05-09-2001
got it....
Okay, got it working at last. Let me tell you what I have had to do so, as you say, we can all benefit...
Firstly I modified /etc/passwd and /etc/group to read:
user:x:500:500::/home/./user/:/etc/ftponly
root::0:root
user::500:user
You have to ensure that /etc/ftponly is in the list contained in the file /etc/shells. Then I created etc, bin and lib directories under /home - the location of these is vital, as I will show soon. In /home/etc I created a passwd file with the entry in /etc/passwd above as well as one for root thus:
root:x:0:0::/etc/ftponly
I also created a group file in /home/etc with the entries in /etc/group listed above. You only want these entries in these files, not the complete corresponding files as chrooted users will be able to see these.
Then I copied /bin/ls into /home/ls. Then I added two entries into /etc/ftpaccess:
class all guest *
guestgroup user
Class creates a class for the guest ftp; * means that connections from anywhere are allowed as this class. Guestgroup indicates that the ftp login for users in group user will be guest ftp logins, which is needed for chrooting the account. Simple so far.
This is the bit that got me - I managed to log into the jail, and stay stuck in there, but could not see anything. I figured it was ls not working properly, so this is where the /home/lib directory comes into play. In here you need to replicate the state of the libraries and links in /lib that are used by ls.
So I used ldd /bin/ls to check things out. You need the following in /home/lib:
ld-2.1.94.so
libc-2.1.94.so
libtermcap.so.2.0.8
Then create soft links to these from the following, in respective order:
ld-linux.so.2
libc.so.6
libtermcap.so.2
What I discovered, after pulling my hair out many times, is exactly what mib said: this directory and bin need to be in the directory you set to chroot to, NOT in the directory you set to subsequently chdir to. This is the mistake I made, so if in /etc/passwd the entry was:
user:x:500:500::/home/./user/:/etc/ftponly
~etc, ~bin and ~lib should be under /home, not /home/user. Once this is all in place you have a fully functional chrooted guest ftp account.
One thing to bear in mind is this: this is obviously not a complete jail, as the chroot is done on /home, so that is effectively /, which means the user can still get out into /home and possibly move into other people's directories. You can operate the chroot on /home/user, but this would mean the ~etc, ~bin and ~lib directories in EACH user's chroot environment - this is 5 megs in total (99% people the libraries); if you have say 100 customers on a machine, that's 500 megs of disk space just in setting up the restricted ftp access, and that's a lot of space, relatively speaking. So you can just chroot on /home and then you only need one set of those directories, and take chmod out of the privileges for guest ftp accounts in /etc/ftpaccess. That should stop anyone chmoding someone else's files then deleting them. Obviously this needs more consideration and is site dependent.
Hope this helped someone!
Regards
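The procedure above as a script, added here and not the poster's own: it copies a binary and every library ldd reports into the chroot root (generalising the three libraries the post lists by hand, and keeping each library's own path rather than assuming /lib), writes the cut-down passwd and group files, and checks that the support directories sit at the chroot root rather than in the user's home. The jail root, the /./ marker, the /etc/ftponly shell and uid/gid 500 come from the post; the function names, ldd(1), readlink -f and awk are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: build the wu-ftpd guest-chroot skeleton
# it describes.  JAIL is the directory in front of "/./" in the passwd entry
# (/home in the post); bin, lib and etc go under JAIL, not the user's home.
# Assumes ldd(1), readlink -f and awk are available.

# Pull absolute library paths out of ldd output read on stdin, e.g.
#   libc.so.6 => /lib/libc.so.6 (0x4001e000)   or   /lib/ld-linux.so.2 (0x40000000)
libs_from_ldd() {
    awk '/=>/ && $3 ~ /^\// { print $3; next }
         !/=>/ && $1 ~ /^\// { print $1 }'
}

# Copy one binary into JAIL/bin plus every shared object it needs.  The real
# file is copied under its original path and the soname link recreated, e.g.
# lib/libc-2.1.94.so with lib/libc.so.6 -> /lib/libc-2.1.94.so (link target
# as seen from inside the jail): the pairs the post built by hand.
install_into_jail() {
    jail=$1; bin=$2
    mkdir -p "$jail/bin" "$jail/lib" "$jail/etc"
    cp "$bin" "$jail/bin/"
    ldd "$bin" 2>/dev/null | libs_from_ldd | while read -r lib; do
        real=$(readlink -f "$lib")
        mkdir -p "$jail$(dirname "$real")" "$jail$(dirname "$lib")"
        cp "$real" "$jail$real"
        [ "$real" = "$lib" ] || ln -sf "$real" "$jail$lib"
    done
}

# Minimal passwd and group for the jail: only root and the guest account,
# never a copy of the host files, which chrooted users can read.
write_jail_accounts() {
    jail=$1; user=$2; uid=$3; gid=$4
    { printf 'root:x:0:0::/:/etc/ftponly\n'
      printf '%s:x:%s:%s::%s/./%s/:/etc/ftponly\n' "$user" "$uid" "$gid" "$jail" "$user"
    } > "$jail/etc/passwd"
    printf 'root::0:root\n%s::%s:%s\n' "$user" "$gid" "$user" > "$jail/etc/group"
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
}

# The post's gotcha: bin, lib and etc must sit at the chroot root, not in the
# directory ftpd later chdirs to.  Returns 0 only when they are under JAIL.
jail_layout_ok() {
    [ -d "$1/bin" ] && [ -d "$1/lib" ] && [ -f "$1/etc/passwd" ]
}

# Usage as in the post: jail root /home, guest account "user" (uid/gid 500).
# install_into_jail /home /bin/ls
# write_jail_accounts /home user 500 500
# jail_layout_ok /home && echo "jail skeleton in place"
```

The ftpaccess lines from the post (class and guestgroup) are still added by hand; the script only builds the filesystem side of the jail.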
LEARN ABOUT HPUX
hosts.equiv
hosts.equiv(4) Kernel Interfaces Manual hosts.equiv(4)
NAME
hosts.equiv, .rhosts - security files authorizing access by remote hosts and users on local host
DESCRIPTION
The file and files named found in users' home directories specify remote hosts and users that are "equivalent" to the local host or user.
Users from equivalent remote hosts are permitted to access a local account using or or to to the local account without supplying a password
(see rcp(1), remsh(1), and rlogin(1)). The security provided by is implemented by the library routine, (see rcmd(3N)).
In this description, hostequiv means either the system file or the user file. Note that must be owned either by the root or by the user in
whose home directory it is found and it must not be a symbolic link. The file defines system-wide equivalency, whereas a user's file
defines equivalency between the local user and any remote users to whom the local user chooses to allow or deny access.
An entry in the hostequiv file is a single line (no continuations) in the format:
Thus, it can be:
o A blank line.
o A comment line, beginning with a
o A host name, optionally followed by a comment.
o A host name and user name, optionally followed by a comment.
A host or user name is a string of printable characters, excluding whitespace, newlines, and
Names are separated by whitespace.
For a user to be granted access, both the remote host name and the user name must "match" an entry in hostequiv. When a request is made
for access, the file is searched first. If a match is found, access is permitted. If no match is found, the file is searched, if one
exists in the local user's home directory. If the local user is a superuser, is ignored.
A host name or user name must match the corresponding field entry in hostequiv in one of the following ways:
Literal match A host name in hostequiv can literally match the official host name (not an alias) of the remote host.
A user name in hostequiv can literally match the remote user name. For a user name to have literal match
in the file, the remote user name must literally match the local user name.
Domain-extended match The remote host name to be compared with entries in hostequiv is typically the official host name returned
by (see gethostent(3N)). In a domain-naming environment, this is a domain-qualified name. If a host name
in hostequiv does not literally match the remote host name, the host name in hostequiv with the local
domain name appended may match the remote host name.
If the host name in hostequiv is of this form, and if name literally matches the remote host name or if name with the local
domain name appended matches the remote host name, access is denied regardless of the user name.
If the user name in hostequiv is of this form, and name literally matches the remote user name, access is
denied.
Even if access is denied in this way by access can still be allowed by
Any remote host name matches the host name
in hostequiv.
Any remote user matches the user name
netgroup_name is the name of a network group as defined in netgroup(4). If the host name in hostequiv is of this form,
the remote host name (only) must match the specified network group according to the rules defined in netgroup(4) in order for the host name to match.
Similarly, if the user name in hostequiv is of this form, the remote user name (only) must match the specified network group in order for the user name to match.
netgroup_name is the name of a network group as defined in netgroup(4). If the host name in hostequiv is of this form,
and if the remote host name (only) matches the specified network group according to the rules defined in
netgroup(4), access is denied.
Similarly, if the user name in hostequiv is of this form, and if the remote user name (only) matches the
specified network group, access is denied.
Even if access is denied in this way by access can still be allowed by
EXAMPLES
1. on contains the line:
and on is empty. User on can use to or to account on without being prompted for a password. will, however, be prompted for a password with or denied access with from to
If in the home directory of user on contains:
or
then user can access from
2. is in the domain and are in the domain in the home directory of user on contains:
User can access from since matches with local domain appended. But user from cannot access since does not match In order for user
to be able to access from file on must contain:
since is in a different domain.
3. in the home directory of user on contains:
on contains the line:
However, there is no file in the home directory of user on The user on can to account on without being prompted for a password, but
on cannot to account on
4. in the home directory of user on contains:
User from any host is allowed to access account on User from any host except can access account on
5. on contains the lines:
Any user from except is allowed to access an account on with the same user name. However, if in the home directory of user on contains:
then user from can access account on
6. on contains the line:
The network group consists of:
If is not running Network Information Service (NIS), user on any host can access account on
If is running Network Information Service (NIS), and is in the domain user on any host, whether in or not, can access account on
However, if in the home directory of user on contains the line:
and is either not running Network Information Service (NIS) or is in domain no user on any host can access the account on If is running Network Information Service (NIS) but is not in the domain this line has no effect.
7. on contains the line:
The network group consists of:
All users on are denied access to
However, if in the home directory of a user on contains any of the following lines:
then user on can access that account on
WARNINGS
For security purposes, the files and should exist and be readable and writable only by the owner, even if they are empty.
Care must be exercised when creating the
The option to and prevents any authentication based on files for users other than a superuser.
AUTHOR
was developed by the University of California, Berkeley.
The and extensions were developed by Sun Microsystems, Inc.
FILES
SEE ALSO
rcp(1), rdist(1), remsh(1), rlogin(1), remshd(1M), rlogind(1M), gethostent(3N), rcmd(3N), netgroup(4).