tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: chrooted ftpd?

In article <201106230150.VAA29109%Sparkle.Rodents-Montreal.ORG@localhost>,
der Mouse  <mouse%Rodents-Montreal.ORG@localhost> wrote:
>I'm trying to set up a chrooted FTP area for internal use.  I'm running
>into roadblock after roadblock, and have finally reached the point
>where I'm beginning to wonder if I'm going about this wrong.
>I started out with a chroot area with an etc/inetd.conf containing just
>one line
> stream tcp4 nowait:120 nobody /usr/libexec/ftpd ftpd -ll -d
>Then I started testing and adding things (libraries, mostly) until ftpd
>Next problem was that ftpd doesn't tell even the local logs why it
>denies access, when it does; I had to add debugging syslog() calls to
>figure that out.  (Turns out an entry in ftpchroot doesn't allow access
>without an entry in ftpusers too.)
>Then I ran into the getusershell() idiocy.  I call it idiocy because
>the interface design is cripplingly broken (there's no way to tell it
>"any program is allowed" or "any program in this directory is allowed"
>or any such).  And ftpd has no configuration knob to say "yes, dammit,
>allow this user (or, shell) anyway".  So I ripped that code out.
>Then it exploded, logging
>in openpam_configure(): No required or binding component in service
>ftpd, facility auth
>pam_start: system error
>I was unable to find any documentation on what this meant or what I
>would have to copy over to fix it; in particular, openpam_configure has
>no manpage.  I even googled for "pam" and "chroot" in,
>though I shouldn't have to resort to anything off-system for something
>like this.  It turned up nothing useful anyway.

You are missing /etc/pam.d/ in your chroot. man pam.conf

>Then it wouldn't authenticate because it couldn't read the password
>hash.  So I did a chmod 644 of spwd.db and master.passwd in the chroot.
>It *still* wouldn't authenticate.
>Turns out getpwent() refuses to even _try_ to read spwd.db unless
>geteuid() returns zero!!  And, as far as I can tell, ftpd has no way to
>have it use anything but getpwent() to get passwords.

I think this can be argued to be a bug, but I bet it is there to protect
the user.

>I'd really really prefer to not run ftpd as root inside the chroot.
>Should I just stop even trying to use NetBSD's ftpd and look for
>something a bit saner, or pull out the machete and wade into ftpd?

Unfortunately ftpd is designed to run as root. But if you make getpwent()
to be able to read spwd.db for non-root users, it will probably work.


Home | Main Index | Thread Index | Old Index