<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html><head>
<META NAME="generator" CONTENT="lgazmail v1.1pre9c">
<TITLE>The Answer Guy 32:
WU-FTP guestgroup problems
</TITLE>
<!-- ORIGINAL SUBJECT:
wu-ftpd guest account on a Linux Box
JTD SUBTITLE:

-->
</head>

<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
ALINK="#FF0000">
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H1 align="center"><A NAME="answer">
<img src="../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
<a href="./index.html">The Answer Guy</a>
<img src="../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
</A></H1>
<BR>
<H4 align="center">By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a>
<BR>Starshine Technical Services, <A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H4>
<p><hr><p>
<!--endcut ========================================================= -->
<H3><img src="../gx/dennis/qbub.gif" alt="(?)" width="50" height="28"
align="left" border="0">WU-FTP guestgroup problems</H3>

<p><strong>From Marco Iannacone on the
<a href="news:comp.unix.questions">comp.unix.questions</a> newsgroup
on 9 Jun 1997 </strong></p>

<!-- begin body -->

<blockquote>It looks like I never answered this question.
(I'm going through my old archives).
</blockquote>

<strong><p>Hi James,
how are you doing?
</p></strong>

<strong><p>I'm writing to you as <EM>The Answer Guy</EM> 'cause I have
some problems with setting up the guest trick with wu-ftpd.
What I mean is to have a chrooted environment for some special users
with their home directory and user-id and password.
</p></strong>

<strong><p>I'm using <A HREF="http://www.slackware.org/">Slackware</A>
'96 Linux with the wu-archive-ftp that comes already compiled with it.
</p></strong>

<strong><p>This is what I did:
</p></strong>

<strong>
<ul>
<LI>I compiled GNU ls statically and put it in the ~ftp/user-foo/bin
directory.
<LI>I did the <TT>/etc</TT> hack:
<ul>
<li>added the guest group in <TT>/etc/group</TT>
<li>modified the <TT>/etc/passwd</TT> file for the user I want to be
chrooted, giving him the <TT>/home/ftp/user-foo./</TT> directory
</ul>
</UL>
</strong>

<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28"
border="0" align="bottom">I think this is supposed to be</blockquote>

<code><blockquote><blockquote>/home/ftp/./user-foo
</blockquote></blockquote></code>

<blockquote>... if you want the guestgroup directive in
wu-ftpd's ftpaccess file to chroot to <TT>/home/ftp</TT> and
initially place this user in the <TT>/home/ftp/user-foo</TT>
directory.
</blockquote>

<STRONG><P><IMG SRC="../gx/dennis/qbub.gif" ALT="(?)" width="50" height="28" border="0" align="bottom"
>I don't recall whether the "ftponly" (or whatever you
call your "guestgroup" group) has to be that user's
<EM>primary</EM> group (the one listed in <TT>/etc/passwd</TT>) or whether
it can be one of the supplemental groups (as listed in <TT>/etc/group</TT>).
</p></strong>

<strong><UL>
<ul>
<LI>added <TT>/etc/ftponly</TT> to <TT>/etc/shells</TT>
<LI>I modified the <TT>/etc/ftpaccess</TT> file, adding
<code>...
<BR>path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
<BR>....
<BR>guestgroup guest
</code>
</ul>

<LI>I created the user home directory, which has the following
attributes:

<pre>[root]:/home/ftp>ls -la
total 104
dr-xr-xr-x 9 root root 512 Jun 2 14:01 .
drwxrwxr-x 6 user-foo guest 512 Jun 3 13:54 user-foo
dr-xr-xr-x 2 root root 512 Jun 3 09:45 bin
</pre>
</UL>
</strong>

<strong><p>Now the ftp server is running fine (both with normal and anonymous
users) and even the chrooted environment for the guest is working fine:
the user can log in, upload and download files, and is locked in
that directory... i.e. he can go into all the subdirectories but can't go
up. So it is perfect!
</p></strong>

<strong><p>The only problem is that <TT>ls</TT> and <TT>dir</TT> are not
working and he can only list files using <TT>nlist</TT>.
</p></strong>

<strong><p>For example:
</p></strong>

<strong><pre>Name (localhost:root): user-foo
331 Password required for user-foo.
Password:
230 User amex logged in. Access restrictions apply.
ftp> nlist
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
bin
.profile
etc
.rhosts
.forward
.sh_history
test-directory
test-file.txt
226 Transfer complete.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp>quit
</pre></strong>

<strong><p>What am I missing? How can I allow him to do ls and dir?
Note: I'm sure that the new ls is working:
</p></strong>

<strong><pre>[root@Goliath /home/ftp/user-foo//bin]#./ls
compress cpio gzip ls sh tar
[root@Goliath /home/ftp/user-foo/bin]#
</pre></strong>

<strong><p>
and that it is statically linked:
</p></strong>

<strong><pre>[root@Goliath /home/ftp/user-foo/bin]#ldd ./ls

Statically linked (ELF)

[root@Goliath /home/ftp/user-foo/bin]#
</pre></strong>

<p><strong>Thanks a lot,
Marco
</strong></p>

<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28" border="0" align="bottom"
>Everything else sounds right to me.
</blockquote>

<BLOCKQUOTE>Naturally I hope you've long since solved this problem.
I just hate to leave a question unanswered.
</blockquote>

<BLOCKQUOTE>Incidentally, you might look at <TT>ncftpd</TT> (a newer
FTP daemon from Mike Gleason, author of the popular <TT>ncftp</TT> client).
<TT>ncftpd</TT> allegedly offers better options for locking users into their
home directories, and it contains built-in support for '<TT>ls</TT>' and
similar commands.</blockquote>

<BLOCKQUOTE><TT>ncftpd</TT> is shareware, rather than freeware, and
Mike wants $40 (US) for small servers (50 concurrent
sessions or less) and about $200 for larger servers.
</blockquote>

<blockquote>However, you can evaluate the whole package for free.
Start by taking a look at:
</blockquote>

<code><blockquote><blockquote><A HREF="http://www.probe.net/~mgleason/ncftpd/"
>http://www.probe.net/~mgleason/ncftpd/</A>
</blockquote></blockquote></code>

<blockquote>... or at:
</blockquote>

<code><blockquote><blockquote
><A HREF="http://www.ncftp.com/">http://www.ncftp.com/</A>
</blockquote></blockquote></code>

<blockquote>... and reading the features list.
</blockquote>

<blockquote>Naturally this hasn't been around as long as
<TT>wu-ftpd</TT>, and the sources don't seem to be openly
available. So <TT>ncftpd</TT> doesn't benefit from the
informal process of code review that we take for
granted for most Linux networking packages.
</blockquote>

<blockquote>(This informal process of auditing does not seem
to have been terribly effective, however, since we
still find new security problems in code that's been
free for decades. For this reason there have been a
couple of more organized and formal efforts ---
the <a href="http://www.openbsd.org/">OpenBSD</a> project and
the Linux Security Audit
<A HREF="http://www.att.net/~Bandit2006/">http://www.att.net/~Bandit2006/</A>
to name the two with which I'm familiar).
</blockquote>
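<p>Added example, not from the original thread and not wu-ftpd's own code: a small Python checker that applies the conventions discussed above to a constructed set of <TT>passwd</TT>, <TT>group</TT>, <TT>shells</TT> and <TT>ftpaccess</TT> entries. It splits each guest home directory at <TT>/./</TT> the way the guestgroup directive does (the part before is the chroot root, the part after the initial directory; a home with no <TT>/./</TT> becomes the chroot root in full, which is why the <TT>/home/ftp/user-foo./</TT> spelling yields a different root than <TT>/home/ftp/./user-foo</TT>), reports whether the account's guest-group membership is primary or supplemental (which kind a given wu-ftpd build honours is not decided here), computes where on the host the static <TT>/bin/ls</TT> must live for that chroot, and evaluates the <TT>path-filter</TT> line against sample upload names. All sample data and all function names are constructed for this example.</p>

```python
import posixpath
import re

# Constructed sample files modelled on the thread; not the real files.
PASSWD_SAMPLE = """\
user-foo:x:1001:1001:home spelled as the Answer Guy suggests:/home/ftp/./user-foo:/etc/ftponly
user-bar:x:1002:1002:home spelled as originally typed:/home/ftp/user-bar./:/etc/ftponly
"""
GROUP_SAMPLE = """\
guest:x:1001:user-bar
"""
SHELLS_SAMPLE = """\
/bin/sh
/etc/ftponly
"""
FTPACCESS_SAMPLE = r"""
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
guestgroup guest
"""


def split_guest_home(home):
    """guestgroup convention: text before '/./' is the chroot root and text
    after it the initial directory; with no '/./' the whole (normalised)
    home directory is the chroot root and the session starts at '/'."""
    if "/./" in home:
        root, start = home.split("/./", 1)
        return posixpath.normpath(root), "/" + start
    return posixpath.normpath(home), "/"


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def parse_shells(text):
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def parse_ftpaccess(text):
    """Collect guestgroup names and path-filter rules from an ftpaccess file.
    path-filter <typelist> <mesg> <allowed regexp> [<disallowed regexp> ...]"""
    guestgroups, filters = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "guestgroup":
            guestgroups.extend(parts[1:])
        elif parts[0] == "path-filter":
            filters.append({"types": parts[1].split(","), "mesg": parts[2],
                            "allowed": parts[3], "disallowed": parts[4:]})
    return guestgroups, filters


def guest_membership(user, users, groups, guestgroups):
    """'primary' if a guest group is the user's passwd GID, 'supplemental' if the
    user is only listed in the group file, None if neither."""
    u = users[user]
    for gname in guestgroups:
        g = groups.get(gname)
        if g is None:
            continue
        if g["gid"] == u["gid"]:
            return "primary"
        if user in g["members"]:
            return "supplemental"
    return None


def path_filter_allows(flt, filename):
    """A name passes only if it matches the allowed regexp and none of the
    disallowed ones (the sample rule rejects leading '.' and leading '-')."""
    if not re.search(flt["allowed"], filename):
        return False
    return not any(re.search(d, filename) for d in flt["disallowed"])


def chroot_audit(user, users, groups, guestgroups, shells):
    """Summarise what the guestgroup setup does with one account."""
    entry = users[user]
    root, start = split_guest_home(entry["home"])
    return {
        "membership": guest_membership(user, users, groups, guestgroups),
        "chroot_root": root,
        "start_dir": start,
        # The transcript shows the daemon running '/bin/ls' for LIST, so the
        # static ls has to sit at <chroot_root>/bin/ls on the host filesystem.
        "ls_host_path": posixpath.join(root, "bin", "ls"),
        "shell_in_etc_shells": entry["shell"] in shells,
    }


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD_SAMPLE), parse_group(GROUP_SAMPLE)
    guestgroups, filters = parse_ftpaccess(FTPACCESS_SAMPLE)
    for name in users:
        print(name, chroot_audit(name, users, groups, guestgroups, parse_shells(SHELLS_SAMPLE)))
    for candidate in ["test-file.txt", ".rhosts", "-rf", "bad name"]:
        print(candidate, path_filter_allows(filters[0], candidate))
```

<p>Run directly, it prints one audit per account and the verdict for each sample upload name. The existence and executability of <TT>bin/ls</TT> under the computed chroot root are deliberately left as a path computation rather than a filesystem check so the script runs anywhere; on the server itself that path is the one to inspect.</p>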

<!-- end body -->

<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright ©</a> 1998, James T. Dennis <BR>
Published in <I>Linux Gazette</I> Issue 32 September 1998</H5>
<P> <hr> <P>
</body>
</html>
<!--endcut ========================================================= -->