restricting access...

restricted access...
Hi
I need to restrict users' shell access to only $HOME under /home for each user. I don't want them getting out of their own directories. From what I understand chroot is something I could use, but I want to avoid this since it involves creating symbolic links to a number of places and I'm not sure what would be involved to link MySQL and web server things since these users virtually host websites on this machine. I was thinking more of something in their profiles, .rbash? How do I use this on Linux, Red Hat?

Many thanks for any help.

Regards

p.s. apologies, I had posted this in a wholly inappropriate place previously :slight_smile:

It is difficult to do this without using chroot. You might want to investigate using rsh (restricted shell) as their login shell.

Alternately, you could write your own shell or hack one to remove/alter "cd". A resourceful user could always find ways around that though.

Thanks PxT, I am going to consider that for users who need a command prompt, I wonder if you could help me I've been working on this all night with no luck...

I want to chroot ftp users to their home dir, I have set up /etc and /bin in their directories, modified the /etc/passwd to:

user:x:500:500::/home/./user:/etc/ftponly

So they should chroot to /home and then chdir to their directory, and sit in that jail and not be allowed out of /home. I created passwd and group in ~etc.

The final bit of the plot was to add the guest ftp entry into /etc/ftpaccess. Which I did as:

guestgroup group

Where group is the group of the user.

However when I attempt to login as that user it says invalid username or password. If I take out this entry from ftpaccess I can login and am taken to /home/user, but I can escape from /home, which I would expect as it clearly hasn't been specified as a chrooted guest ftp account; it's only taking the directory to land me in from /etc/passwd.

Do you know what the problem could be? I've tried changing owners, permissions, messing around with ftpaccess, nothing seems to work.

Thanks for any help, from anyone.

Regards

hi
I have sorted out ftpaccess and chroot works - but I can't see any files or dirs when I ftp in as a chrooted guest ftp user. I have copied /bin/ls to ~bin/ls, still the same. I guess I need to move the libraries into place in ~lib? And then link them correctly - I can use ldd to isolate the libraries but I think there is more to it than this. Does anyone know how I would set up the libraries so that ls works? I'm using Red Hat.

Thanks anyone.

Regards

Can you post your login scripts that call the chroot command and the login command you are using in the /etc/passwd file?

Let's work this openly with all files/details so those who follow will benefit from the trail blazed in this thread. Thanks!

When dealing with ftp, there are no login scripts involved. The ftp daemon itself calls the chroot command. You need to set up the home directories carefully. Full instructions are in the man page for ftpd:
http://www.wu-ftpd.org/man/ftpd.html

And more details on the 'guestgroup' configuration are in:
http://www.wu-ftpd.org/man/ftpaccess.html

3 possibilities:
1)
chroot directory given in your /etc/passwd file for the guest account must be to the directory where your ~/bin directory is located. That is, if your chroot directory is /home/user/ and your /etc/passwd account is:

user:x:500:500:guest:/home/./user:/etc/ftponly

it will not work, as the ~/bin directory is not under the chrooted directory. It must be set as follows.

user:x:500:500:guest:/home/user/./:/etc/ftponly

2)
find "ls" source somewhere (for example, GNU fileutils source package from ftp://gnu.org ), and compile it statically under your chroot'ed environment.

3)
The other option is, as you mentioned find out what libraries ls wants, and make copies of them in ~lib under your chroot'ed environment.

As Neo said, please post your configuration stuff so that others may benefit from it!

HTH

[Edited by mib on 05-09-2001 at 03:38 PM]

Okay got it working at last, let me tell you what I have had to do, so, as you say we can all benefit...

Firstly I modified /etc/passwd and /etc/group to read:

user:x:500:500::/home/./user/:/etc/ftponly

root::0:root
user::500:user

You have to ensure that /etc/ftponly is in the list contained in the file /etc/shells. Then I created etc, bin and lib directories under /home - the location of these are vital, as I will show soon. In /home/etc I created a passwd file with the entry in /etc/passwd above as well as one for root thus:

root:x:0:0::/etc/ftponly

I also created a group file in /home/etc with the entries in /etc/group listed above. You only want these entries in these files, not the complete corresponding files as chrooted users will be able to see these.

Then I copied /bin/ls into /home/ls. Then I added two entries into /etc/ftpaccess:

class all guest *
guestgroup user

Class creates a class for the guest ftp; * means that connections from anywhere are allowed as this class. Guestgroup indicates that the ftp login for users in group user will be guest ftp logins, which is needed for chrooting the account. Simple so far.

This is the bit that got me - I managed to log into the jail, and stay stuck in there, but could not see anything. I figured it was ls not working properly, so this is where the /home/lib directory comes into play. In here you need to replicate the state of the libraries and links in /lib that are used by ls.

So I used ldd /bin/ls to check things out. You need the following in /home/lib:

ld-2.1.94.so
libc-2.1.94.so
libtermcap.so.2.0.8

Then create soft links to these from the following, in respective order:

ld-linux.so.2
libc.so.6
libtermcap.so.2

What I discovered, after pulling my hair out many times, is exactly what mib said: this directory and bin need to be in the directory you set to chroot to, NOT in the directory you set to subsequently chdir to. This is the mistake I made, so if in /etc/passwd the entry was:

user:x:500:500::/home/./user/:/etc/ftponly

~etc, ~bin and ~lib should be under /home not /home/user. Once this is all in place you have a fully functional chrooted guest ftp account.

One thing to bear in mind is this: this is obviously not a complete jail, as the chroot is done on /home so that is effectively /, which means the user can still get out into /home and possibly move into other people's directories. You can operate the chroot on /home/user but this would mean the ~etc, ~bin and ~lib directories in EACH user's chroot environment - this is 5 megs in total (99% probably the libraries); if you have say 100 customers on a machine, that's 500 megs of disk space just in setting up the restricted ftp access, that's a lot of space, relatively speaking. So you can just chroot on /home and then you only need one set of those directories, and take chmod out of the privileges for guest ftp accounts in /etc/ftpaccess. That should stop anyone chmoding someone else's files then deleting them. Obviously this needs more consideration and is site dependent.

Hope this helped someone!

Regards

Sorry...that should be /home/bin/ls of course!
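The two points the thread keeps circling back to are mib's item 1) (the /./ marker in the passwd home field decides where the chroot root is, so etc, bin and lib must sit under that root, not under the chdir target) and the ldd-driven library copying in the write-up above. The script below is an added example, not anything posted in the thread or shipped with wu-ftpd: it splits a passwd home field the way the /./ convention implies, parses ldd output into library paths, copies each library plus its soname symlink into a jail, and checks that the jail has the etc/passwd, etc/group, bin/ls and lib/ pieces the thread ended up needing. The jail_passwd helper, the function names, and the library names and uids used in the tests are constructed for illustration; readlink -f is assumed to be the GNU coreutils version.

```shell
#!/bin/sh
# Added example (not from the thread): helpers to build and sanity-check a
# wu-ftpd style guest-ftp chroot jail. All function names are constructed.
set -u

# split_home HOMEFIELD
# Split a passwd home field on the wu-ftpd "/./" marker and print
# "<chroot root> <initial directory>". Without a marker the whole field is
# the chroot root and the session starts at "/".
split_home() {
  case "$1" in
    */./*) printf '%s/ /%s\n' "${1%%/./*}" "${1#*/./}" ;;
    *)     printf '%s /\n' "$1" ;;
  esac
}

# entry_root PASSWD_LINE
# Print only the chroot root implied by a complete /etc/passwd line, i.e.
# the directory that must contain etc/, bin/ and lib/.
entry_root() {
  split_home "$(printf '%s\n' "$1" | cut -d: -f6)" | cut -d' ' -f1
}

# ldd_paths < LDD_OUTPUT
# Extract absolute library paths from ldd output. Handles the
# "name => /path (addr)" form and the bare "/path (addr)" form used for the
# dynamic loader; pseudo-entries with no path (vdso) and "statically
# linked" lines yield nothing.
ldd_paths() {
  awk '/=>/ { if ($3 ~ /^\//) print $3; next }  $1 ~ /^\// { print $1 }'
}

# install_lib JAIL /path/to/lib
# Copy the real file behind a library path into JAIL/lib and recreate the
# soname symlink, mirroring the ld-2.x.so <- ld-linux.so.2 layout above.
install_lib() {
  jail=$1; lib=$2
  name=$(basename "$lib")
  real=$(readlink -f "$lib")          # GNU readlink: resolve symlink chain
  mkdir -p "$jail/lib"
  cp -p "$real" "$jail/lib/$(basename "$real")"
  if [ "$(basename "$real")" != "$name" ]; then
    ln -sf "$(basename "$real")" "$jail/lib/$name"
  fi
}

# jail_passwd JAIL USER UID GID
# Write the minimal etc/passwd and etc/group the jail needs: root plus the
# one guest user, nothing else, so nothing about other accounts is
# visible from inside the jail. Password fields are "x" (no hashes).
jail_passwd() {
  jail=$1; user=$2; uid=$3; gid=$4
  mkdir -p "$jail/etc"
  printf 'root:x:0:0:root:/:/etc/ftponly\n%s:x:%s:%s::/%s:/etc/ftponly\n' \
    "$user" "$uid" "$gid" "$user" > "$jail/etc/passwd"
  printf 'root:x:0:root\n%s:x:%s:%s\n' "$user" "$gid" "$user" > "$jail/etc/group"
}

# check_jail JAIL
# Verify the layout the thread arrived at: etc/passwd, etc/group, bin/ls
# and at least one shared object all under the chroot root. Returns 0 when
# complete, 1 otherwise, naming what is missing.
check_jail() {
  jail=$1; rc=0
  for f in etc/passwd etc/group bin/ls; do
    [ -e "$jail/$f" ] || { echo "missing: $jail/$f"; rc=1; }
  done
  ls "$jail"/lib/*.so* >/dev/null 2>&1 || { echo "missing: $jail/lib/*.so*"; rc=1; }
  return $rc
}

# build_jail JAIL BINARY
# Copy BINARY into JAIL/bin and pull in every library ldd reports for it,
# which is mib's option 3) done mechanically.
build_jail() {
  jail=$1; bin=$2
  mkdir -p "$jail/bin" "$jail/etc" "$jail/lib"
  cp -p "$bin" "$jail/bin/"
  for lib in $(ldd "$bin" | ldd_paths); do
    install_lib "$jail" "$lib"
  done
  check_jail "$jail"
}

# Usage: sh jail.sh /home /bin/ls   (then jail_passwd /home user 500 500)
if [ "$#" -ge 2 ]; then
  build_jail "$1" "$2"
fi
```

Run it against the chroot root from the passwd entry, not the user's home: entry_root on `user:x:500:500::/home/./user/:/etc/ftponly` prints /home/, which is where build_jail must put bin and lib. ldd only reports direct and transitive shared-object dependencies; anything ls opens at runtime via dlopen or name-service lookups (locale files, nsswitch modules) is not listed and would have to be added by hand.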

Thanks so much for sharing your success and providing a thread we can reference when this comes up again (and again)! :slight_smile: :slight_smile:

The trouble with rbash and many other restricted shells is that they are easy to 'break out of' by exec'ing another shell. The chroot method has 'a chance to work'.

BTW: If you do what you just described for individual users (and individual logins) vs. a guest login, then (obviously) you could be more restrictive :slight_smile: I think there is a way to do this that is not too labor intensive, BTW.

[Edited by Neo on 05-09-2001 at 07:17 PM]