328 lines
10 KiB
HTML
328 lines
10 KiB
HTML
|
<!--startcut ======================================================= -->
|
|||
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|||
|
<html><head>
|
|||
|
<META NAME="generator" CONTENT="lgazmail v1.1pre9c">
|
|||
|
<TITLE>The Answer Guy 32:
|
|||
|
WU-FTP guestgroup problems
|
|||
|
</TITLE>
|
|||
|
<!-- ORIGINAL SUBJECT:
|
|||
|
wu-ftpd guest account on a Linux Box
|
|||
|
JTD SUBTITLE:
|
|||
|
|
|||
|
-->
|
|||
|
</head>
|
|||
|
|
|||
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
|
|||
|
ALINK="#FF0000">
|
|||
|
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|||
|
</H4>
|
|||
|
<P> <hr> <P>
|
|||
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|||
|
<H1 align="center"><A NAME="answer">
|
|||
|
<img src="../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
|
|||
|
<a href="./index.html">The Answer Guy</a>
|
|||
|
<img src="../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
|
|||
|
</A></H1>
|
|||
|
<BR>
|
|||
|
<H4 align="center">By James T. Dennis,
|
|||
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a>
|
|||
|
<BR>Starshine Technical Services, <A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
|
|||
|
</H4>
|
|||
|
<p><hr><p>
|
|||
|
<!--endcut ========================================================= -->
|
|||
|
<H3><img src="../gx/dennis/qbub.gif" alt="(?)"width="50" height="28"
|
|||
|
align="left" border="0">WU-FTP guestgroup problems</H3>
|
|||
|
|
|||
|
<p><strong>From Marco Iannacone on the
|
|||
|
<a href="news:comp.unix.questions">comp.unix.questions</a> newsgroup
|
|||
|
on 9 Jun 1997 </strong></p>
|
|||
|
|
|||
|
<!-- begin body -->
|
|||
|
|
|||
|
<blockquote>It looks like I never answered this question.
|
|||
|
(I'm going through my old archives).
|
|||
|
</blockquote>
|
|||
|
|
|||
|
<strong><p>Hi James,
|
|||
|
how you doing?
|
|||
|
</p></strong>
|
|||
|
|
|||
|
<strong><p>I'm writing to you as <EM>The Answer Guy</EM> 'cause I have
|
|||
|
some problem with setting up the guest trick with wu-ftpd.
|
|||
|
What I mean is to have a chrooted enviroment for some special user
|
|||
|
with their home directory and user-id and password.
|
|||
|
</p></strong>
|
|||
|
|
|||
|
<strong><p>I'm using <A HREF="http://www.slackware.org/">Slackware</A>
|
|||
|
'96 Linux with the wu-archive-ftp that comes already compiled with it.
|
|||
|
</p></strong>
|
|||
|
|
|||
|
<strong><p>This is what I did:
|
|||
|
</p></strong>
|
|||
|
|
|||
|
<strong>
|
|||
|
<ul>
|
|||
|
<LI>I compiled gnu ls statically and put it in ~ftp/user-foo/bin
|
|||
|
directory.
|
|||
|
<LI>I did the <TT>/etc</TT> hack:
|
|||
|
<ul>
|
|||
|
<li>added the guest group in<TT>/etc/group</TT>
|
|||
|
<li>modify the<TT>/etc/passwd</TT> file for the user I want to be
|
|||
|
chrooted giving him <TT>/home/ftp/user-foo./</TT> directory
|
|||
|
</ul>
|
|||
|
</UL>
|
|||
|
</strong>
|
|||
|
|
|||
|
<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28"
|
|||
|
border="0" lign="bottom">I think this is supposed to be</blockquote>
|
|||
|
|
|||
|
|
|||
|
<code><blockquote><blockquote>/home/ftp/./user-foo
|
|||
|
</blockquote></blockquote></code>
|
|||
|
|
|||
|
<blockquote>... if you want the guestgroup directive in
|
|||
|
wu-ftpd's ftpaccess file to chroot to <TT>/home/ftp</TT> and
|
|||
|
initially place this user in the<TT>/home/ftp/user-foo</TT>
|
|||
|
directory.
