This article is from the Anonymous FTP FAQ, by Christopher Klaus <cklaus@iss.net>, with numerous contributions by others.
2. Setting up a chrooted Secure Anonymous ftp server.
This part was contributed by Marcus J Ranum <mjr@tis.com>
1. Build a statically linked version of ftpd and put it in ~ftp/bin. Make sure it's owned by root.
2. Build a statically linked version of /bin/ls if you'll need one, and put it in ~ftp/bin. If you are on a Sun and need to build one, there is a ported version of the BSD Net2 ls command for SunOS on ftp.tis.com in pub/firewalls/toolkit/patches/ls.tar.Z. Make sure it's owned by root.
3. Chown ~ftp to root and make it mode 755. THIS IS VERY IMPORTANT: the anonymous ftp user must not be able to create or replace anything at the top of the jail, or the root-owned bin and etc directories below it can be swapped out.
4. Set up copies of ~ftp/etc/passwd and ~ftp/etc/group just as you would normally, EXCEPT make 'ftp's home directory '/' -- make sure they are owned by root.
5. Write a wrapper to kick ftpd off, and install it in /etc/inetd.conf in place of ftpd. The wrapper should look something like this (assuming ~ftp = /var/ftp):

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int
    main(void)
    {
        /* Move into the FTP area first, then chroot to it, so the
         * working directory is already inside the new root. */
        if (chdir("/var/ftp")) {
            perror("chdir /var/ftp");
            exit(1);
        }
        if (chroot("/var/ftp")) {
            perror("chroot /var/ftp");
            exit(1);
        }
        /* optional: seteuid(FTPUID); */
        /* /bin/ftpd here is ~ftp/bin/ftpd as seen from inside the jail. */
        execl("/bin/ftpd", "ftpd", "-l", (char *)0);
        perror("exec /bin/ftpd");
        exit(1);
    }
Options:
You can use 'netacl' from the toolkit or tcp_wrappers to achieve the same effect.
We use 'netacl' to switch so that a few machines that connect to the FTP service *don't* get chrooted first. This makes transferring files a bit less painful.
You may also wish to take your ftpd sources and find all the places where it calls seteuid() and remove them, then have the wrapper do a setuid(ftp) right before the exec. This means that if someone knows a hole that makes them "root" they still won't be. Relax and imagine how frustrated they will be.
If you're hacking ftpd sources, I suggest you turn off a bunch of the options in ftpcmd.y by unsetting the "implemented" flag in ftpcmd.y. This is only practical if your FTP area is read-only.
6. As usual, make a pass through the FTP area and make sure that the files are in correct modes and that there's nothing else in there that can be executed.
7. Note, now, that your FTP area's /etc/passwd is totally separated from your real /etc/passwd. This has advantages and disadvantages.
8. Some things may break, such as syslog, since there is no /dev/log inside the jail. Either build a version of ftpd with a UDP-based syslog() routine, or run a second syslogd based on the BSD Net2 code, started with the -p flag so that it maintains a UNIX-domain socket named ~ftp/dev/log.
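The pass over the FTP area in step 6 is easy to get wrong by hand, so here is an added audit script that checks the ownership and mode requirements of steps 1 through 6 in one go. It is not part of the FAQ or of Ranum's contribution; the jail path (default /var/ftp) and the expected owner (default root) are parameters and are assumptions of this example. Each problem is printed as one "CLASS path" line and the function returns 1 if anything was found.

```shell
#!/bin/sh
# audit_ftp_jail JAIL OWNER
# Walk a chrooted anonymous FTP area and print one line per problem that
# steps 1-6 above say must not exist.  Returns 0 if the tree is clean and
# 1 if anything was reported.  JAIL defaults to /var/ftp and OWNER to root;
# both defaults are assumptions of this added example.
audit_ftp_jail() {
    jail=${1:-/var/ftp}
    owner=${2:-root}

    out=$( {
        # Step 3: the jail root itself, owned by OWNER and exactly mode 755.
        find "$jail" -prune ! -user "$owner" -print | sed 's/^/ROOT-OWNER /'
        find "$jail" -prune ! -perm 0755 -print   | sed 's/^/ROOT-MODE /'

        # Steps 1, 2 and 4: the static ftpd and ls, and the private passwd
        # and group, must be owned by OWNER so the ftp user cannot replace them.
        for d in bin etc; do
            if [ -d "$jail/$d" ]; then
                find "$jail/$d" ! -user "$owner" -print | sed 's/^/NOT-OWNER /'
            fi
        done

        # Step 6: nothing the anonymous user can write to (symlinks are
        # always mode 0777, so skip them) and nothing executable outside bin/.
        find "$jail" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
        find "$jail" -type f -perm -0111 ! -path "$jail/bin/*" -print \
            | sed 's/^/EXECUTABLE /'

        # A set-uid or set-gid file inside the jail is never wanted.
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print \
            | sed 's/^/SETUID-SETGID /'
    } )

    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}
```

Run it as root after building the area, e.g. `audit_ftp_jail /var/ftp root`; on a read-only FTP area the output should be empty. If you deliberately keep a writable incoming directory it will show up as WORLD-WRITABLE, which is the point: every line it prints is something to look at and justify, not necessarily something to fix.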
REMEMBER:
If there is a hole in your ftpd that lets someone get "root" access, they can still do you some damage even chrooted. It's just a lot harder. If you're willing to hack some code, making the ftpd run without root permissions is a really good thing. The correct operation of your hacked ftpd can be verified by connecting to it and, while it's still at the user prompt, running ps -axu to verify that it's not running as root.
 