boneyard
4 Replies
9. UNIX for Dummies Questions & Answers
Hello,
I am using MySecureShell to chroot all sftp accesses. The problem that I have is that my boss does not want root to be able to use sftp. Root should still be able to ssh. Any ideas? (2 Replies)
Discussion started by: mojoman
2 Replies
10. Solaris
Dear all,
I am administering a DC environment of over 100+ Solaris servers used by various teams including Databases.
Every user created on the node belonging to databases is assigned group staff(10) .
I want that all users belonging to staff should NOT be able to execute certain system... (6 Replies)
Discussion started by: Junaid Subhani
6 Replies
LEARN ABOUT OPENDARWIN
chgrp
CHGRP(1) BSD General Commands Manual CHGRP(1)
NAME
chgrp -- change group
SYNOPSIS
chgrp [-fhv] [-R [-H | -L | -P]] group file ...
DESCRIPTION
The chgrp utility sets the group ID of the file named by each file operand to the group ID specified by the group operand.
The following options are available:
-H If the -R option is specified, symbolic links on the command line are followed. (Symbolic links encountered in the tree traversal
are not followed).
-L If the -R option is specified, all symbolic links are followed.
-P If the -R option is specified, no symbolic links are followed. This is the default.
-R Change the group ID for the file hierarchies rooted in the files instead of just the files themselves.
-f The force option ignores errors, except for usage errors and doesn't query about strange modes (unless the user does not have proper
permissions).
-h If the file is a symbolic link, the group ID of the link itself is changed rather than the file that is pointed to.
-v Cause chgrp to be verbose, showing files as the group is modified.
The -H, -L and -P options are ignored unless the -R option is specified. In addition, these options override each other and the command's
actions are determined by the last one specified.
The group operand can be either a group name from the group database, or a numeric group ID. If a group name is also a numeric group ID, the
operand is used as a group name.
The user invoking chgrp must belong to the specified group and be the owner of the file, or be the super-user.
DIAGNOSTICS
The chgrp utility exits 0 on success, and >0 if an error occurs.
COMPATIBILITY
In previous versions of this system, symbolic links did not have groups.
The -v option is non-standard and its use in scripts is not recommended.
FILES
/etc/group group ID file
SEE ALSO
chown(2), fts(3), group(5), passwd(5), symlink(7), chown(8)
STANDARDS
The chgrp utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compatible.
BSD
March 31, 1994 BSD