Often referred to as a "chroot jail" or a "padded cell" because users cannot escape from the directories into which they are put when they log in, the basic concept of a "chroot" (change root) configuration is that a user's working view of the system's file system is dramatically modified so that only some particular directory and its contents are visible, making it appear to be the entire system. In fact, the chroot process involves setting up a mini-OS environment that looks and acts as if it were largely independent of the rest of the system (though, of course, it is not). This allows jailed users to issue an essential set of commands -- whatever commands are required for them to do the work that their jail cell was meant to accomplish. For example, jailed users might need to change directories. If so, the cd command needs to be added to their limited file system. They might need to list files. If so, they need a copy of the ls command.
Providing only the basic commands that jailed users need is not quite enough, however. While it might not be obvious, most basic Unix commands are incomplete in themselves. To function, they make use of a number of shared library files. If your jailed users don't have access to these shared library files, they will not be able to make use of commands like cd and ls, even if you provide these binaries in their /usr/bin directory. The commands will issue errors attesting to the missing library files and fail.
Each chrooted environment, therefore, needs to contain many of the same directories you would expect to find in the root file system on a typical Unix system -- /usr/bin, /usr/lib, /etc and so on. The commands and libraries you need for any chrooted environment depend on the nature of the application that it will be supporting.
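The library problem described above is mechanical enough to script. The following is an added example, not code from the original column: it copies a dynamically linked command into a jail along with every shared object ldd reports for it, and lists anything still missing. It assumes ldd is installed and the jail directory is writable.

```shell
#!/bin/sh
# Added example, not from the original column: copy a dynamically linked
# command (e.g. ls) and the shared libraries it depends on into a chroot
# jail, keeping the original directory layout so the loader finds them.
# Assumes 'ldd' is available and the jail directory is writable.

# Read ldd output on stdin and print one library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" form of the loader itself.
# Lines without a path (linux-vdso, "not found", "statically linked")
# produce nothing, so a missing library is never silently half-copied.
ldd_libs() {
    sed -n -e 's/^[[:space:]]*[^ ]* => \(\/[^ ]*\).*/\1/p' \
           -e 's/^[[:space:]]*\(\/[^ ]*\) (0x.*/\1/p'
}

# install_into_jail JAIL BINARY: copy BINARY and every library it needs
# under JAIL; returns non-zero if BINARY is not an executable file.
install_into_jail() {
    jail="$1"; bin="$2"
    [ -f "$bin" ] && [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" 2>/dev/null | ldd_libs | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Report which shared objects a jailed command still cannot find: every
# path ldd names for the host binary that does not exist under the jail.
missing_in_jail() {
    jail="$1"; bin="$2"
    ldd "$bin" 2>/dev/null | ldd_libs | while read -r lib; do
        [ -e "$jail$lib" ] || echo "$lib"
    done
}
```

Running missing_in_jail after each install is the check to do before handing the jail to users: an empty result means the command will load inside the jail.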
In particular, creating a chrooted ftp site involves two things: creating a working chrooted environment, and ensuring that your ftp server enforces the restrictions.
FTP-Only Setup
When you are setting up an account that is only to be used for uploading and downloading files, you want to be sure that the account cannot be accessed in any other way. To make an account ftp-only, you need to do two things. First, you assign the account a shell that doesn't permit normal login. You can do this by setting the jailed user's shell to /bin/false or you can create an executable to serve as the user's shell. I prefer to create my own shell by compiling code like this:
#include <stdio.h>
#include <stdlib.h>

/* "exit only" shell: print the notice and end the session immediately */
int main(void) {
    printf("+---------------------------------------+\n");
    printf("| This account only provides ftp access |\n");
    printf("+---------------------------------------+\n");
    exit(0);
}
This "exit only" shell displays an explanatory message to the user and exits. The exit disconnects him from the system. If you use /bin/false, no message is displayed; the user is simply logged off. To permit ftp once the /bin/false or /bin/exitonly "shell" is specified as the user's shell in the /etc/passwd file, you have to add the path for the file to your /etc/shells file -- the file that specifies which shells are allowed to be used with ftp. At this point, the jailed user can ftp files to and from the system, but cannot log in with telnet or ssh. If you test the account by attempting to switch user, you should see something like this:
# su - grilli
+---------------------------------------+
| This account only provides ftp access |
+---------------------------------------+
The second part of the process involves setting up the user's chrooted environment. Once he logs in, after all, you do not want him to be able to cd to directories outside the intended jail. This part of the process involves a lot of file copying and permission setting and is described in a section below.
The last step is getting your ftp server to treat the ftp-only user as an untrusted (i.e., jailed) guest. In other words, it has to keep the user in the restricted environment established in part two of the setup process. For me, this involved a simple change to wu-ftpd's configuration file (ftpaccess).
To jail a user or set of users in the ftpaccess file, you need to identify each user individually as a guestuser, or identify the users' group (as defined in the /etc/group file) as a guestgroup. For example, if your jailed users are members of a guests group (e.g., "guests::8080:" in the /etc/group file), you would use a line like this in your ftpaccess file:
guestgroup guests
If you prefer to list your jailed users individually, you would use a syntax like this:
guestuser sal loretta danny grilli
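The three pieces of the ftp-only setup (a non-login shell, that shell listed in /etc/shells, and the user covered by a guestuser or guestgroup line) are easy to get out of sync. The following is an added audit script, not from the original column, that checks all three for one account; the file paths after the user name are assumed defaults and can be pointed at copies.

```shell
#!/bin/sh
# Added example, not from the original column: audit that an account is
# ftp-only and jailed the way the three steps above describe. Arguments
# after the user name are the passwd, shells, group and ftpaccess files,
# so the check can be run against copies; the defaults are assumed paths.
check_ftp_only() {
    user="$1"
    passwd="${2:-/etc/passwd}"; shells="${3:-/etc/shells}"
    group="${4:-/etc/group}";   ftpaccess="${5:-/etc/ftpaccess}"
    status=0

    # Step 1: the login shell must refuse interactive logins
    # (/bin/false or the compiled exit-only shell).
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    case "$shell" in
        "")                     echo "$user: no passwd entry"; return 1 ;;
        /bin/false|*/exitonly)  ;;
        *)  echo "$user: shell $shell permits normal login"; status=1 ;;
    esac

    # Step 1, continued: wu-ftpd only serves users whose shell is in /etc/shells.
    grep -qx "$shell" "$shells" 2>/dev/null \
        || { echo "$user: $shell is not listed in $shells"; status=1; }

    # Step 3: the user must be named on a guestuser line, or belong
    # (primary or supplementary group) to a group on a guestgroup line.
    gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$passwd")
    groups=$(awk -F: -v u="$user" -v g="$gid" '
        $3 == g { print $1 }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$group" | tr '\n' ' ')
    jailed=$(awk -v u="$user" -v gl="$groups" '
        BEGIN { n = split(gl, g, " ") }
        $1 == "guestuser"  { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        $1 == "guestgroup" { for (i = 2; i <= NF; i++)
                                 for (j = 1; j <= n; j++) if ($i == g[j]) found = 1 }
        END { print found + 0 }
    ' "$ftpaccess")
    [ "$jailed" = 1 ] \
        || { echo "$user: not a guestuser or in a guestgroup in $ftpaccess"; status=1; }

    return "$status"
}
```

The function returns zero only when every check passes and prints one line per problem, so it can be run for each account in a guest group after the setup is finished.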
When one of your jailed users makes an ftp connection to your system, he will see something like this:
> ftp chrooting.host.net
Connected to chrooting.host.net.
220 owl FTP server (Version wu-2.6.2(6) Fri Apr 8 02:34:57 EDT 2004) ready.
User (owl.host.net:(none)): grilli
331 Password required for grilli.
Password:
230 User grilli logged in. Access restrictions apply.
Note the "Access restrictions apply" warning.
If a cd command is supplied (e.g., if you have set up separate downloads and uploads directories and provided cd and ls commands), the chrooted environment will allow the user to move around in his limited file space:
ftp> cd downloads
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
download.me.file
download.me2.file
If the user attempts to cd to your root file system, on the other hand, he will actually be moving into the root directory for his chrooted file system.
ftp> cd /
250 CWD command successful.
ftp> ls
200 PORT command successful.
550 No files found.
ftp>
This is the effect you want. Chrooted users can't go wandering around the file system looking at or downloading files they don't need to see.
Next week, we'll look at techniques and scripts for setting up a chrooted environment.