#1
Prospect
Join Date: Feb 2003
Location: williamson
Posts: 34
stop ftp users climbing out of the home dir
hello,
been setting up my mac to host at home and run into a bit of a security thing with ftp serving. the machine's a g4 400 running jag 10.2.4. i've set up a separate ftp user and used the netinfo manager to change their 'home' directory to the folder i want to share on another volume. the user can log in and upload/download files - cool! the problem is they can climb back up the directories and get into any of the other mounted disks! this is not good... how do i restrict the user to just their 'home' folder? thanks out there, jake
#2
Triple-A Player
Join Date: Jan 2003
Location: Sydney
Posts: 61
The ftp server on 10.2 is, in a word, broken. It does not support the chroot command, which allows you to change an ftp user's root directory, hence blocking them from climbing higher in the directory structure.
I found and built/installed a copy of ftpd (the daemon which serves FTP services) which does support chroot, and I'm happy again. Sorry, but I don't remember where I found the source.
#3
Major Leaguer
Join Date: Jul 2002
Posts: 393
try a shareware app called SharePoints. it allows you to specify a folder to share and the permissions for it. i had the same issues with ftp. i didn't like the idea that someone could look at all my crap. i inter found this app and can set up a folder to be shared. i can set it so a guest can read, read/write, or do nothing to a folder. sharepoints rocks. it might not be exactly what you want but it is kind of a workaround.
look on versiontracker.com for it
#4
Prospect
Join Date: Feb 2003
Location: williamson
Posts: 34
hi,
thanks for the replies. can't believe that apple have built in something like ftp and made it so inflexible and insecure?! seems silly when they go to the effort of the whole 'home directory and a drop box' mentality and chuck in a firewall... gonna check out the 'SharePoints' app (found it at http://www.hornware.com/) and give it a go. from what i've read this is a file sharing thing rather than an ftp protocol? sounds interesting.. cheers for the help, if i find another solution i'll chuck it in a message, cheers, jake
#5
Triple-A Player
Join Date: Feb 2003
Location: back in t'ol' smoke :(
Posts: 225
could somebody write a how-to regarding upgrading to this more functional version of the ftp server? sounds like anyone wishing to run an ftp on their mac would want to do this.
__________________
JKP.
#6
Triple-A Player
Join Date: Jan 2003
Location: Texas
Posts: 59
Why not try installing PROFTPD? It's a UNIX ftp program which allows you to restrict users to their own directories based on userID or group. It has an Apache type of config file which is pretty straight forward. I have installed it on several Solaris machines without problems. I would think you could compile and install it on OS X, but I could be wrong. I'll try to install it later tonight. http://proftpd.linux.co.uk/
__________________
-- Later Dafuser... "I picked up a Magic 8-Ball the other day and it said 'Outlook not so good'. I said 'Sure, but Microsoft still ships it.'"
#7
Triple-A Player
Join Date: Jan 2003
Location: Texas
Posts: 59
Yep, compiles and installs just fine on my TiPowerBook running 10.2.4. You'll need the Apple developers software installed so you can compile and install ProFTPD. It should give you the control you want for your FTP users.
__________________
-- Later Dafuser... "I picked up a Magic 8-Ball the other day and it said 'Outlook not so good'. I said 'Sure, but Microsoft still ships it.'"
#8
Triple-A Player
Join Date: Feb 2003
Location: back in t'ol' smoke :(
Posts: 225
do you need to uninstall the standard ftp server? will the two conflict?
__________________
JKP.
#9
Prospect
Join Date: Feb 2003
Location: williamson
Posts: 34
sounds good! i'll try it out this evening...
one thing, i'm not sure if i've even 'compiled' software before. i've got the dev tools installed, so no problem there. i'm guessing i need to download the source files from the ftp server, but which one! the server at: ftp://ftp.proftpd.org/distrib/source/ shows a whole bunch of files (there's a 1.2.8 and 1.2.7 version?). hopefully a good solution to the problem - still can't believe apple made the built in ftp so useless.... thanks out there! p.s. the weasel signature's the money!
#10
Major Leaguer
Join Date: Jul 2002
