[HOWTO] - Setup a chroot jail for your FTP users (10.0-10.1.x only)

Discussion in 'HOWTO & FAQs' started by Jadey, Feb 3, 2002.

  1. Jadey

    Jadey sosumi

    This How-to will explain how to restrict your FTP users to their home directory, so they won't be able to look at any directories higher than their own.

    Launch Terminal (in Applications -> Utilities)

    type: cd /etc
    sudo pico ftpchroot

    Type the valid usernames of people in this file that you want to be restricted to their own directory when they FTP into their machine. Separate each entry by a carriage return. This file will look simply like this:

    ebunny
    sclaus
    tfairy

    Then save the file by holding down the Control key and hitting X. This will create the file ftpchroot in the /etc directory.

    Now restart your FTP server by turning it off then on again in your Sharing Control panel. Done!
     
  2. symphonix

    symphonix Scratch & Sniff Committee

    Is there a MOTD (Message of the Day) file for FTP, so I can have a message appear when someone logs in with a simple FTP client?
     
  3. blb

    blb `'

    There are several, depending on circumstance.

    /etc/ftpwelcome is printed to all connections prior to asking for username/password.

    /etc/ftpmotd is printed after a successful login by a user who isn't in /etc/ftpchroot.

    ~/etc/ftpmotd is printed after a successful login by a user who is in /etc/ftpchroot, since they've been chroot'ed to their home (~) directory.
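
Added example, not part of any post in this thread: a small shell audit tying together the /etc/ftpchroot list from the first post and the message-file locations described just above. It reports which accounts are jailed, which message file each would be shown, and which ftpchroot entries match no account. The "user:home" map file and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. MAP is a hypothetical "user:home" file
# (one account per line); LIST is a copy of /etc/ftpchroot.

# Print the usernames in LIST: strip CRs and stray whitespace, drop blank lines.
jailed_users() {
    tr -d '\r' < "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Succeed only if USER ($1) appears in LIST ($2) as a whole line.
is_jailed() {
    jailed_users "$2" | grep -qxF -- "$1"
}

# Login message path per the thread: ~/etc/ftpmotd if jailed, else /etc/ftpmotd.
motd_for() {  # USER HOME LIST
    if is_jailed "$1" "$3"; then printf '%s\n' "$2/etc/ftpmotd"
    else printf '%s\n' /etc/ftpmotd; fi
}

# Names in LIST ($2) that match no account in MAP ($1), e.g. typos.
unknown_entries() {
    jailed_users "$2" | while read -r name; do
        cut -d: -f1 "$1" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# One line per account in MAP ($1): jail state, expected motd, and whether it exists.
audit() {
    while IFS=: read -r user home; do
        [ -n "$user" ] || continue
        if is_jailed "$user" "$2"; then state=jailed; else state=NOT-jailed; fi
        motd=$(motd_for "$user" "$home" "$2")
        if [ -f "$motd" ]; then found=present; else found=missing; fi
        printf '%s %s %s (%s)\n' "$user" "$state" "$motd" "$found"
    done < "$1"
}

# Constructed sample data; usernames are the ones used in the thread.
demo() {
    d=$(mktemp -d)
    printf 'ebunny\r\nsclaus\n\ntfairy\n' > "$d/ftpchroot"
    printf 'ebunny:%s/ebunny\nandrea:%s/andrea\n' "$d" "$d" > "$d/users"
    audit "$d/users" "$d/ftpchroot"
    unknown_entries "$d/users" "$d/ftpchroot" | sed 's/^/unmatched entry: /'
    rm -rf "$d"
}
demo
```

An account reported as NOT-jailed, or an ftpchroot entry reported as unmatched, is the case to look at first when a user can still browse outside their home directory.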
     
  4. symphonix

    symphonix Scratch & Sniff Committee

    Thanks! That's just what I needed!
     
  5. dani++

    dani++ usin UNIX since '92

    Does this work for sftp too?
     
  6. mdkia

    mdkia Registered

    hi,
    i was searching on deja.com to find an answer to the ftp 'jail' question, i found it here, i registered with the forum and i tried what you suggested ...i think i made everything ok, but on my mac ...it doesn't work!:(
    i made it and then (i'm in office now) i tried to log in my ftp (mac os x server) with one of the user names i wrote in the ftpchroot file ...but i can still see the other directories.
    one of my users is 'andrea' and another one is 'gigi' ...if i log in with the user 'andrea', i can navigate also in 'gigi' directory!:(

    i think i made some mistakes!:(


    ciao
     
  7. Jadey

    Jadey sosumi

    Someone else private messaged me about using this with Mac OS X server. I haven't ever used the server, and I don't know if the same FTP server is used or not. What FTP server is installed with Mac OS X server?
     
  8. mdkia

    mdkia Registered

    thanks for your reply ...i don't know which ftp server is, but btw i gave it up because i can't spend a lot of time with it ...:(
    ps: may i ask you smth. else?
    if in mac os x (not server) i start the ftp in system preferences (i think ...because my os is italian and i'm not sure of the translation) how i can add users? ...with the normal users control panel, the same used for the login screen? ...it's not comfortable ...i mean ...i want to decide myself where the new user have his home directory ...

    maybe it's a stupid question ...and if it's so ...sorry, but i'm newbie with mac ...i always used pc (for ftp and web servers too)!:)

    thanks again
    marco
     
  9. mdkia

    mdkia Registered

    thanks again, i created the ftp jail and it works perfectly, and also the 'remote login' (i think, i repeat that mine is italian) is off!:) ...i promise that for today this will be my last question!:))) :
    i have 3 partitions on my imac, and one is completely empty ...i want to make the ftp users to use this empty partition (because now the partition they use is in my system disk (users) ...is it possible ...i mean to move the users ftp directories (ie 'andrea' and 'gigi') from my system partition to the empty one?


    really thanks again, and sorry for my poor english!:)
     
  10. mdkia

    mdkia Registered

    thanks!:)
    i will try to do it in the afternoon (now i'm not at home) logging in as root, i think it's more easy if i only need to drag and drop the user folders ...


    ciao
    marco
     
  11. mdkia

    mdkia Registered

    i made it and it works!:)

    grazie!


    ciao
    marco
     
  12. HeavyC

    HeavyC Registered

    When I follow those instructions and try to log on as the specified FTP user, I get an error message about being unable to change roots. What is the problem? What have I done wrong?
     
  13. gatorparrots

    gatorparrots ~departed~

    This thread is outdated. It is correct for OS X 10.1.x, but is not applicable for 10.2.

    OS X 10.2 no longer uses ftpd 6.00LS; instead Apple is using lukemftpd. However, their documentation has not been updated to reflect this change. In other words, chroot is badly broken and the ftpwelcome, ftpchroot, ftpusers files are all no longer used to configure the ftp daemon.

    I actually replaced the FTP daemon altogether, as it was useless to me and didn't offer the features I needed (DOCUMENTATION, chroot, bandwidth throttling, quotas, etc.). I think you'll find that the easiest course to take. Give it a try:

    http://www.pureftpd.org
     