stop ftp users climbing out of the home dir
hello,
been setting up my mac to host at home and run into a bit of a security thing with ftp serving. the machine's a g4 400 running jag 10.2.4. i've set up a separate ftp user and used the netinfo manager to change their 'home' directory to the folder i want to share on another volume. the user can log in and upload/download files - cool! the problem is they can climb back up the directories and get into any of the other mounted disks! this is not good... how do i restrict the user to just their 'home' folder? thanks out there, jake |
The ftp server on 10.2 is, in a word, broken. It does not support the chroot command, which allows you to change an ftp user's root directory, hence blocking them from climbing higher in the directory structure.
I found and built/installed a copy of ftpd (the daemon which serves FTP services) which does support chroot, and I'm happy again. Sorry, but I don't remember where I found the source. |
try a shareware app called SharePoints. it allows you to specify a folder to share and the permissions for it. i had the same issues with ftp. i didn't like the idea that someone could look at all my crap. i inter found this app and can set up a folder to be shared. i can set it so a guest can read, read/write, or do nothing to a folder. sharepoints rocks. it might not be exactly what you want but it is kind of a work around it.
look on versiontraker.com for it |
hi,
thanks for the replies. can't believe that apple have built in something like ftp and made it so inflexible and insecure?! seems silly when they go to the effort of the whole 'home directory and a drop box' mentality and chuck in a firewall... gonna check out the 'SharePoints' app (found it at http://www.hornware.com/) and give it a go. from what i've read this is a file sharing thing rather than an ftp protocol? sounds interesting.. cheers for the help, if i find another solution i'll chuck it in a message, cheers, jake |
could somebody write a how-to regarding upgrading to this more functional version of the ftp server? sounds like anyone wishing to run an ftp on their mac would want to do this.
|
Quote:
I have installed it on several Solaris machines without problems. I would think you could compile and install it on OS X, but I could be wrong. I'll try to install it later tonight. http://proftpd.linux.co.uk/ |
do you need to uninstall the standard ftp server? will the two conflict?
|
sounds good! i'll try it out this evening...
one thing, i'm not sure if i've even 'compiled' software before. i've got the dev tools installed, so no problem there. i'm guessing i need to download the source files from the ftp server, but which one! the server at: ftp://ftp.proftpd.org/distrib/source/ shows a whole bunch of files (there's a 1.2.8 and 1.2.7 version?). hopefully a good solution to the problem - still can't believe apple made the built in ftp so useless.... thanks out there! p.s. the weasel signature's the money! |
where do you get the dev tools or the dev cd from?
|
i believe that they come with OS X or Jaguar when you buy it.
|
Quote:
The developer tools will install the Apple compiler which you need to install ProFTPD. I guess they may be on your original CDs, or you can sign up as a developer on the Apple Developer site and download them. Hope you have a fast connection, the tools are a big download. |
They won't conflict, but if you want to you can also set inetd/xinetd to use proftpd instead of ftpd so that the server doesn't have to be on when there are no users connected (and so you can turn the server on/off in the sharing preferences pane in system prefs)
I just changed my /etc/xinetd.d/ftp file to point to /usr/local/sbin/proftpd instead of the normal ftpd daemon. You also have to conf. proftpd to know it's being run from inetd/xinetd (very easy, says exactly how in the proftpd.conf example, I think) I believe there are some article(s) on this subject in the macosxhints database too. |
is there no way of reconfiguring the existing ftp service then? surely they didn't just include a duff ftp install, just misconfigured it?
also, i'm not sure i like the idea of messing with xinetd.d/ftp. won't this get rewritten over when you update the system? i suppose you could just write a post-sys-upgrade script to put things right again. i'm a believer that with x, an install that is as vanilla as poss is going to cause less trouble. correct me if i'm wrong in this case please. |
hi just found this:
http://www.mneptok.com/software/osx/ a version of ProFTPd 1.2.4 with a precompiled installer. look for the proftpd-1.2.4-osx.tgz file. giving it a go now, i'll let you know how it goes... jake |
ok, this is what i've cobbled together using a load of stuff from these links:
http://www.macosxhints.com/article.p...11105072813797
http://www.macosxhints.com/article.p...20824214006348
http://www.macosxhints.com/comment.p...der=&pid=12933
http://home.earthlink.net/~dgreuel/howto.html

this was written in a hurry, i'll tidy it up at some point! it allows me to login with my username and password and ONLY see my home dir. i can't climb back up or do anything else. in addition, i've created a new user and changed their home directory to a folder on another drive using the netinfo manager - this also works!! here goes.. (excuse the copy and paste from the above articles for the time being)

1) get ProFTPd

in a terminal window, type (without "%", which represents the prompt):

    % curl -O ftp://ftp.proftpd.org/distrib/source...d-1.2.7.tar.gz

when it's finished, look in your home directory and you should have a file called 'proftpd-1.2.7.tar.gz'. to get the source code, then type:

    % tar xvfz proftpd-1.2.7.tar.gz

again, look in your home and the directory 'proftpd-1.2.7' should be there.

2) compile and install

type the following:

    % cd proftpd-1.2.7
    % ./configure
    % make
    % sudo make install

loads of text go by... (get a beer).

3) set up ProFTPd

turn off ftp access in the 'sharing/services' preference panel. in the terminal type the following:

    % sudo pico /etc/xinetd.d/ftp

which will open a file looking like this in the pico text editor:

    service ftp
    {
        disable = yes
        socket_type = stream
        wait = no
        user = root
        server = /usr/libexec/ftpd
        server_args = -l
        groups = yes
        flags = REUSE
    }

edit the line:

    server = /usr/libexec/ftpd

to this:

    server = /usr/local/sbin/proftpd

and change the line:

    server_args = -l

to this:

    server_args = -c /etc/proftpd.conf

do control x and say y followed by enter to save the file and exit pico. go back and turn off ftp access in the 'sharing/services' preference panel.

4) set up the ProFTPd configuration file

in the terminal type:

    % sudo pico /usr/local/etc/proftpd.conf

to open up the configuration file. edit it to look like this:

    # This is a basic ProFTPD configuration file.
    # this basic configuration is for use with mac osx and proftpd 1.2.4
    # provides basic replacement of OSX built-in FTP functionality
    # unix user only login, user complete read/write/chmod with unix permissions
    # this conf adds chroot to home and the ability to not require a valid shell

    ServerName "ProFTPD"
    ServerType inetd
    DefaultServer on

    # Port 21 is the standard FTP port.
    Port 21

    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask 022

    # To prevent DoS attacks, set the maximum number of child processes
    # to 30. If you need to allow more than 30 concurrent connections
    # at once, simply increase this value. Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances 30

    # Set the user and group that the server normally runs at.
    User nobody
    Group nobody

    # Normally, we want files to be overwriteable.
    <Directory /*>
      AllowOverwrite on
    </Directory>

    # change user's root to home and other global variables
    <Global>
      DefaultRoot ~
      DeleteAbortedStores on
      ExtendedLog /var/log/proftpd.log
      AllowOverwrite on
      RequireValidShell off
    </Global>

    <Limit SITE_CHMOD>
      AllowAll
    </Limit>

you can put any name you like in the 'ServerName'. my understanding is this only allows the machine users to login, it doesn't allow anonymous logins. i think i've covered everything! gonna try this on another machine at work tomorrow to double check... going to bed now, it's late, too late... |
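A check for the chroot setting the how-to above depends on, added here as an example (not code from the post or from ProFTPD): a small parser for the proftpd.conf block syntax that flags a file with no DefaultRoot (so a login can cd above its home, which is the thread's original problem), a server running as User root, or a missing or permissive Umask. Both sample configs are constructed from the post's directives.

```python
# Constructed sample: the directives from the post's proftpd.conf that matter for chroot.
GOOD_CONF = """\
ServerType inetd
Umask 022
User nobody
<Directory /*>
  AllowOverwrite on
</Directory>
<Global>
  DefaultRoot ~
  RequireValidShell off
</Global>
"""
# Constructed "before" config: no <Global> block, so no DefaultRoot, and run as root.
WEAK_CONF = "ServerType inetd\nUser root\nGroup wheel\n"

def parse_proftpd_conf(text):
    """Minimal parser: directives outside any <Block> go into 'top'; directives
    inside a block are keyed by the lowercased block header, e.g. '<global>'."""
    top, blocks, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("</"):             # closing tag: leave the block
            stack.pop()
        elif line.startswith("<"):            # opening tag: enter a new block
            stack.append(line.lower())
        else:
            name, _, value = line.partition(" ")
            target = blocks.setdefault(stack[-1], {}) if stack else top
            target[name.lower()] = value.strip()
    return top, blocks

def chroot_findings(text):
    """Return the problems that would let an FTP login leave its home directory."""
    top, blocks = parse_proftpd_conf(text)
    merged = dict(top, **blocks.get("<global>", {}))  # <Global> applies to every server
    findings = []
    if "defaultroot" not in merged:
        findings.append("no DefaultRoot: logins can cd above their home directory")
    if merged.get("user", "").lower() == "root":
        findings.append("User root: every session runs with full privileges")
    if merged.get("umask") not in ("022", "027", "077"):
        findings.append("Umask missing or permissive: uploads may be group/world writable")
    return findings
```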
start/stop ftp using the terminal
related question:
is there any way to log in using ssh and start/stop ftp using the terminal? thinking about it, can you start/stop any of the other services in os x using the terminal? was thinking if it was possible to install ProFTPd on a remote machine... cheers, jake |
% man proftpd
% man ftpshut |
hmmm... just tried the install on the machine at work. get this error at the ./configure terminal command:
configure: error: no acceptable cc found in $PATH the only difference between this system and the one at home is this is an upgrade from 10.1 to 10.2.4 (ie the 1st release of osx, then we got the jaguar cd - rather than reinstalling i just upgraded). get back to you if i find anything. in addition, some of the urls have been 'chopped' up so i've put the txt file on a server if anyone would like to read it: http://www.28design.co.uk/jake/proFT...tall_instr.txt |
hello,
thanks for the commands - would i be right in thinking that i login via ssh and type: % man proftpd % man ftpshut to shut the ftp server down and: % man proftpd % man ftpstart to fire it up again??? now i've got it running the last thing i want to do is turn it off permanently! cheers, jake |
man is the command to access the manual. i think whoever pointed you towards that command was trying to say that they didn't know the answer, but that if you used 'man commandname' you could find out the answer to your question.
hope that helps - though you might have found out by now! |
think that's it! i thought the dev tools were on this machine, seems to have been deleted (too much house keeping on my part)
i'll give it another go, cheers, jake |
Error when starting (or quitting)
I'm getting an error when starting or quitting the server:
xinetd[4719]: Error reading included directory: /etc/xinetd.d [line=11] I've checked and rechecked the file but am lost. Any ideas? Jim |
chroot in Jaguar
There are detailed instructions for recompiling ftpd w/ chroot support at :
http://www.chezludo.com/ftpchroot.html |
sweet! thanx.
|
pure-ftpd
There's always pure-ftpd, which natively supports chroot:
http://forums.macosxhints.com/showth...threadid=10276 |
FINK
It seems that both proftp, as well as pure-ftp are available as FINK installs. That should save people a lot of trouble. To see what packages are available do this:
    % fink list ftp

Here are the results:

    aftp             1.0-1        Manipulate and browse Apple II disk images
    axyftp           0.5.1-5      FTP client for X with nice and intuitive ...
    ftp-tls          20020906-3   SSL/TLS enabled replacement for standard ...
    ftpfiles         20030406-1   Some required system files
    gftp             2.0.14-3     Multithreaded ftp client for X Windows
    gproftpd         8.0.3-1      GNOME Frontend for Proftpd standalone
    lftp             2.6.5-1      Sophisticated command line based FTP client
    lftp-ssl         2.6.5-1      Sophisticated command line based FTP client
    ncftp            3.1.5-1      Browser program using ftp protocol
    proftpd          1.2.8.0-2    Advanced, incredibly configurable and sec...
    pure-ftpd        1.0.14-1     Efficient, lightweight, and secure ftp se...
    tftp-hpa         0.26-2       Enhanced port of the BSD TFTP server
    webmin-proftpd   1.090-1      Webmin module: ProFTPD Server
    webmin-x-wuftpd  1.090-1      EXTRA Webmin module: WU-FTP Server

After looking through them, pure-ftpd seems like the easiest. The other thread linked above has good instructions for using it, that together with the FINK package description provide all the info you will need. (I think - I have to go try it.) |
fink and unstable versions
After lot's of hours spent as total newbie in fink :rolleyes: , there are some points i want to mention. Use fink configuration which seeks also for unstable vers., because otherway there wont be proftp package when listing. To do this type
% fink configure and when asked whether to use unstable versions type "y" and return. Other files I left default. You may also find usable that mac developer tools are now called XCode. |
oh... I read my own post today and I'm sorry for that terrible blunders... lot's = lots, wont = won't
and also I want to know if there is anyone here who was able to use external file for user-config. AuthUserFile didn't work for me for some reason. |