Aqua Phoenix
     >>  References >>  Operating Systems  


2.2 Restricted FTP Access (chroot)

Restricted ftp access accounts are created like regular user accounts with home directories and password/group entries. However, additional steps are required to setup change-root access, so that the home directory becomes the root directory for ftp users.

Basic Account Setup:

  1. Create account directory, e.g. /usr/local/home/ftpuser
  2. Add entry in /etc/passwd (1000 = userid, 100 = groupid)


  3. Add entry in /etc/group, if desirable:


  4. Set password for new user:

    passwd ftpuser

  5. Set permissions for home directory:

    chown ftpuser:ftpgroup /usr/local/home/ftpuser

Additional steps to create a sandbox for ftp login, such that the home directory /usr/local/home/ftpuser becomes the root directory:

  1. Add entry in /etc/ftpusers to restrict access:

    ftpuser restrict

  2. Create the following directories in the ftp user's home directory:

    mkdir /usr/local/home/ftpuser/bin
    mkdir /usr/local/home/ftpuser/dev
    mkdir /usr/local/home/ftpuser/etc
    mkdir /usr/local/home/ftpuser/lib32

  3. Place important ftp commands in appropriate directories:

    cp /sbin/ls /usr/local/home/ftpuser/bin
    cp /dev/zero /usr/local/home/ftpuser/dev
    cp /lib32/ /usr/local/home/ftpuser/lib32
    cp /lib32/rld /usr/local/home/ftpuser/lib32

  4. Create files


  5. Create group entries in /usr/local/home/ftpuser/etc/group:


  6. Create passwd entries in /usr/local/home/ftpuser/etc/passwd without specifying passwords:


  7. Set permissions:

    chown -R root:ftpgroup /usr/local/home/ftpuser/bin
    chown -R root:ftpgroup /usr/local/home/ftpuser/dev
    chown -R root:ftpgroup /usr/local/home/ftpuser/etc
    chown -R root:ftpgroup /usr/local/home/ftpuser/lib32

Note: Permissions for system directories under ftpuser's home directory are set for root in order to protect from removal or modification of files by ftp user using ftp commands. The group and password entries for root are required in order for the sandbox environment to recognize the system file permissions. Passwords are not specified, since they already exist in the system's real passwd file.

Note: This has been tested on an SGI O2. In a 64 bit environment, a library directory may have to be created for lib64 or lib, instead of lib32.

When logging into the system via ftp and using the sandbox ftp account, the logged user will be unable to traverse the directory structure upwards from the home directory, thus protecting the system.