File: tag_ftpd.html

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html><head>
<META NAME="generator" CONTENT="lgazmail v1.1pre9c">
<TITLE>The Answer Guy 32: 
WU-FTP guestgroup problems
</TITLE> 
<!-- ORIGINAL SUBJECT:
wu-ftpd guest account on a Linux Box
JTD SUBTITLE:

-->
</head>

<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
ALINK="#FF0000">
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H1 align="center"><A NAME="answer">
	<img src="../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
	<a href="./lg_toc32.html">The Answer Guy</a>
	<img src="../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
</A></H1> 
<BR>
<H4 align="center">By James T. Dennis,
	<a href="mailto:answerguy@ssc.com">answerguy@ssc.com</a>
	<BR>Starshine Technical Services, <A HREF="http://www.starshine.org/">http://www.starshine.org/</A> 
</H4>
<p><hr><p>
<!--endcut ========================================================= -->
<H3><img src="../gx/dennis/qbub.gif" alt="(?)" width="50" height="28"
	align="left" border="0">WU-FTP guestgroup problems</H3>

<p><strong>From Marco Iannacone on the 
	<a href="news:comp.unix.questions">comp.unix.questions</a> newsgroup 
	on 9 Jun 1997 </strong></p>

<!-- begin body -->

<blockquote>It looks like I never answered this question.
(I'm going through my old archives).
</blockquote>

<strong><p>Hi James,
how you doing?
</p></strong>

<strong><p>I'm writing to you as <EM>The Answer Guy</EM> 'cause I have 
some problem with setting up the guest trick with wu-ftpd.
What I mean is to have a chrooted environment for some special user
with their home directory and user-id and password.
</p></strong>

<strong><p>I'm using <A HREF="http://www.slackware.org/">Slackware</A> 
'96 Linux with the wu-archive-ftp that comes already compiled with it.
</p></strong>

<strong><p>This is what I did:
</p></strong>

<strong>
<ul>
<LI>I compiled gnu ls statically and put it in ~ftp/user-foo/bin 
    directory.
<LI>I did the <TT>/etc</TT> hack:
	<ul>
	<li>added the guest group in <TT>/etc/group</TT>
	<li>modified the <TT>/etc/passwd</TT> file for the user I want to be
	    chrooted giving him <TT>/home/ftp/user-foo./</TT> directory
	</ul>
</UL>
</strong>

<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28" 
border="0" align="bottom">I think this is supposed to be</blockquote>


<code><blockquote><blockquote>/home/ftp/./user-foo
</blockquote></blockquote></code>

<blockquote>... if you want the guestgroup directive in 
wu-ftpd's ftpaccess file to chroot to <TT>/home/ftp</TT> and
initially place this user in the <TT>/home/ftp/user-foo</TT> 
directory.
</blockquote>


<STRONG><P><IMG SRC="../gx/dennis/qbub.gif" ALT="(?)" width="50" height="28" border="0" align="bottom"
>I don't recall whether the "ftponly" (or whatever you
call your "guestgroup" group) has to be that user's 
<EM>primary</EM> group (the one listed in <TT>/etc/passwd</TT>) or whether
it can be one of the supplemental groups (as listed in <TT>/etc/group</TT>)
</p></strong>

<strong><UL>
	<ul>
	<LI>added <TT>/etc/ftponly</TT> to <TT>/etc/shells</TT>
	<LI>I modified the <TT>/etc/ftpaccess</TT> file adding
	<code>...
		<BR>path-filter guest /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\. ^-
		<BR>....
		<BR>guestgroup guest
	</code>
	</ul>


<LI>I created the user home directory which has the following
    attribute:

<pre>[root]:/home/ftp&gt;ls -la
total 104
dr-xr-xr-x   9 root     root          512 Jun  2 14:01 .
drwxrwxr-x   6 user-foo guest     512 Jun  3 13:54 user-foo
dr-xr-xr-x   2 root     root       512 Jun  3 09:45 bin
</pre>
</UL>
</strong>

<strong><p>Now the ftp server is running fine (both with normal and anonymous
users) and even the chrooted environment for guest is working fine:
the user can login, upload and download files and it is locked in
that directory... i.e. can go in all the subdirectory but can't go
up. So it is perfect!
</p></strong>

<strong><p>The only problem is that <TT>ls</TT> and <TT>dir</TT> are not 
working and he can only list files using <TT>nlist</TT>.
</p></strong>

<strong><p>For example:
</p></strong>

<strong><pre>Name (localhost:root): user-foo
331 Password required for user-foo.
Password:
230 User amex logged in.  Access restrictions apply.
ftp&gt; nlist
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
bin
.profile
etc
.rhosts
.forward
.sh_history
test-directory
test-file.txt
226 Transfer complete.
ftp&gt; dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp&gt; ls
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp&gt;quit
</pre></strong>

<strong><p>What am I missing? How can I allow him to do ls and dir?
Note: I'm sure that the new ls is working:
</p></strong>

<strong><pre>[root@Goliath /home/ftp/user-foo//bin]#./ls
compress  cpio        gzip            ls              sh        tar
[root@Goliath /home/ftp/user-foo/bin]#
</pre></strong>

<strong><p>
and that is statically linked:
</p></strong>


<strong><pre>[root@Goliath /home/ftp/user-foo/bin]#ldd ./ls

Statically linked (ELF)

[root@Goliath /home/ftp/user-foo/bin]#
</pre></strong>


<p><strong>Thanks a lot,
Marco
</strong></p>



<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28" border="0" align="bottom"
>Everything else sounds right to me.
</blockquote>


<BLOCKQUOTE>Naturally I hope you've long since solved this problem.
I just hate to leave a question unanswered.
</blockquote>


<BLOCKQUOTE>Incidentally, you might look at <TT>ncftpd</TT> (a newer
FTP daemon from Mike Gleason, author of the popular <TT>ncftp</TT> client).  
<TT>ncftpd</TT> allegedly offers better options for locking users into their 
home directories and it contains built-in support for '<TT>ls</TT>' and 
similar commands.</blockquote>


<BLOCKQUOTE><TT>ncftpd</TT> is shareware, rather than freeware, and
Mike wants $40 (US) for small servers (50 concurrent
sessions or less) and about $200 for larger servers.
</blockquote>

<blockquote>However you can evaluate the whole package for free.
Start by taking a look at:
</blockquote>


<code><blockquote><blockquote><A HREF="http://www.probe.net/~mgleason/ncftpd/"
	>http://www.probe.net/~mgleason/ncftpd/</A>
</blockquote></blockquote></code>


<blockquote>... or at:
</blockquote>


<code><blockquote><blockquote
	><A HREF="http://www.ncftp.com/">http://www.ncftp.com/</A>
</blockquote></blockquote></code>


<blockquote>... and reading about the features list.
</blockquote>

<blockquote>Naturally this hasn't been around as long as 
<TT>wu-ftpd</TT>, and the sources don't seem to be openly 
available.  So <TT>ncftpd</TT> doesn't benefit from the 
informal process of code review that we take for
granted for most Linux networking packages.
</blockquote>

<blockquote>(This informal process of auditing does not seem
to have been terribly effective, however, since we
still find new security problems in code that's been
free for decades.  For this reason there are a 
couple of more organized and formal efforts ---
the <a href="http://www.openbsd.org/">OpenBSD</a> project and 
the Linux Security Audit
<A HREF="http://www.att.net">http://www.att.net/~Bandit2006/</A> 
to name the two with which I'm familiar).
</blockquote>
<!-- end body -->
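
<p>Added example, not part of the original column or of wu-ftpd: a shell check for the <TT>/./</TT> placement discussed above. It splits each guest account's home field at the marker to show the chroot root and starting directory, and checks that <TT>bin/ls</TT> exists under that root, since the <TT>'/bin/ls'</TT> in the server's 150 reply is resolved after the chroot. The function names, GID 200 and the sample passwd entries are constructed for illustration; selecting guests by primary GID is an assumption.</p>

```shell
#!/bin/sh
# Added example (not from the original column): audit wu-ftpd guest homes.

# Split a passwd home field at the first "/./". Sets ROOT (the directory the
# server chroots to) and CWD (initial directory inside it); returns 1 when
# the marker is absent, as in the misplaced "/home/ftp/user-foo./".
split_guest_home() {
    case "$1" in
        */./*) ROOT=${1%%/./*}; CWD=/${1#*/./}; ROOT=${ROOT:-/} ;;
        *)     return 1 ;;
    esac
}

# Report each account in passwd file $1 whose primary GID is $2 (assumption:
# guests are picked by primary GID). After chroot, the '/bin/ls' named in
# the server's 150 reply resolves to ROOT/bin/ls, so check it exists there.
audit_guest_homes() {
    while IFS=: read -r user _pw _uid gid _gecos home _shell; do
        [ "$gid" = "$2" ] || continue
        if split_guest_home "$home"; then
            if [ -x "$ROOT/bin/ls" ]; then ls_state=present
            else ls_state=missing; fi
            printf '%s: chroot=%s cwd=%s ls=%s\n' \
                "$user" "$ROOT" "$CWD" "$ls_state"
        else
            printf '%s: NO-MARKER home=%s\n' "$user" "$home"
        fi
    done < "$1"
}

# Constructed sample data: GID 200 stands in for the "guest" group.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/ftp/bin" "$tmp/ftp/user-foo"
    : > "$tmp/ftp/bin/ls"; chmod 755 "$tmp/ftp/bin/ls"   # placeholder binary
    cat > "$tmp/passwd" <<EOF
user-foo:x:1001:200:guest:$tmp/ftp/./user-foo:/etc/ftponly
user-bar:x:1002:200:guest:$tmp/ftp/user-bar./:/etc/ftponly
staff:x:1003:100:shell user:/home/staff:/bin/sh
EOF
    audit_guest_homes "$tmp/passwd" 200 | sed "s|$tmp||g"
    rm -rf "$tmp"
}

demo
```
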

<!--startcut =======================================================  -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/ssc.copying.html"
	>Copyright &copy;</a> 1998, James T. Dennis <BR>
Published in <I>Linux Gazette</I> Issue 32 September 1998</H5>
<P> <hr> <P>

</body>
</html>
<!--endcut ========================================================= -->