Home Page Home Page
Home | Linux Administration | Corporate Services | Resources | About Us Support Center
Monthly Server Management One-time Server Services Other Services
Network Administration Network Monitoring Network Security High Availability Load Balancing Data Backup and Recovery
Linux HOWTOs Linux Guides Linux Articles New RFCs Vulnerability list Linux Journal
Testimonials Partners Careers Contact Us Site Map
The Answer Guy 32: WU-FTP guestgroup problems

"Linux Gazette...making Linux just a little more fun!"

The Answer Guy


By James T. Dennis, tag@lists.linuxgazette.net
Starshine Technical Services, http://www.starshine.org/

(?)WU-FTP guestgroup problems

From Marco Iannacone on the comp.unix.questions newsgroup on 9 Jun 1997

It looks like I never answered this question. (I'm going through my old archives).

Hi James, how you doing?

I'm writing to you as The Answer Guy 'cause I have some problem with setting up the guest trick with wu-ftpd. What I mean is to have a chrooted enviroment for some special user with their home directory and user-id and password.

I'm using Slackware '96 Linux with the wu-archive-ftp that comes already compiled with it.

This is what I did:

  • I compiled gnu ls statically and put it in ~ftp/user-foo/bin directory.
  • I did the /etc hack:
    • added the guest group in/etc/group
    • modify the/etc/passwd file for the user I want to be chrooted giving him /home/ftp/user-foo./ directory
(!)I think this is supposed to be
/home/ftp/./user-foo
... if you want the guestgroup directive in wu-ftpd's ftpaccess file to chroot to /home/ftp and initially place this user in the/home/ftp/user-foo directory.

(?)I don't recall whether the "ftponly" (or whatever you call your "guestgroup" group) has to be that user's primary group (the one listed in /etc/passwd) or whether it can be one of the supplemental groups (as listed in /etc/group)

    • added /etc/ftponly to /etc/shells
    • I modify the /etc/ftpaccess file adding ...
      path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
      ....
      guestgroup guest
  • I created the user home directory which has the following attribute: 
    [root]:/home/ftp>ls -la
total 104
dr-xr-xr-x   9 root     root          512 Jun  2 14:01 .
drwxrwxr-x   6 user-foo guest     512 Jun  3 13:54 user-foo
dr-xr-xr-x   2 root     root       512 Jun  3 09:45 bin

Now the ftp server is running fine (both with normal and anonymous users) and even the chrooted enviroment for guest is working fine: the user can login, upload and download files and it is locked in that directory... i.e. can go in all the subdirectory but can't go up. So it is perfect!

The only problem is that ls and dir are not working and he can only list files using nlist.

For example: 

Name (localhost:root): user-foo
331 Password required for user-foo.
Password:
230 User amex logged in.  Access restrictions apply.
ftp> nlist
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
bin
.profile
etc
.rhosts
.forward
.sh_history
test-directory
test-file.txt
226 Transfer complete.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp>quit

What am I missing? how can I allow him to do ls and dir? Note: i'm sure that the new ls is working: 

[root@Goliath /home/ftp/user-foo//bin]#./ls
compress  cpio        gzip            ls              sh        tar
[root@Goliath /home/ftp/user-foo/bin]#

and that is statically linked: 

[root@Goliath /home/ftp/user-foo/bin]#ldd ./ls

Statically linked (ELF)

[root@Goliath /home/ftp/user-foo/bin]#

Thanks a lot, Marco

(!)Everything else sounds right to me.
Naturally I hope you've long since solved this problem. I just hate to leave a question unanswered.
Incidentally, you might look at ncftpd (a newer FTP daemon from Mike Gleason, author of the popular ncftp client). ncftpd allegedly offers better options for locking users into their home directories and it contains built-in support for 'ls' and similar commands.
ncftpd is shareware, rather than freeware, and Mike wants $40 (US) for small servers (50 concurrent sessions or less) and about $200 for larger servers.
However you can evaluate the whole package for free. Start by taking a look at:
http://www.probe.net/~mgleason/ncftpd/
... or at:
http://www.ncftp.com/
... and reading about the features list.
Naturally this hasn't been around as long as wu-ftpd, and the sources don't seem to be openly available. So ncftpd doesn't benefit from the informal process of code review that we take for granted for most Linux networking packages.
(This informal process of auditing does not seem to have been terribly effective, however, since we still find new security problems in code that's been free for decades. For this reason there are have a couple of more organized and formal efforts --- the OpenBSD project and the Linux Security Audit http://www.att.net/~Bandit2006/ to name the two with which I'm familiar).

Copyright © 1998, James T. Dennis
Published in Linux Gazette Issue 32 September 1998

[ Answer Guy Index ] phreak abandon javaterm BBS flaws doslinux resume
softwindows convert apache emulate database distrib proxy
disable DVI superblock serial permission detach cdr
rs422 modem notfound tuning libc5 startup clock ping
accounts lilo NDS 95slow nonlinux progenv cluster ftpd

[ Table Of Contents ] [ Front Page ] [ Previous Section ] [ Next Section ]

All logos, trademarks and content in this site are property of their respective owners. All else is © Copyright 2005-2012 n3v.net