tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: chrooted ftpd?

> As Christos pointed out, the traditional ftp is intended to run as
> root so it can itself do chroot() calls.  Otherwise, ftpchroot isn't
> going to accomplish much.

Yeah, I came to that conclusion myself.  I added code so that it
doesn't bother doing the chroot call if the string that would be passed
to it is "/", so it doesn't get gratuitous errors, but that's a frill.

For my purposes I abandoned making the user a chroot user.

>> (Turns out an entry in ftpchroot doesn't allow access without an
>> entry in ftpusers too.)
> That sounds like a condition that should be logged, because it's a
> config error.  But probably it never gets as far as even opening
> ftpchroot.

I'm not sure - I no longer have the trace file - but I think ktrace
said it did.

>> Turns out getpwent() refuses to even _try_ to read spwd.db unless
>> geteuid() returns zero!!
> I expect the intent was to protect fools who write their own code
> using getpwent, run it unprivileged, and try to chmod 644 to make it
> work without thought for the consequences.

Hm, possibly.  It's the first scenario I've seen mentioned where that
bit of code actually protects against something.

> Seems misguided though as that grade of fool will just do chmod +s
> instead.

True, but then the attacker is restricted to finding holes in said
fool's code, rather than being able to just waltz off with a copy of
spwd.db.  (Admittedly, finding holes in code written by that grade of
fool is probably about as difficult as copying a mode 644 file.)

> You might be able to use nsswitch.conf to have it get passwords from
> elsewhere, although I don't think there any of the currently
> supported alternate methods are simple.

Possibly.  But, as I think I mentioned upthread, I realized on reading
the code that spwd.db and pwd.db have the same structure - the code to
read the db doesn't know or care which it's reading - so I just renamed
spwd.db to pwd.db and made it mode 644.  It's an additional step every
time something needs to change the ftp root's master.passwd, but that's
acceptable in this case.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML      
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Home | Main Index | Thread Index | Old Index