|
|||
|
</blockquote>
|
|||
|
|
|||
|
|
|||
|
<STRONG><P><IMG SRC="../gx/dennis/qbub.gif" ALT="(?)" width="50" height="28" border="0" lign="bottom"
|
|||
|
>I don't recall whether the "ftponly" (or whatever you
|
|||
|
call your "guestgroup" group) has to be that user's
|
|||
|
<EM>primary</EM> group (the one listed in <TT>/etc/passwd</TT>) or whether
|
|||
|
it can be one of the supplemental groups (as listed in <TT>/etc/group</TT>)
|
|||
|
</p></strong>
|
|||
|
|
|||
|
<strong><UL>
|
|||
|
<ul>
|
|||
|
<LI>added <TT>/etc/ftponly</TT> to <TT>/etc/shells</TT>
|
|||
|
<LI>I modify the <TT>/etc/ftpaccess</TT> file adding
|
|||
|
<code>...
|
|||
|
<BR>path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
|
|||
|
<BR>....
|
|||
|
<BR>guestgroup guest
|
|||
|
</code>
|
|||
|
</ul>
|
|||
|
|
|||
|
|
|||
|
<LI>I created the user home directory which has the following
|
|||
|
attribute:
|
|||
|
|
|||
|
<pre>[root]:/home/ftp>ls -la
|
|||
|
total 104
|
|||
|
dr-xr-xr-x 9 root root 512 Jun 2 14:01 .
|
|||
|
drwxrwxr-x 6 user-foo guest 512 Jun 3 13:54 user-foo
|
|||
|
dr-xr-xr-x 2 root root 512 Jun 3 09:45 bin
|
|||
|
</pre>
|
|||
|
</UL>
|
|||
|
</strong>
|
|||
|
|
|||
|
<strong><p>Now the ftp server is running fine (both with normal and anonymous
|
|||
|
users) and even the chrooted enviroment for guest is working fine:
|
|||
|
the user can login, upload and download files and it is locked in
|
|||
|
that directory... i.e. can go in all the subdirectory but can't go
|
|||
|
up. So it is perfect!
|
|||
|
</p></strong>
|
|||
|
|
|||
|
<strong><p>The only problem is that <TT>ls</TT> and <TT>dir</TT> are not
|
|||
|
working and he can only list files using <TT>nlist</TT>.
|
|||
|
</p></strong>
|
|||
|
|
|||
|
<strong><p>For example:
|
|||
|
</p></strong>
|
|||
|
|
|||
|
<strong><pre>Name (localhost:root): user-foo
|
|||
|
331 Password required for user-foo.
|
|||
|
Password:
|
|||
|
230 User amex logged in. Access restrictions apply.
|
|||
|
ftp> nlist
|
|||
|
200 PORT command successful.
|
|||
|
150 Opening ASCII mode data connection for file list.
|
|||
|
bin
|
|||
|
.profile
|
|||
|
etc
|
|||
|
.rhosts
|
|||
|
.forward
|
|||
|
.sh_history
|
|||
|
test-directory
|
|||
|
test-file.txt
|
|||
|
226 Transfer complete.
|
|||
|
ftp> dir
|
|||
|
200 PORT command successful.
|
|||
|
150 Opening ASCII mode data connection for '/bin/ls'.
|
|||
|
226 Transfer complete.
|
|||
|
ftp> ls
|
|||
|
200 PORT command successful.
|
|||
|
150 Opening ASCII mode data connection for '/bin/ls'.
|
|||
|
226 Transfer complete.
|
|||
|
ftp>quit
|
|||
|
</pre></strong>
|
|||
|
|
|||
|
<strong><p>What am I missing? how can I allow him to do ls and dir?
|
|||
|
Note: i'm sure that the new ls is working:
|
|||
|
</p></strong>
|
|||
|
|
|||
|
<strong><pre>[root@Goliath /home/ftp/user-foo//bin]#./ls
|
|||
|
compress cpio gzip ls sh tar
|
|||
|
[root@Goliath /home/ftp/user-foo/bin]#
|
|||
|
</pre></strong>
|
|||
|
|
|||
|
<strong><p>
|
|||
|
and that is statically linked:
|
|||
|
</p></strong>
|
|||
|
|
|||
|
|
|||
|
<strong><pre>[root@Goliath /home/ftp/user-foo/bin]#ldd ./ls
|
|||
|
|
|||
|
Statically linked (ELF)
|
|||
|
|
|||
|
[root@Goliath /home/ftp/user-foo/bin]#
|
|||
|
</pre></strong>
|
|||
|
|
|||
|
|
|||
|
<p><strong>Thanks a lot,
|
|||
|
Marco
|
|||
|
</strong></p>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28" border="0" lign="bottom"
|
|||
|
>Everything else sounds right to me.
