2011-03-03 13:56:41     Restrict FTPD to a specific directory

Document created by Aaronwu Employee on Aug 26, 2013

2011-03-03 13:56:41     Restrict FTPD to a specific directory

Adam Rosenberg (UNITED STATES)

Message: 98630   

 

I am using ftpd found in uclinux-dist/user/ftpd of SVN trunk.  Is there a way to configure this so that the user cannot change directories below /home ?  I would like to restrict the users so that they cannot access any other directory except for /home or its subdirectories.

 

Thank you,

Adam


 

 

2011-03-03 14:03:39     Re: Restrict FTPD to a specific directory

Mike Frysinger (UNITED STATES)

Message: 98632   

 

i don't think that version of ftpd supports chrooting.  you can try busybox's ftpd, or inetutils' ftpd.  or edit user/ftpd/ so that it does a chroot into the user's home dir during the auth process.

 

 

2011-03-03 15:07:36     Re: Restrict FTPD to a specific directory

Adam Rosenberg (UNITED STATES)

Message: 98633

Mike,

Thanks! I did a little poking into the user/ftpd code for chroot and found that I had to create a file called /user/sbin/chroot (defined in the Makefile as PATH_FTPCHROOT) and put the user names I wanted to restrict on each line. Works great!

 

Thanks,

Adam


 

 

2011-03-03 15:25:19     Re: Restrict FTPD to a specific directory

Adam Rosenberg (UNITED STATES)

Message: 98634

This is my first time using something that has been chrooted. It seems like ftpd is not calling /bin/ls when I send the dir command:

 

ftp> dir

200 PORT command sucessful.

150 Opening ASCII mode data connection for '/bin/ls'.

226 Transfer complete.

 

I figured this was because I chrooted to /home/admin so I made a directory in /home/admin called bin and then made a symlink to /bin/ls

This didn't work so I took it one step further and changed my configuration to create a standalone ls command (instead of busybox) and made a hardlink to it. This didn't work either.

 

Any ideas?

 

Thanks,

Adam


 

 

2011-03-03 15:31:41     Re: Restrict FTPD to a specific directory

Mike Frysinger (UNITED STATES)

Message: 98635   

 

you will need hardlinks ... symlinks won't work

 

linking to busybox's ls should be fine

 

are you building as FLAT (static) or FDPIC (dynamic) ?  if the former, you should only need /bin/ls.  if the latter, you will need all the shared libraries that busybox is using.  such as the ldso and libc.so.  hardlink them into /home/admin/lib/.


 

 

2011-03-03 15:57:07     Re: Restrict FTPD to a specific directory

Adam Rosenberg (UNITED STATES)

Message: 98636

I am using FDPIC and you hit the nail on the head. I copied the entire lib directory and it worked. I went back to using busybox for ls but ran into a small gotcha. You have to make the hardlink to busybox and not to the busybox ls, which turns out is actually a symlink to busybox. So here is the final setup:

 

mkdir /home/admin/bin

mkdir /home/admin/lib

ln /bin/busybox /home/admin/bin/ls

ln /lib/ld-uClibc.so.0 /home/admin/lib/ld-uClibc.so.0

ln /lib/libc.so.0 /home/admin/lib/libc.so.0

 

Figuring out which shared libraries were needed was not easy. I could not find anything similar to ldd in the uclinux apps. I'm glad it works though :-)

 

Thanks again,

Adam
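
The final setup from the thread, generalized into a small POSIX shell helper (an added example, not part of the original posts or of the uClinux distribution): it resolves a symlink such as the busybox `ls` applet before hard-linking, reports when the jail sits on a different filesystem, and removes write permission from the jail's bin/ and lib/ so the restricted user cannot replace what ftpd executes there. The function names are hypothetical, and `readlink -f` is assumed to be available (GNU coreutils and BusyBox both provide it).

```shell
#!/bin/sh
# Added example: populate an ftpd chroot jail with hard links.
# Usage with the thread's paths (run as root on the target):
#   jail_link /bin/ls             /home/admin bin/ls
#   jail_link /lib/ld-uClibc.so.0 /home/admin lib/ld-uClibc.so.0
#   jail_link /lib/libc.so.0      /home/admin lib/libc.so.0
#   jail_lock /home/admin

# jail_link SRC JAIL DEST
# Hard-link SRC into JAIL at DEST (a path relative to the jail root).
# SRC is resolved first: a symlink like /bin/ls -> busybox cannot be
# followed to the real binary once ftpd has chrooted into the jail.
jail_link() {
    src=$1 jail=$2 dest=$3
    real=$(readlink -f "$src") || return 1
    [ -f "$real" ] || { echo "not a regular file: $src" >&2; return 1; }
    mkdir -p "$jail/$(dirname "$dest")" || return 1
    # Hard links cannot cross filesystems; fail loudly instead of copying.
    if ! ln -f "$real" "$jail/$dest" 2>/dev/null; then
        echo "cannot hard-link $real into $jail (other filesystem?)" >&2
        return 1
    fi
}

# jail_lock JAIL
# Drop write permission on bin/ and lib/ inside the jail.
jail_lock() {
    for d in bin lib; do
        if [ -d "$1/$d" ]; then
            chmod a-w "$1/$d" || return 1
        fi
    done
    return 0
}

# inode_of FILE: print the inode number of FILE itself (symlinks are not
# followed), so a hard link can be told apart from a symlink or a copy.
inode_of() {
    ls -di "$1" | { read -r ino _; echo "$ino"; }
}
```

Comparing `inode_of /home/admin/bin/ls` with `inode_of /bin/busybox` confirms that the jail entry is a hard link to the real binary.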
