From: "Mit Rowe" (mitayai@dreamlabs.com)
To: "FreeBSD-Stable"
Cc: "Chat@Gtabug. Org"
Subject: ftpd, login.access and ftp-chroot
Date: Tue, 27 Nov 2001 02:56:08 -0500
List: freebsd-stable@FreeBSD.ORG

Hi, folks... I'm having some problems that I'm hoping someone here could help me with...

Environment:
- Production machine, heavy use
- FreeBSD 4.4-STABLE (fairly recent, <1 week old)
- Stock ftpd as shipped, in inetd.conf as "ftpd -l -l"

I'm trying to set up the chroot()'ing of FTP users without using /etc/ftpchroot. "Why?" is a complicated reason, so the short answer is basically "Because the man page seems to say that I can." ;-) (If you want the long answer, feel free to ask.)

The ftpd man page indicates that if I set the boolean 'ftp-chroot' in /etc/login.conf then I should be able to accomplish an ftp chroot() for users in the class in which this is defined.
So, I edited the login.conf template from /usr/src/etc to insert this.

*** /usr/src/etc/login.conf	Sat Oct 20 17:35:56 2001
--- /etc/login.conf	Tue Nov 27 02:00:49 2001
***************
*** 46,51 ****
--- 46,54 ----
  # standard:\
  :tc=default:
+ web:\
+ :ftp-chroot=yes:\
+ :tc=default:
  xuser:\
  :tc=default:
  staff:\

I then ran:

    cap_mkdb /etc/login.conf

and then used chfn to set the "test" account's class to 'web'.

I ftp in as the test account, and I change to the root with "cd /" and "ls"; at this point I should only see the files in the test account's home directory. Problem is, the directory listing is the server's root.

I've run the experiment through a few times, with the same results, so I figure either:

a) I'm missing something, am mis-reading something, or just haven't had enough sleep yet (quite possible),
b) there is a bug somewhere,
c) I'm reading deprecated / mis-documented man pages, or
d) the existence of my existing /etc/ftpchroot file is complicating things. (This is not a sterile lab environment, and I don't have access to one right this moment.)

The standard way of chroot()'ing ftp logins is with the /etc/ftpchroot file, and during the course of this experiment this file does exist on the server. It has one line, "@clients", which chroot()'s the ftp logins of everyone in that group, and is functioning as expected.

I realize that to do this experiment properly I should try both with and without this file, but it's a production machine I'm playing with here and I'll have to wait a few hours before attempting that, else all hell will break loose ;-)

Any insight or testing in another environment would be appreciated...

Cheers,
Mit

___________________________________________________________
Mit Rowe (Will Mitayai Keeso Rowe)
Internet Services, DreamLabs/Branch Media Inc.
260 Richmond St. East, Suite 200, Toronto, Ontario M5A 1P4, Canada
ph: 416.323.0840 ext. 262   fax: 416.323.0894   icq: 7161728
mit@dreamlabs.com / mit@branchmedia.com
___________________________________________________________
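Review bot: the added `web` class writes the capability as `:ftp-chroot=yes:`, which is string syntax, while ftpd(8) documents ftp-chroot as a boolean, and in login.conf(5) a boolean is set by the bare presence of its name (`:ftp-chroot:`). ftpd reads it through login_getcapbool(3), whose underlying cgetcap(3) lookup for a boolean only matches a field that ends immediately after the name, so the `=yes` form is never matched and the class is treated as if ftp-chroot were unset, which is consistent with the test account landing in the server's root. Suggest changing the hunk line to `+ :ftp-chroot:\`, re-running `cap_mkdb /etc/login.conf`, and repeating the "cd /" / "ls" test. The existing `@clients` entry in /etc/ftpchroot only applies to members of that group and does not mask this result, so option d) is not the explanation; the `:tc=default:` chaining is fine as written.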
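As an added illustration (not code from the original mail, nor from FreeBSD's ftpd or libutil), the POSIX sh script below checks the point at issue in the post: a boolean capability in login.conf is recognised only as a bare `:ftp-chroot:` field, whereas `:ftp-chroot=yes:` is a string capability that a boolean lookup does not find. The function joins the backslash-continued lines of one class record and reports which form that record uses; it is run here against two constructed login.conf fragments written to temporary files (stand-ins for /etc/login.conf, not the real system file), and it deliberately does not follow `tc=` chaining, so only the named class's own record is inspected.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD. Reads a plain-text
# login.conf, joins the "\"-continued lines of one class record, and reports how
# that record declares ftp-chroot. The distinction mirrors cgetcap(3): a boolean
# lookup matches only a bare ":ftp-chroot:" field; ":ftp-chroot=yes:" is a
# string capability and is not matched. Assumption: tc= chaining is not followed.

# ftp_chroot_state FILE CLASS -> prints one of: boolean | string | absent | noclass
ftp_chroot_state() {
    file=$1; class=$2; rec=""; found="noclass"
    while read -r line || [ -n "$line" ]; do      # read trims leading blanks
        case "$line" in
            '#'*|'') continue ;;                   # skip comments and blank lines
        esac
        case "$line" in
            *\\) rec="$rec${line%\\}"; continue ;; # continued line: keep accumulating
            *)   rec="$rec$line" ;;                # last physical line of the record
        esac
        case "$rec" in
            "$class:"*|"$class|"*)                 # record for the requested class
                found="absent"
                oldifs=$IFS; IFS=:; set -f         # split on ':' without globbing
                for field in $rec; do
                    case "$field" in
                        ftp-chroot)   found="boolean" ;;
                        ftp-chroot=*) [ "$found" = boolean ] || found="string" ;;
                    esac
                done
                set +f; IFS=$oldifs
                ;;
        esac
        rec=""
    done < "$file"
    echo "$found"
}

# Constructed login.conf fragments (not real system files); cleaned up on exit.
SAMPLE_AS_POSTED=$(mktemp); SAMPLE_FIXED=$(mktemp)
trap 'rm -f "$SAMPLE_AS_POSTED" "$SAMPLE_FIXED"' EXIT

cat > "$SAMPLE_AS_POSTED" <<'EOF'
# shape of the class from the posted diff: string syntax for a boolean
default:\
        :umask=022:
web:\
        :ftp-chroot=yes:\
        :tc=default:
EOF

cat > "$SAMPLE_FIXED" <<'EOF'
# same class with the boolean written as login.conf(5) expects
default:\
        :umask=022:
web|Web users:\
        :ftp-chroot:\
        :tc=default:
EOF

demo() {
    printf 'as posted    (web): %s\n' "$(ftp_chroot_state "$SAMPLE_AS_POSTED" web)"  # string
    printf 'bare boolean (web): %s\n' "$(ftp_chroot_state "$SAMPLE_FIXED" web)"      # boolean
    printf 'default class     : %s\n' "$(ftp_chroot_state "$SAMPLE_FIXED" default)"  # absent
}
demo
```

Run it as `sh check-ftp-chroot.sh`; to inspect a real file, call `ftp_chroot_state /etc/login.conf web` instead of `demo`. A `string` result for a class that is meant to chroot its FTP users means the setting is silently ineffective, which is exactly the failure mode worth a check, since the user sees the whole filesystem and nothing logs an error.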