|
|||
|
</blockquote>
|
|||
|
|
|||
|
|
|||
|
<BLOCKQUOTE>Naturally I hope you've long since solved this problem.
|
|||
|
I just hate to leave a question unanswered.
|
|||
|
</blockquote>
|
|||
|
|
|||
|
|
|||
|
<BLOCKQUOTE>Incidentally, you might look at <TT>ncftpd</TT> (a newer
|
|||
|
FTP daemon from Mike Gleason, author of the popular <TT>ncftp</TT> client).
|
|||
|
<TT>ncftpd</TT> allegedly offers better options for locking users into their
|
|||
|
home directories and it contains built-in support for '<TT>ls</TT>' and
|
|||
|
similar commands.</blockquote>
|
|||
|
|
|||
|
|
|||
|
<BLOCKQUOTE><TT>ncftpd</TT> is shareware, rather than freeware, and
|
|||
|
Mike wants $40 (US) for small servers (50 concurrent
|
|||
|
sessions or less) and about $200 for larger servers.
|
|||
|
</blockquote>
|
|||
|
|
|||
|
<blockquote>However you can evaluate the whole package for free.
|
|||
|
Start by taking a look at:
|
|||
|
</blockquote>
|
|||
|
|
|||
|
|
|||
|
<code><blockquote><blockquote><A HREF="http://www.probe.net/~mgleason/ncftpd/"
|
|||
|
>http://www.probe.net/~mgleason/ncftpd/</A>
|
|||
|
</blockquote></blockquote></code>
|
|||
|
|
|||
|
|
|||
|
<blockquote>... or at:
|
|||
|
</blockquote>
|
|||
|
|
|||
|
|
|||
|
<code><blockquote><blockquote
|
|||
|
><A HREF="http://www.ncftp.com/">http://www.ncftp.com/</A>
|
|||
|
</blockquote></blockquote></code>
|
|||
|
|
|||
|
|
|||
|
<blockquote>... and reading about the features list.
|
|||
|
</blockquote>
|
|||
|
|
|||
|
<blockquote>Naturally this hasn't been around as long as
|
|||
|
<TT>wu-ftpd</TT>, and the sources don't seem to be openly
|
|||
|
available. So <TT>ncftpd</TT> doesn't benefit from the
|
|||
|
informal process of code review that we take for
|
|||
|
granted for most Linux networking packages.
|
|||
|
</blockquote>
|
|||
|
|
|||
|
<blockquote>(This informal process of auditing does not seem
|
|||
|
to have been terribly effective, however, since we
|
|||
|
still find new security problems in code that's been
|
|||
|
free for decades. For this reason there are have a
|
|||
|
couple of more organized and formal efforts ---
|
|||
|
the <a href="http://www.openbsd.org/">OpenBSD</a> project and
|
|||
|
the Linux Security Audit
|
|||
|
<A HREF="http://www.att.net">http://www.att.net/~Bandit2006/</A>
|
|||
|
to name the two with which I'm familiar).
