DaemonForums > OpenBSD > OpenBSD Security
#1
Old 29th March 2010
pico
Real Name: Pico
Complete openbsd beginner
 
Join Date: Mar 2010
Location: Scotland
Posts: 19
Thanked 0 Times in 0 Posts
ftp jailing ftp-chroot

I'm back with a question regarding ftp jailing.

I have looked through the links below and got this far.

I can edit the ftpchroot file and add a user name and it works the ftp account is jailed.

I then remove it from the ftpchroot file and edit the login.conf and place the words ftp-chroot on a line and I believe this will jail all users ftp accounts.

Is this correct? The reason I say this is because the second method does not jail the ftp users and allows them to traverse the directories as they please.

I guess this is something to do with user levels when an account is created.

A little help and explanation would be great thanks.

Pico.

-------------------------------------------

OpenBSD FAQ

By default, when logging in by ftp, users can change to any directory on the filesystem that they have access to. This may not be desirable in some cases. It is possible to restrict what users may see through ftp sessions by chrooting them to their home directory.

If you only wish to allow chrooted ftp logins, use the -A option to ftpd(8).

If you wish to apply them more finely, OpenBSD's login capability infrastructure and ftpd(8) together make this easy.

Users in a login class with the ftp-chroot variable set are automatically chrooted. Additionally, you can add a username to the file /etc/ftpchroot to chroot those usernames. A user only needs to be listed in one of these locations.

ftp-chroot    A boolean value. If set, users in this class will be automatically chrooted to the user's login directory.
#2
Old 29th March 2010
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,431
Thanked 214 Times in 189 Posts

Quote:
...and place the words ftp-chroot on a line...
The admin does not randomly add a line with "ftp-chroot" in it. The admin assigns ftp-chroot to a particular login class. Users in that class will be automatically chrooted to their login directory (like /etc/ftpchroot).

If you have users who are not being chrooted, they are not in the class with ftp-chroot assigned in login.conf.

See login.conf(5). If that is not sufficient, post your login.conf for specific assistance.
#3
Old 29th March 2010
pico
Real Name: Pico
Complete openbsd beginner
 
Join Date: Mar 2010
Location: Scotland
Posts: 19
Thanked 0 Times in 0 Posts

Thanks for the advice jggimi

Having read a little it became a little clearer in that I was just adding the words ftp-chroot anywhere and it needs to be within the correct area of the file.

I have therefore created the user testuser with the default login class.

I have edited the default part of the login.conf file to read
Code:
default:\
        :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
        :umask=022:\
        :datasize-max=512M:\
        :datasize-cur=512M:\
        :maxproc-max=256:\
        :maxproc-cur=128:\
        :openfiles-cur=128:\
        :stacksize-cur=4M:\
        :localcipher=blowfish,6:\
        :ypcipher=old:\
        :tc=auth-defaults:\
        :tc=auth-ftp-defaults:
        :ftp-chroot
I have then restarted the system (as I don't know the command line instruction to restart the login.conf file) and testuser is not jailed.

This really must be a case of wood from the trees here.

Last edited by ocicat; 29th March 2010 at 08:42 PM. Reason: adding [code] & [/code] tags
#4
Old 29th March 2010
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,431
Thanked 214 Times in 189 Posts

If you would surround code with [code] and [/code], you would not have ASCII converted to unreadable smilies.

As you may not have guessed, login.conf is read by a program, and it needs to have the correct syntax, known in this case as termcap syntax. Lines must have continuation with backslash, and variables must be surrounded by full colons. I have reposted the last three lines, below, and highlighted your errors in the last two lines. Note that I am using [code] and [/code]:
Code:
:tc=auth-defaults:\
:tc=auth-ftp-defaults:\
:ftp-chroot:
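The two record rules jggimi gives in post #4 (every continued line ends in a backslash, every capability is enclosed in colons) and the two chroot mechanisms quoted from the FAQ in post #1 (the ftp-chroot class capability and /etc/ftpchroot) can be checked mechanically before anyone logs in. The POSIX shell script below is an added example written for this page; it is not code from the thread or from OpenBSD. It parses a constructed login.conf sample whose "broken" class repeats the exact mistakes from post #3, follows tc= references the way login.conf(5) chains classes, flags capability lines that are attached to no class, and reports whether ftpd would chroot a given user under either mechanism. The class and user names, the sample records and the one-username-per-line ftpchroot contents are all constructed for the demonstration, and the parser deliberately ignores login.conf features it does not need (escape sequences and value types beyond exact matching).

```shell
#!/bin/sh
# Added example (not from the thread): parse termcap-style login.conf
# records and decide whether ftpd would chroot a user.

# Constructed sample login.conf. "default" is written correctly; "broken"
# repeats the two mistakes from the thread: the tc= line has no
# continuation backslash and ftp-chroot has no closing colon, so the
# capability never attaches to the class.
SAMPLE_LOGIN_CONF='# constructed sample, not a real /etc/login.conf
default:\
        :path=/usr/bin /bin /usr/sbin /sbin:\
        :umask=022:\
        :tc=auth-defaults:\
        :tc=auth-ftp-defaults:\
        :ftp-chroot:

broken:\
        :umask=022:\
        :tc=auth-ftp-defaults:
        :ftp-chroot

staff:\
        :tc=default:
'

# Constructed /etc/ftpchroot contents: one username per line (simplified).
SAMPLE_FTPCHROOT='bob
carol'

# class_record CLASS: print the record for CLASS as one line, joining
# backslash-continued lines; print nothing if the class is absent.
class_record() {
    printf '%s\n' "$SAMPLE_LOGIN_CONF" | awk -v cls="$1" '
        /^#/ || /^[[:space:]]*$/ { next }
        !inrec && $0 ~ ("^" cls ":") { inrec = 1 }
        inrec {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            cont = (line ~ /\\$/)      # ends with a continuation backslash?
            sub(/\\$/, "", line)
            rec = rec line
            if (!cont) { print rec; exit }
        }'
}

# dangling_lines: print capability lines (starting with ":") that sit
# outside any record because the line above ended without a backslash.
# Exit status 1 if any were found, 0 otherwise.
dangling_lines() {
    printf '%s\n' "$SAMPLE_LOGIN_CONF" | awk '
        /^#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (!inrec && line ~ /^:/) { print "line " NR ": " line; found = 1 }
            inrec = (line ~ /\\$/)
        }
        END { exit found ? 1 : 0 }'
}

# has_cap CLASS CAP [DEPTH]: exit 0 if CLASS sets CAP exactly (a boolean
# such as "ftp-chroot" or an exact "name=value"), following tc= references
# up to eight levels deep. Runs in a subshell so its variables stay local.
has_cap() (
    cls=$1 cap=$2 depth=${3:-0}
    [ "$depth" -lt 8 ] || exit 1
    rec=$(class_record "$cls")
    [ -n "$rec" ] || exit 1
    set -f                       # no globbing while splitting on ":"
    IFS=:
    set -- ${rec#*:}             # drop "name:" and split the capabilities
    for f in "$@"; do
        [ "$f" = "$cap" ] && exit 0
    done
    for f in "$@"; do
        case $f in
            tc=*) has_cap "${f#tc=}" "$cap" $((depth + 1)) && exit 0 ;;
        esac
    done
    exit 1
)

# ftp_chrooted USER CLASS: exit 0 if ftpd would chroot USER, i.e. USER is
# listed in ftpchroot or USER's login class sets ftp-chroot.
ftp_chrooted() {
    printf '%s\n' "$SAMPLE_FTPCHROOT" | grep -qxF -- "$1" && return 0
    has_cap "$2" ftp-chroot
}

# Stand-alone report over the constructed data.
for c in default broken staff; do
    if has_cap "$c" ftp-chroot; then echo "$c: ftp-chroot set"
    else echo "$c: ftp-chroot NOT set"; fi
done
dangling_lines || echo "the lines above belong to no class: fix the record syntax"
for u in testuser:default alice:broken bob:broken; do
    if ftp_chrooted "${u%%:*}" "${u#*:}"; then echo "${u%%:*}: chrooted"
    else echo "${u%%:*}: NOT chrooted"; fi
done
```

Run against the sample, the script reports ftp-chroot set for default and (through tc=default) for staff, not set for broken, and points at the orphaned ":ftp-chroot" line, which is exactly why testuser was not jailed in post #3. Two points the thread leaves implicit: login.conf is consulted at each login, so no reboot is needed after editing it, but if /etc/login.conf.db exists it must be regenerated with cap_mkdb(1) or the old settings remain in effect; and the ftpd(8) -A option from the FAQ text in post #1 is the blunt alternative when every ftp login should be chrooted regardless of class.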
#5
Old 30th March 2010
pico
Real Name: Pico
Complete openbsd beginner
 
Join Date: Mar 2010
Location: Scotland
Posts: 19
Thanked 0 Times in 0 Posts
Works like a charm

I have noted your suggestion and it worked.

Sorry to have wasted your time.

I really should have looked a little closer in the morning and not after work when my eyes and brain were fried.

I will look into termcap syntax; it would be good to know how and what handles these files.

Another hurdle in the learning curve but it is all very enjoyable.

Regards

Pico