ftp jailing ftp-chroot
I'm back with a question regarding ftp jailing.
I have looked through the links below and got this far. I can edit the ftpchroot file and add a user name and it works: the ftp account is jailed. I then remove it from the ftpchroot file and edit the login.conf and place the words ftp-chroot on a line, and I believe this will jail all users' ftp accounts. Is this correct?

The reason I say this is because the second method does not jail the ftp users and allows them to traverse the directories as they please. I guess this is something to do with user levels when an account is created. A little help and explanation would be great, thanks.

Pico.

-------------------------------------------

OpenBSD FAQ

By default, when logging in by ftp, users can change to any directory on the filesystem that they have access to. This may not be desirable in some cases. It is possible to restrict what users may see through ftp sessions by chrooting them to their home directory.

If you only wish to allow chrooted ftp logins, use the -A option to ftpd(8). If you wish to apply them more finely, OpenBSD's login capability infrastructure and ftpd(8) together make this easy.

Users in a login class with the ftp-chroot variable set are automatically chrooted. Additionally, you can add a username to the file /etc/ftpchroot to chroot those usernames. A user only needs to be listed in one of these locations.

ftp-chroot
    A boolean value. If set, users in this class will be automatically chrooted to the user's login directory.
Thanks for the advice jggimi
Having read a little, it became a little clearer in that I was just adding the words ftp-chroot anywhere and it needs to be within the correct area of the file. I have therefore created the user testuser with the default login class. I have edited the default part of the login.conf file to read:

Code:
    default:\
        :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
        :umask=022:\
        :datasize-max=512M:\
        :datasize-cur=512M:\
        :maxproc-max=256:\
        :maxproc-cur=128:\
        :openfiles-cur=128:\
        :stacksize-cur=4M:\
        :localcipher=blowfish,6:\
        :ypcipher=old:\
        :tc=auth-defaults:\
        :tc=auth-ftp-defaults:
        :ftp-chroot

This really must be a case of wood from the trees here.

Last edited by ocicat; 29th March 2010 at 08:42 PM. Reason: adding [code] & [/code] tags
If you would surround code with [code] and [/code], you would not have ASCII converted to unreadable smilies.
As you may not have guessed, login.conf is read by a program, and it needs to have the correct syntax, known in this case as termcap syntax. Lines must have continuation with backslash, and variables must be surrounded by full colons.

I have reposted the last three lines, below, and highlighted your errors in the last two lines. Note that I am using [code] and [/code]:

Code:
    :tc=auth-defaults:\
    :tc=auth-ftp-defaults:\
    :ftp-chroot:
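The two rules from the reply above (backslash continuation, colon-enclosed variables) can be checked mechanically before relying on ftp-chroot to confine anyone. The following is an added example, not part of any post in this thread and not OpenBSD's own parser: `lint` and `capabilities` are hypothetical helpers built on a simplified model of the termcap-style record format, and the sample text is constructed from the lines posted above.

```python
import re

# Constructed samples: tail of the "default" class as first posted in the
# thread (BROKEN) and with the two corrections applied (FIXED).
BROKEN = r"""default:\
    :umask=022:\
    :tc=auth-defaults:\
    :tc=auth-ftp-defaults:
    :ftp-chroot
"""
FIXED = (BROKEN.replace("ftp-defaults:\n", "ftp-defaults:\\\n")
               .replace(":ftp-chroot\n", ":ftp-chroot:\n"))

def lint(text):
    """Return [(line_no, problem)] for the two mistakes discussed above."""
    findings, continued, prev = [], False, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        # A ":field" line is only part of a class if the line before it
        # ended with a backslash.
        if line.startswith(":") and not continued:
            findings.append((prev, "missing trailing backslash"))
        continued = line.endswith("\\")
        body = line[:-1].rstrip() if continued else line
        if not body.endswith(":"):
            findings.append((no, "field not closed with ':'"))
        prev = no
    return findings

def capabilities(text, cls):
    """Fields that belong to class `cls` once continued lines are joined."""
    joined = re.sub(r"\\\n\s*", "", text)  # backslash-newline joins lines
    for record in joined.splitlines():
        name, _, rest = record.strip().partition(":")
        if name == cls:
            return [field for field in rest.split(":") if field]
    return []

if __name__ == "__main__":
    for label, sample in (("as posted", BROKEN), ("corrected", FIXED)):
        print(label, lint(sample))
        print("  ftp-chroot in default class:",
              "ftp-chroot" in capabilities(sample, "default"))
```

Under this model the posted version ends the default class at the `tc=auth-ftp-defaults` line, so `ftp-chroot` never becomes part of the class, which matches the unjailed behaviour reported earlier in the thread.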
Works like a charm
I have noted your suggestion and it worked.

Sorry to have wasted your time. I really should have looked a little closer in the morning and not after work when my eyes and brain were fried. I will look into termcap syntax; it would be good to know how and what handles these files. Another hurdle in the learning curve, but it is all very enjoyable.

Regards
Pico