Old 29th March 2010
pico
Real Name: Pico
Complete openbsd beginner
 
Join Date: Mar 2010
Location: Scotland
Posts: 19
ftp jailing ftp-chroot

I'm back with a question regarding ftp jailing.

I have looked through the links below and got this far.

I can edit the ftpchroot file and add a user name, and it works: the ftp account is jailed.

I then remove it from the ftpchroot file and edit the login.conf and place the words ftp-chroot on a line, and I believe this will jail all users' ftp accounts.

Is this correct? The reason I say this is because the second method does not jail the ftp users and allows them to traverse the directories as they please.

I guess this is something to do with user levels when an account is created.

A little help and explanation would be great thanks.

Pico.

-------------------------------------------

OpenBSD FAQ

By default, when logging in by ftp, users can change to any directory on the filesystem that they have access to. This may not be desirable in some cases. It is possible to restrict what users may see through ftp sessions by chrooting them to their home directory.

If you only wish to allow chrooted ftp logins, use the -A option to ftpd(8).

If you wish to apply them more finely, OpenBSD's login capability infrastructure and ftpd(8) together make this easy.

Users in a login class with the ftp-chroot variable set are automatically chrooted. Additionally, you can add a username to the file /etc/ftpchroot to chroot those usernames. A user only needs to be listed in one of these locations.

ftp-chroot A boolean value. If set, users in this class will be automatically chrooted to the user's login directory.
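
The FAQ rule quoted above, as an added example that is not part of the original post or of OpenBSD's own code: a simplified reading of login.conf and /etc/ftpchroot that reports whether a given user's ftp session would be chrooted. The class name `ftpjail`, the user names and both sample files are constructed, and the fallback to the `default` class for an empty or unknown class is an assumption of this sketch.

```python
import re

# Constructed sample files; the class name "ftpjail" and all user names are hypothetical.
LOGIN_CONF = """\
# login.conf(5): a capability only counts as a :field: inside a class record
default:\\
	:path=/usr/bin /bin:\\
	:umask=022:

ftpjail:\\
	:ftp-chroot:\\
	:tc=default:
"""
FTPCHROOT = "# /etc/ftpchroot: one user name per line\ncarol\n"

def parse_login_conf(text):
    """Map each class name to its list of capability fields."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    joined = re.sub(r"\\\n", "", "\n".join(lines))  # fold continuation lines
    classes = {}
    for record in joined.splitlines():
        fields = [f.strip() for f in record.split(":")]
        for name in filter(None, fields[0].split("|")):
            classes[name] = [f for f in fields[1:] if f]
    return classes

def has_bool_cap(classes, cls, cap, seen=()):
    """True if cap is set in cls, following tc= references to other classes."""
    if cls not in classes or cls in seen:
        return False
    for field in classes[cls]:
        if field == cap:
            return True
        if field == cap + "@":  # capability explicitly cancelled
            return False
        if field.startswith("tc=") and has_bool_cap(classes, field[3:], cap, seen + (cls,)):
            return True
    return False

def ftp_is_chrooted(user, login_class, login_conf=LOGIN_CONF, ftpchroot=FTPCHROOT):
    """Either condition is enough: the class has ftp-chroot, or the user is listed."""
    classes = parse_login_conf(login_conf)
    # Assumption: an empty or unknown class falls back to "default".
    cls = login_class if login_class in classes else "default"
    listed = {l.split()[0] for l in ftpchroot.splitlines()
              if l.strip() and not l.startswith("#")}
    return user in listed or has_bool_cap(classes, cls, "ftp-chroot")

if __name__ == "__main__":
    for user, cls in [("alice", "ftpjail"), ("bob", ""), ("carol", "")]:
        print(user, cls or "default", ftp_is_chrooted(user, cls))
```

The login class passed in is the one recorded for the account, so a user left in a class without `ftp-chroot` is only chrooted when listed in /etc/ftpchroot.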