proftpd.chroot

I have looked at the sample scripts but I'm a newbie. Could someone tell me how to set up the following using my supplied proftpd.conf file? I want to set up a guest account with chroot and require a password. I don't want to run as anonymous. Also, what files do I need to include in the /download dir in order for this to work?

Example 1-2.

File: proftpd.conf

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName			"ProFTPD Default Installation"
ServerType			standalone
DefaultServer			on

# Port 21 is the standard FTP port.
Port				21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask				022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

# Set the user and group that the server normally runs at.
User				nobody
Group				nogroup

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite		on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User				ftp
  Group				ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias			anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients			10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin			welcome.msg
  DisplayFirstChdir		.message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>

</Anonymous>

I was setting up proftpd at another ISP's site, and they wanted to chroot folks in their home directory (DefaultRoot ~) -but- have them start in a "webspace" subdirectory. The idea is that the move from their existing webserver setup (where they were immediately placed in their webspace when uploading) would be transparent, but they would have the ability of storing things outside of their webspace. I looked through the configuration directives, tried setting the home directory in passwd to /home/example/./webspace, etc., all to no avail. Any ideas?

DefaultRoot ~
DefaultChdir ~/webspace

Any method used to break out of a chroot() jail relies on the ".." path to the root directory being unbroken. The prevention method is to break the path of ".." directories at some point. The method used is to create a small partition at bootup which has its ".." link to its parent broken so that it's effectively like "." using fsdb (FileSystem DeBugger). This partition has to be killed when the machine dies, as having a condition where ".." points to the current directory gives fsck kittens when it runs.

This prevention method was developed by Carole Fennelly and her partner. Have a look at the August 1999 Security column of SunWorld Online for the article - see http://www.sunworld.com/sunworldonline/swol-08-1999/swol-08-security-2.html

I want users in group company to have DefaultRoot ~ and the rest of the users to have a customized DefaultRoot. I've tried

<VirtualHost ftp.company.com>
  <Limit LOGIN>
    DenyAll
    AllowGroup company
  </Limit>
  DefaultRoot ~
  ...
</VirtualHost>

<VirtualHost ftp.client1.com>
  <Limit LOGIN>
    DenyAll
    AllowUser client1
  </Limit>
  DefaultRoot /var/www/client1
  ...
</VirtualHost>

<VirtualHost ftp.client2.com>
  <Limit LOGIN>
    DenyAll
    AllowUser client2
  </Limit>
  DefaultRoot /var/www/client2
  ...
</VirtualHost>

but I've had no success; any help appreciated.

I know that you can send (and jail) a user to a particular directory based on their GroupID by using the DefaultRoot directive, i.e. DefaultRoot ~ webusers. Can you have more than one DefaultRoot defined within the same domain, so users from group webusers will default (jail) to their own home directory, and another group, fpusers, will default to an empty directory (i.e. /home/blank)?

>>>>> "dwc" == Chan, Dominic <dwc@lubrizol.com> writes:

dwc> I know that you could send (and jail) user to a particular
dwc> directory base on their GroupID by using the DefaultRoot
dwc> Directive
dwc> Ie. DefaultRoot ~ webusers
dwc> Can you have more than one DefaultRoot define within the same
dwc> domain, so user from Group - webusers will default (jail) to
dwc> their own home directory, and another Group - fpusers will
dwc> default to an empty directory (ie /home/blank)

Try it and see :-)

I have set up my Proftpd so that all users DefaultRoot to their ~/public_html directory for FTP'ing their web pages over. My problem is that I have 1 user that I would like to have DefaultRoot to their home directory, not just their public_html directory. Is there a way to accomplish this, to say everyone should be treated like this, except for this one user?

create a new group, add that user to it, add a !<that group> to the defaultroot directive, add a new defaultroot directive for that group (child's play?).

devon

"James C. Montz" wrote:
>
> I have set up my Proftpd so that all users DefaultRoot to their
> ~/public_html directory for FTP'ing their web pages over.
>
> My problem is that I have 1 user that I would like to have DefaultRoot to
> their home directory, no just their public_html directory.
> Is there a way to accomplish this, to say everyone should be treated like
> this, except for this one user?
>
> Thanks!

Hi, I am trying to get a group of users with the same gid and separate Unix accounts to have the same chroot'd directory. I have tried several methods and even got it to work with an <anon> block with a Group and several UserAlias directives, but they all then use the primary User password and I want separate passwords. Ideally what I need is:

<Group unixgrp>
  DefaultRoot /usr/local/home/ftp/unixgrp
</Group>

whereas this chroot would only apply to members of this group. Any suggestions on accomplishing this? Thanks.

Kyle Tucker wrote:
> Hi,
> I am trying to get a group of users with
> the same gid and separate Unix accounts to have the
> same chroot'd directory. I have tried several methods
> and even get it to work with an <anon> block with a
> Group and several UserAlias directives but they all
> then use the primary User password and I want separate
> passwords. Ideally what I need is:
>
> <Group unixgrp>
> DefaultRoot /usr/local/home/ftp/unixgrp
> </Group>

Much simpler:

DefaultRoot /usr/local/home/ftp/unixgrp unixgrp

see also: http://www.proftpd.net/docs/configuration.html#DefaultRoot

> whereas this chroot would only apply to members of this
> group.
>
> Any suggestions on accomplishing this? Thanks.

Way back when, Andreas Burkhardt wrote:
>
> Much simpler:
>
> DefaultRoot /usr/local/home/ftp/unixgrp unixgrp
>
> see also:
>
> http://www.proftpd.net/docs/configuration.html#DefaultRoot

Yes, but this appears to work globally and I will need several different groups to work in this manner.

DefaultRoot can be used in <VirtualHost> context as well, which will not be global in scope.
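The group-based DefaultRoot selection discussed above (one directive per group, a shared chroot for one group, and a `!group` exclusion for the single user who should keep the whole home directory), modelled in Python as an added example that is not ProFTPD's own code. It assumes the rules from the DefaultRoot documentation: directives are tried in file order and the first one whose group expression matches the user wins; the expression is a comma-separated list in which every group must match and a leading `!` means "not a member"; a directive without an expression matches everyone. The configuration fragment and the group membership table are constructed for the example, and `~` is left unexpanded here.

```python
"""Model of how several DefaultRoot directives are selected for one user.

Added example, not ProFTPD's code.  Assumed rules (from the DefaultRoot
documentation): directives are evaluated in file order, the first one whose
group expression matches the user is used, a group expression is a
comma-separated list where every group must match, and a leading '!'
means the user must NOT be in that group.  A bare DefaultRoot matches all.
"""

# Constructed proftpd.conf fragment covering the cases raised in the thread.
SAMPLE_CONF = """
# members of 'company' are jailed in their own home directory
DefaultRoot ~ company
# one shared chroot for everybody in 'unixgrp'
DefaultRoot /usr/local/home/ftp/unixgrp unixgrp
# 'fpusers' land in an empty directory
DefaultRoot /home/blank fpusers
# everyone else is jailed in public_html, except the 'homeroot' group
DefaultRoot ~/public_html !homeroot
DefaultRoot ~ homeroot
"""

# Constructed group membership table: user -> groups (primary + supplementary).
GROUPS = {
    "alice": {"company"},
    "bob": {"unixgrp"},
    "carol": {"fpusers"},
    "dave": {"webusers"},
    "erin": {"webusers", "homeroot"},
}


def parse_default_roots(conf_text):
    """Return [(path, [terms])] in file order, skipping comments and blanks."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "defaultroot" or len(parts) < 2:
            continue
        terms = parts[2].split(",") if len(parts) > 2 else []
        rules.append((parts[1], terms))
    return rules


def expression_matches(terms, user_groups):
    """AND over all terms; '!grp' requires that the user is NOT in grp."""
    for term in terms:
        if term.startswith("!"):
            if term[1:] in user_groups:
                return False
        elif term not in user_groups:
            return False
    return True


def default_root_for(user, rules, groups=GROUPS):
    """Path of the first matching DefaultRoot, or None if no directive
    applies (the user would then not be chrooted at all)."""
    user_groups = groups.get(user, set())
    for path, terms in rules:
        if expression_matches(terms, user_groups):
            return path
    return None


if __name__ == "__main__":
    rules = parse_default_roots(SAMPLE_CONF)
    for name in sorted(GROUPS) + ["frank"]:   # frank: no group entry at all
        print(f"{name:6s} -> {default_root_for(name, rules)}")
```

The order of the directives is the whole point: `DefaultRoot ~/public_html !homeroot` has to come before `DefaultRoot ~ homeroot` only because the first matching rule ends the search, so a user who is a member of no listed group (frank) still gets jailed in public_html, while nobody falls through to "no chroot".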

I've a problem with proftpd I couldn't solve myself - hope you'll help me on this one. Proftpd is running fine, logging in is no problem. But my users are able to change from 'their' directory down to lower ones (even down to /). Well - I don't like that at all. I tried to 'fix' that by adding DefaultRoot ~ in proftpd.conf but the problem still exists. What might I do to change the situation? There is one more question: does anybody know why proftpd is not in the list when I do ps -aux? I know that it is running.

On Wed, 29 Dec 1999, Thomas Winkler wrote:
> I've a problem with proftpd I couldn't solve myself - hope you'll help me
> on this one. Proftpd is running fine, logging in is no problem. But my users
> are able to change from 'their' directory down to lower ones (even down to
> /). Well - I don't like that at all. I tried to 'fix' that by adding
> DefaultRoot ~

DefaultRoot should do the trick. Can you confirm the version, OS, and any special configs (such as LDAP, SQL, NFS etc.)? Also, where are you editing the configuration? /etc/ or /usr/local/etc/?

<side note> This appears to be a common problem; most users are expecting proftpd.conf to be in /etc/ not /usr/local/etc/. I'll add something into the FAQ in a moment (updating atm) about it. </side note>

It might be worth symlinking the two files together. Check to see which file you're editing; it's possible that you're editing the wrong one.

> There is one more question: Does anybody know why proftpd is not in the
> list when I do ps -aux? I know that it is running.

Best guess, you're running in inetd mode which means that proftpd will only appear in the process list while there are active connections.

pre10 running on FreeBSD 3.4-Stable. I have been experimenting with the <Directory> and DefaultRoot controls and I have a question.

I was setting up a directory structure to allow one parent account with several children accounts. Those children accounts would have an upload/download directory.

I won't bore you all with the whole config. But just the part for the base and the upload directory.

<Directory /home/parent/*>
  <Limit ALL>
    AllowUser parent
    DenyAll
  </Limit>
  <Limit RETR>
    AllowAll
  </Limit>
  <Limit CWD XCWD CDUP DIRS>
    AllowAll
  </Limit>
</Directory>

<Directory /home/parent/upload/*>
  <Limit STOR>
    AllowAll
  </Limit>
  <Limit RETR>
    AllowUser parent
    DenyAll
  </Limit>
  <Limit ALL>
    AllowUser parent
    DenyAll
  </Limit>
  <Limit CWD XCWD CDUP DIRS>
    AllowAll
  </Limit>
</Directory>

Now in an attempt (thinking dynamically) I tried /home/parent/*/upload/* and it seemed to work with two separate children. Was I just seeing things or does this really work?

With that I thought, why not try to make the DefaultRoot dynamic too? I had individual lines for each one. I am using a separate password file. It failed...

Snipped from the log:

USER parent: Login successful.
parent chroot("~/"): No such file or directory

I'm guessing the separate file is the catch. I'd really like to keep the separate password file and have a dynamic default root. Is that possible to do?

Yes, ideally he should be using the system passwd file. If they're fake users, he can not allow them to login etc. BUT, what if the point is security? Say for example, you're using FTP and SSH on your system (no telnet). Do you want someone to sniff your FTP password and be able to gain access to your shell? Why even bother with ssh?

A better one for you: when will proftpd support Require valid-user and AuthUserFile in .ftpaccess files? And within Anonymous hosts? Are there any particular reasons it does not? PS> What about the ability to toggle/rename the .ftpaccess file (same as Apache)? I chopped two together for this one...

>
> Not chroot, but proftpd.
> proftpd could getpwent if the root is ~/something.
> This would then require that User be set...
>
> On Wed, Mar 29, 2000 at 12:24:15PM -0500, jason@iac.net wrote:
> > > With that I thought why not try to make the DefaultRoot dynamic too, I had
> > > individual lines for
> > > each one. I am using a separate password file. It failed...
> > >
> > > Snipped from the log
> > > USER parent: Login successful.
> > > parent chroot("~/"): No such file or directory
>
> I'd like you to explain to me how chroot(2) would know how
> to expand tilde. ;-)
>

First thing I am using a separate password file so technically the user doesn't have an account on the machine.

It looks like for DefaultRoot ~ to work properly the account needs to have an entry in the main password file. Then it logs the person into their home directory. Otherwise a line has to be in the config like...

DefaultRoot /home/parent parent
DefaultRoot /home/parent/child child

to DefaultRoot the person to the proper directory if they are in a separate password file. It would be nice if proftpd could take the directory from the separate password file and DefaultRoot them to that directory.

So to answer, perhaps..... If a separate password file is defined in the configuration and "DefaultRoot ~" is set, it should base the chroot off the user's directory in that separate password file. Right now it doesn't look like it uses it for that, unless I have just done something wrong, which is why I asked. My thought is, why fuss with the actual config and not use what's set in the password file? That would allow for a dynamic config that chroots with separate password files, right?

Jason Portwood - jason@iac.net
Systems Administrator - Strategic/Internet Access Cincinnati
Sales and Tech Support - 513-860-9052

Not chroot, but proftpd. proftpd could getpwent if the root is ~/something. This would then require that User be set...
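The chroot("~/") failure in this thread, modelled in Python as an added example that is not ProFTPD's code: `~` in a DefaultRoot path has to be replaced by the user's home directory before chroot(2) is called, and when the user exists only in a separate passwd-format password file, a lookup that consults the system password database alone finds nothing to substitute. The password-file content and the user names are constructed for the example; the `use_file` switch that chooses whether the separate file is consulted first is the example's own parameter, not a ProFTPD option.

```python
"""Expanding the '~' in 'DefaultRoot ~' (or '~/subdir') for a logged-in user.

Added example, not ProFTPD's code.  It reproduces the symptom from the thread:
a user that exists only in a separate, passwd-format password file has no
entry in the system database, so resolving '~' through getpwnam() alone finds
no home directory and the chroot target cannot be built.
"""

import os
import pwd

# Constructed AuthUserFile-style content (same field layout as /etc/passwd):
# name:password:uid:gid:gecos:home:shell
SAMPLE_AUTHUSERFILE = """\
# ftp-only accounts, deliberately absent from /etc/passwd
ftpparent:x:2001:2001:Parent account:/home/parent:/sbin/nologin
ftpchild:x:2002:2001:Child account:/home/parent/child:/sbin/nologin
"""


def parse_passwd_file(text):
    """Map username -> home directory from passwd-format text."""
    homes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 6:
            homes[fields[0]] = fields[5]
    return homes


def system_home(user):
    """Home directory from the system password database, or None."""
    try:
        return pwd.getpwnam(user).pw_dir
    except KeyError:
        return None


def expand_root(path, user, file_homes=None, use_file=True):
    """Expand a DefaultRoot path for `user`.

    Only '~' and '~/...' need expansion; any other path is returned as is.
    With use_file=True the separate password file is consulted first and the
    system database is the fallback (the behaviour the poster asked for).
    With use_file=False only the system database is used, which is what
    produced 'chroot("~/"): No such file or directory' for a file-only user.
    Returns None when no home directory can be found.
    """
    if path != "~" and not path.startswith("~/"):
        return path
    home = file_homes.get(user) if (use_file and file_homes) else None
    if home is None:
        home = system_home(user)
    if home is None:
        return None            # nothing to substitute for '~'
    return os.path.normpath(home + path[1:])


def chroot_target_exists(expanded):
    """A resolved chroot target must be an existing directory on disk."""
    return expanded is not None and os.path.isdir(expanded)


if __name__ == "__main__":
    homes = parse_passwd_file(SAMPLE_AUTHUSERFILE)
    for user in ("ftpparent", "ftpchild"):
        print(user, "file first :", expand_root("~/upload", user, homes))
        print(user, "system only:", expand_root("~/upload", user, homes, use_file=False))
```

Running it prints a resolved path for each user when the separate file is consulted first and `None` when only the system database is used, which is the state the log line in the thread corresponds to; `chroot_target_exists` is the extra check worth doing before a chroot is attempted, since a DefaultRoot that expands to a directory that does not exist fails the login in exactly the same way.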

DefaultChdir -- where users are dropped after login

UserDirRoot -- this is sort of strange; here's from the old Changes-1.2.0pre3:

When set to true, the chroot base directory becomes a subdirectory of the anonymous ftp directory, based on the username of the current user. For example, assuming user "foo" is aliased to "ftp", logging in as "foo" causes proftpd to run as real user ftp, but to chroot into ~ftp/foo instead of just ~ftp.

This works as advertised; if I set my anon block like so:

<Anonymous ~ftp>
  User ftp
  UserAlias source ftp
  UserDirRoot on
  ...

and have a 'source' directory off ~ftp, logging in as 'source' acts like regular anon ftp and chroots me to ~ftp/source. I'm just not sure what the purpose of this is -- is it a convenience thing? Why the chroot? Anyone have any ideas?

also: DisplayReadme was missing a </strong>, so the rest of the doc was bolded...