Date:      Tue, 27 Nov 2001 02:56:08 -0500
From:      "Mit Rowe" <mitayai@dreamlabs.com>
To:        "FreeBSD-Stable" <freebsd-stable@freebsd.org>
Cc:        "Chat@Gtabug. Org" <chat@gtabug.org>
Subject:   ftpd, login.access and ftp-chroot
Message-ID:  <DBEMKGPNFGOGJHLMDNDJGEKJECAA.mitayai@dreamlabs.com>


Hi, folks... I'm having some problems that I'm hoping someone here could
help me with...

Environment:
	-Production machine, heavy use
	-FreeBSD 4.4-STABLE (fairly recent, <1 week old)
	-Stock ftpd as shipped in inetd.conf as ftpd -l -l

I'm trying to set the chroot()'ing of FTP users without using
/etc/ftpchroot. "Why?" is a complicated reason, so the short answer is
basically "Because the man page seems to say that I can." ;-)
(If you want the long answer, feel free to ask)

The ftpd man page indicates that if I set the boolean 'ftp-chroot' in
/etc/login.conf then I should be able to accomplish an ftp chroot() for users
in the class in which this is defined.

So, I edited the login.conf template from /usr/src/etc to insert this.

*** /usr/src/etc/login.conf     Sat Oct 20 17:35:56 2001
--- /etc/login.conf     Tue Nov 27 02:00:49 2001
***************
*** 46,51 ****
--- 46,54 ----
  #
  standard:\
        :tc=default:
+ web:\
+       :ftp-chroot=yes:\
+       :tc=default:
  xuser:\
        :tc=default:
  staff:\
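
Review bot: The added `:ftp-chroot=yes:` line in the new `web` class gives ftp-chroot a string value, while the message describes ftp-chroot as a boolean. login.conf uses the termcap-style capability format, in which a boolean is set by listing the bare name (`:ftp-chroot:`) and `name=value` defines a string capability, so a boolean lookup for ftp-chroot may not see this entry. Suggest changing the line to `:ftp-chroot:\` and re-running cap_mkdb on the file.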

I then ran:

cap_mkdb  /etc/login.conf

and then used chfn to set the "test" account's class to 'web'.

I ftp in as the test account, and I change to the root with "cd /" and "ls"
and, at this point, I should only see the files in the test account's home
directory.

Problem is, the directory listing is the server's root.

I've run the experiment through a few times, with the same results, so I
figure either:

a) I'm missing something, am mis-reading something, or just haven't had
enough sleep yet. (Quite possible),
b) there is a bug somewhere,
c) I'm reading deprecated / mis-documented man pages,
d) the existence of my existing /etc/ftpchroot file is complicating things.
(This is not a sterile lab environment, and I don't have access to one right
this moment). The standard way of chroot()'ing ftp logins is with the
/etc/ftpchroot file, and during the course of this experiment, this file
does exist on the server. It has one line "@clients" which chroot()'s ftp
logins of everyone in that group, and is functioning as expected. I realize
that to do this experiment properly I should try both with and without this
file, but it's a production machine I'm playing with here and I'll have to
wait a few hours before attempting that, else all hell will break loose ;-)

Any insight or testing in another environment would be appreciated...

Cheers,
Mit





 ___________________________________________________________
 Mit Rowe
 (Will Mitayai Keeso Rowe)

 Internet Services
 DreamLabs/Branch Media Inc.      ph: 416.323.0840 ext. 262
 260 Richmond St. East Suite 200  fax: 416.323.0894
 Toronto, Ontario  M5A 1P4        icq: 7161728
 Canada

 mit@dreamlabs.com / mit@branchmedia.com
 ___________________________________________________________

