Operating Systems Linux Debian Secure ftp access to outside chroot Post 302395509 by chipmunken on Wednesday 17th of February 2010 07:23:30 AM
Secure ftp access to outside chroot

I want to set up FTP on my home server running Debian 5.0.
I found this guide and have read it carefully.
Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Debian Lenny | HowtoForge - Linux Howtos and Tutorials

Before I install/configure it I want to know if it's possible to
give my dad access to some files located under /mnt/lager/
without giving him read or write access to the whole system.

If I jail system users to their home directories I can't symlink to /mnt/lager.
Is there any way of doing this? I thought with virtual pureftp users this is configurable. I can't find anything in there about it.

Any tips or ideas before I start experimenting?

---------- Post updated at 10:46 ---------- Previous update was at 09:39 ----------

Think I found a solution.

I will post here if it works.

---------- Post updated 17th Feb 2010 at 07:23 ---------- Previous update was 16th Feb 2010 at 10:46 ----------

Well, I solved my issue now.
I have jailed a pure ftp user to his home folder and I have bind-mounted a folder into his home folder, and he only has read access there.


mount --bind /mnt/lager/stuff /home/fred/stuff

and under /mnt/lager/stuff the ftp user fred only has read privileges
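
An added example, not part of the original post: the setup above relies on file permissions to keep fred read-only, and this sketch additionally makes the bind mount itself read-only and checks the result in mountinfo format. The sample mountinfo lines and the /home/fred/music path are constructed for illustration.

```shell
#!/bin/sh
# Added example: enforce and verify a read-only bind mount for a jailed FTP user.

# Run as root. A bind mount starts with the source mount's options, so the
# read-only flag is applied to this mount point with a second, remount step.
setup_ro_bind() {   # $1 = source directory, $2 = target inside the jailed home
    mount --bind "$1" "$2" &&
    mount -o remount,ro,bind "$2"
}

# Print "ro", "rw" or "absent" for a mount point, read from mountinfo.
# Field 5 is the mount point, field 6 the per-mount options. The last
# matching line wins because later mounts stack on top of earlier ones.
bind_mount_state() {   # $1 = mount point, $2 = mountinfo file (optional)
    awk -v mp="$1" '
        $5 == mp {
            state = "rw"
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") state = "ro"
        }
        END { print (state == "" ? "absent" : state) }
    ' "${2:-/proc/self/mountinfo}"
}

# Constructed sample in /proc/self/mountinfo format (not from a real host).
sample_mountinfo() {
    cat <<'EOF'
22 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw,errors=remount-ro
40 22 8:17 / /mnt/lager rw,relatime - ext3 /dev/sdb1 rw
41 22 8:17 /stuff /home/fred/stuff ro,relatime - ext3 /dev/sdb1 rw
42 22 8:17 /music /home/fred/music rw,relatime - ext3 /dev/sdb1 rw
EOF
}

# Offline demo against the sample; drop the file argument on a live system.
demo() {
    tmp=$(mktemp) || return 1
    sample_mountinfo > "$tmp"
    for mp in /home/fred/stuff /home/fred/music /home/fred/missing; do
        printf '%s: %s\n' "$mp" "$(bind_mount_state "$mp" "$tmp")"
    done
    rm -f "$tmp"
}
demo
```

With the mount point read-only, a later permission change under /mnt/lager/stuff does not by itself give the FTP user write access through /home/fred/stuff.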
 

SBUILD-SETUP(7)                    Debian sbuild                    SBUILD-SETUP(7)

NAME
       sbuild-setup - sbuild setup procedure

DESCRIPTION
       sbuild uses chroots to build packages within, to provide a minimal and consistent build environment. This man page describes the procedure to create a chroot by hand using debootstrap. These are only guidelines; depending upon the setup required, several of the steps may be omitted entirely.

QUICK START
       Simply running sbuild-createchroot will perform all the setup steps described in detail below. See the section "sbuild-createchroot" below, as well as sbuild-createchroot(1).

CHROOT SETUP
       This guide sets up a lenny chroot on a powerpc machine. Adjust the names for other suites and architectures.

   1. Run debootstrap to create the chroot
           # mkdir -p /srv/chroot/lenny

       The author has each chroot as a separate LVM logical volume (LV). Create and mount an LV here if required:

           # lvcreate -L 4G -n lenny_chroot -Z y volume-group

       Add to /etc/fstab and mount (see next section for full fstab example). Finally, run debootstrap to create the chroot:

           # debootstrap --variant=buildd lenny /srv/chroot/lenny http://ftp.uk.debian.org/debian/

   2. Set up additional mounts
       An example /etc/fstab:

           /dev/volume-group/lenny_chroot  /srv/chroot/lenny                  ext3   defaults  0  2
           /dev/pts                        /srv/chroot/lenny/dev/pts          none   rw,bind   0  0
           tmpfs                           /srv/chroot/lenny/dev/shm          tmpfs  defaults  0  0
           proc                            /srv/chroot/lenny/proc             proc   defaults  0  0
           /dev/volume-group/home          /srv/chroot/lenny/home             ext3   quota     0  0
           /tmp                            /srv/chroot/lenny/tmp              none   rw,bind   0  0
           /etc/passwd                     /srv/chroot/lenny/etc/passwd       none   ro,bind   0  0
           /etc/shadow                     /srv/chroot/lenny/etc/shadow       none   ro,bind   0  0
           /etc/group                      /srv/chroot/lenny/etc/group        none   ro,bind   0  0
           /etc/gshadow                    /srv/chroot/lenny/etc/gshadow      none   ro,bind   0  0
           /etc/resolv.conf                /srv/chroot/lenny/etc/resolv.conf  none   ro,bind   0  0

       If the bind mountpoints don't exist in the chroot, touch them:

           # touch /srv/chroot/lenny/etc/resolv.conf

       Next, mount them all.

       Depending on your kernel version and security considerations, you may wish to do this part slightly differently. With a Linux kernel, at least version 2.6 is required for bind mounts, and devpts (CONFIG_UNIX98_PTYS) for /dev/pts. Other guides recommend copying the files, but this method keeps them up-to-date at no cost.

       If using sbuild with schroot, passwd, shadow, group, gshadow and resolv.conf can be updated automatically at the start of each build, so no action is required here. schroot can also automatically mount all of the extra filesystems, so all the other mounts may be omitted.

       To disable networking, don't bind mount /etc/resolv.conf. This will prevent APT from working inside the chroot, but prevents package building from having working network access (no nameservers).

   3. Edit sources.list
       Create or edit /srv/chroot/lenny/etc/apt/sources.list, and add all the APT sources required to obtain binary and source packages for your chosen distribution:

           deb http://security.debian.org/ lenny/updates main
           deb-src http://security.debian.org/ lenny/updates main

           deb http://ftp.uk.debian.org/debian/ lenny main
           deb-src http://ftp.uk.debian.org/debian/ lenny main

   4. Configure dchroot or schroot
       This is entirely optional, but will make the chroot environment easier to access and administer.

       For dchroot, add the following line to /etc/dchroot.conf:

           lenny /srv/chroot/lenny

       For schroot, add a group to /etc/schroot/schroot.conf (or a new file /etc/schroot/chroot.d/lenny), for example:

           [lenny]
           type=directory
           description=Debian lenny (stable)
           location=/srv/chroot/lenny
           priority=2
           groups=root,sbuild
           root-groups=sbuild
           aliases=stable
           run-setup-scripts=true
           run-session-scripts=true

       For sudo, add a symbolic link to the directory /etc/sbuild/chroot, for example:

           # mkdir -p /etc/sbuild/chroot
           # ln -s /srv/chroot/lenny /etc/sbuild/chroot/lenny

   5. Log into chroot
           # dchroot -c lenny

       or

           $ schroot -c lenny -u root

   6. Set up packages for sbuild
       While running as root inside the chroot:

           # apt-get update
           # apt-get dist-upgrade
           # apt-get install debconf
           # dpkg-reconfigure -plow debconf

       Answer the debconf questions as follows:

           interface  choose 6/Noninteractive
           priority   choose 1/Critical

       You only need to run dpkg-reconfigure if you weren't asked the questions during the debconf install.

       Next, install the packages required for building packages:

           # apt-get install debfoster fakeroot build-essential
           # apt-get install makedev
           # cd /dev/
           # /sbin/MAKEDEV generic
           # touch /etc/mtab

       For some security, we don't bind mount /dev, so it can't access e.g. USB devices.

   7. sbuild setup
       While running as root inside the chroot:

           # mkdir /build
           # chown root:sbuild /build
           # chmod 02775 /build
           # mkdir -p /var/lib/sbuild/srcdep-lock
           # chown -R root:sbuild /var/lib/sbuild
           # chmod -R 02775 /var/lib/sbuild

       Note that when using sbuild with schroot, this setup is done at the start of each build, so is not required here.

   8. Finished
       Congratulations! You should now have a fully configured and operational chroot.

SBUILD-CREATECHROOT
       This script will automatically perform a number of the steps described above, including:

       o   Running debootstrap.
       o   Setting up APT sources in /etc/apt/sources.list.
       o   Setting up a minimal /etc/passwd
       o   Setting up /build and /var/lib/sbuild with appropriate ownership and permissions.

       After it has done this, you do still need to do some manual setup, completing the steps it missed out above, for example.

USER SETUP
   1. Group membership
       As root, run:

           # sbuild-adduser user

       Alternatively, add the user to the sbuild group by hand:

           # adduser user sbuild

   2. ~/.sbuildrc
       Configure the user's ~/.sbuildrc:

           $ cp /usr/share/doc/sbuild/examples/example.sbuildrc ~user/.sbuildrc

       Edit to set the correct mail address to send log files to, and the correct maintainer name and/or uploader name.

   3. Build directories
       Create directories to contain packages and log files. (.sbuildrc may have configured different locations; the default build directory is the current directory, and the default $log_dir is ~/logs):

           $ mkdir ~/logs

   4. sudo setup
       This step not required if schroot is used (which is the default, set in sbuild.conf).

       If using sbuild with sudo (chroot_mode "split"), sudo needs configuring to give the user permission to install and remove packages in the chroot, which requires root privileges. Add the following lines to /etc/sudoers:

           username ALL=NOPASSWD: ALL
           Defaults:username env_keep+="APT_CONFIG DEBIAN_FRONTEND SHELL"

       where username is the name of the user who will run sbuild.

   5. Finished
       The user should now be able to run sbuild.

           $ sbuild ...

AUTHORS
       Roger Leigh.

COPYRIGHT
       Copyright (C) 2005-2008 Roger Leigh <rleigh@debian.org>

       This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

SEE ALSO
       debootstrap(1), sbuild(1), sbuild-adduser(1), sbuild-createchroot(1).

Version 0.63.2                      18 Aug 2012                     SBUILD-SETUP(7)