|
|||
|
</blockquote>
|
|||
|
<!-- end body -->
|
|||
|
|
|||
|
<!--startcut ======================================================= -->
|
|||
|
<P> <hr> <P>
|
|||
|
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
|||
|
>Copyright ©</a> 1998, James T. Dennis <BR>
|
|||
|
Published in <I>Linux Gazette</I> Issue 32 September 1998</H5>
|
|||
|
<P> <hr> <P>
|
|||
|
|
|||
|
<!--::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|||
|
<table width="98%"><tr valign="center" align="center">
|
|||
|
<td rowspan="3"><A HREF="./lg_answer32.html"><IMG
|
|||
|
SRC="../gx/dennis/answernew.gif"
|
|||
|
ALT="[ Answer Guy Index ]"></A></td>
|
|||
|
<td><A HREF="tag_phreak.html">phreak</A>
|
|||
|
<td><A HREF="tag_abandon.html">abandon</A>
|
|||
|
<td><A HREF="tag_javaterm.html">javaterm</A>
|
|||
|
<td><A HREF="tag_BBS.html">BBS</A>
|
|||
|
<td><A HREF="tag_flaws.html">flaws</A>
|
|||
|
<td><A HREF="tag_doslinux.html">doslinux</A>
|
|||
|
<td><A HREF="tag_resume.html">resume</A>
|
|||
|
|
|||
|
</tr><tr valign="center" align="center">
|
|||
|
<td><A HREF="tag_softwindows.html">softwindows</A>
|
|||
|
<td><A HREF="tag_convert.html">convert</A>
|
|||
|
<td><A HREF="tag_apache.html">apache</A>
|
|||
|
<td><A HREF="tag_emulate.html">emulate</A>
|
|||
|
<td><A HREF="tag_database.html">database</A>
|
|||
|
<td><A HREF="tag_distrib.html">distrib</A>
|
|||
|
<td><A HREF="tag_proxy.html">proxy</A>
|
|||
|
|
|||
|
</tr><tr valign="center" align="center">
|
|||
|
<td><A HREF="tag_disable.html">disable</A>
|
|||
|
<td><A HREF="tag_DVI.html">DVI</A>
|
|||
|
<td><A HREF="tag_superblock.html">superblock</A>
|
|||
|
<td><A HREF="tag_serial.html">serial</A>
|
|||
|
<td><A HREF="tag_permission.html">permission</A>
|
|||
|
<td><A HREF="tag_detach.html">detach</A>
|
|||
|
<td><A HREF="tag_cdr.html">cdr</A>
|
|||
|
|
|||
|
</tr><tr valign="center" align="center">
|
|||
|
<td><A HREF="tag_rs422.html">rs422</A>
|
|||
|
<td><A HREF="tag_modem.html">modem</A>
|
|||
|
<td><A HREF="tag_notfound.html">notfound</A>
|
|||
|
<td><A HREF="tag_tuning.html">tuning</A>
|
|||
|
<td><A HREF="tag_libc5.html">libc5</A>
|
|||
|
<td><A HREF="tag_startup.html">startup</A>
|
|||
|
<td><A HREF="tag_clock.html">clock</A>
|
|||
|
<td><A HREF="tag_ping.html">ping</A>
|
|||
|
|
|||
|
</tr><tr valign="center" align="center">
|
|||
|
<td><A HREF="tag_accounts.html">accounts</A>
|
|||
|
<td><A HREF="tag_lilo.html">lilo</A>
|
|||
|
<td><A HREF="tag_NDS.html">NDS</A>
|
|||
|
<td><A HREF="tag_95slow.html">95slow</A>
|
|||
|
<td><A HREF="tag_nonlinux.html">nonlinux</A>
|
|||
|
<td><A HREF="tag_progenv.html">progenv</A>
|
|||
|
<td><A HREF="tag_cluster.html">cluster</A>
|
|||
|
<td><A HREF="tag_ftpd.html">ftpd</A>
|
|||
|
|
|||
|
</tr></table>
|
|||
|
<P> <hr> <P>
|
|||
|
<!--::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|||
|
<A HREF="./index.html"><IMG SRC="../gx/indexnew.gif"
|
|||
|
ALT="[ Table Of Contents ]"></A>
|
|||
|
<A HREF="../index.html"><IMG SRC="../gx/homenew.gif"
|
|||
|
ALT="[ Front Page ]"></A>
|
|||
|
<A HREF="lg_bytes32.html"><IMG SRC="../gx/back2.gif"
|
|||
|
ALT="[ Previous Section ]"></A>
|
|||
|
<A HREF="./stemen.html"><IMG SRC="../gx/fwd.gif"
|
|||
|
ALT="[ Next Section ]"></A>
|
|||
|
<!--::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|||
|
</body>
|
|||
|
</html>
|
|||
|
<!--endcut ========================================================= -->
|
|||
|
|
|||
|
|