Posts: 393
where do you get the dev tools or the dev cd from?
#11
Triple-A Player
Join Date: Feb 2003
Location: back in t'ol' smoke :(
Posts: 225
i believe that they come with OS X or Jaguar when you buy it.
__________________
JKP.
#12
Triple-A Player
Join Date: Jan 2003
Location: Texas
Posts: 59
Look under current versions near the top left of the ProFTPD main page. You want the 1.2.7 version, click on the gz link. The developer tools will install the Apple compiler which you need to install ProFTPD. I guess they may be on your original CDs, or you can sign up as a developer on the Apple Developer site and download them. Hope you have a fast connection, the tools are a big download.
__________________
-- Later Dafuser... "I picked up a Magic 8-Ball the other day and it said 'Outlook not so good'. I said 'Sure, but Microsoft still ships it.'"
#13
Triple-A Player
Join Date: Jan 2003
Location: Texas
Posts: 59
The two programs won't conflict. Read the INSTALL file for instructions on how to configure, compile, and install ProFTPD.
__________________
-- Later Dafuser... "I picked up a Magic 8-Ball the other day and it said 'Outlook not so good'. I said 'Sure, but Microsoft still ships it.'"
#14
Prospect
Join Date: Dec 2002
Location: Sweden
Posts: 18
They won't conflict, but if you want to you can also set inetd/xinetd to use proftpd instead of ftpd so that the server doesn't have to be on when there are no users connected (and so you can turn the server on/off in the sharing preferences pane in system prefs)
I just changed my /etc/xinetd.d/ftp file to point to /usr/local/sbin/proftpd instead of the normal ftpd daemon. You also have to conf. proftpd to know it's being run from inetd/xinetd (very easy, says exactly how in the proftpd.conf example, I think) I believe there are some article(s) on this subject in the macosxhints database too.
__________________
"- But doesn't the bible teach us: Judge not, lest ye be judged? - She's a witch! Burn her!"
#15
Triple-A Player
Join Date: Feb 2003
Location: back in t'ol' smoke :(
Posts: 225
is there no way of reconfiguring the existing ftp service then? surely they didn't just include a duff ftp install, just misconfigured it?
also, i'm not sure i like the idea of messing with xinetd.d/ftp. won't this get rewritten over when you update the system? i suppose you could just write a post-sys-upgrade script to put things right again. i'm a believer that with x, an install that is as vanilla as poss is going to cause less trouble. correct me if i'm wrong in this case please.
__________________
JKP.
#16
Prospect
Join Date: Feb 2003
Location: williamson
Posts: 34
hi just found this:
http://www.mneptok.com/software/osx/ a version of ProFTPd 1.2.4 with a precompiled installer. look for the proftpd-1.2.4-osx.tgz file. giving it a go now, i'll let you know how it goes... jake
#17
Prospect
Join Date: Feb 2003
Location: williamson
Posts: 34
ok, this is what i've cobbled together using a load of stuff from these links:
http://www.macosxhints.com/article.p...11105072813797
http://www.macosxhints.com/article.p...20824214006348
http://www.macosxhints.com/comment.p...der=&pid=12933
http://home.earthlink.net/~dgreuel/howto.html

this was written in a hurry, i'll tidy it up at some point! it allows me to log in with my username and password and ONLY see my home dir. i can't climb back up or do anything else. in addition, i've created a new user and changed their home directory to a folder on another drive using the netinfo manager - this also works!! here goes.. (excuse the copy and paste from the above articles for the time being)

1) get ProFTPd

In a terminal window, type (without "%", which represents the prompt):

    % curl -O ftp://ftp.proftpd.org/distrib/source...d-1.2.7.tar.gz

when it's finished, look in your home directory and you should have a file called 'proftpd-1.2.7.tar.gz' to get the source code. Then type

    % tar xvfz proftpd-1.2.7.tar.gz

again, look in your home and the directory 'proftpd-1.2.7' should be there.

2) compile and install

type the following

    % cd proftpd-1.2.7
    % ./configure
    % make
    % sudo make install

loads of text go by... (get a beer).

3) set up ProFTPd

turn off ftp access in the 'sharing/services' preference panel. in the terminal type the following:

    % sudo pico /etc/xinetd.d/ftp

which will open a file looking like this in the pico text editor:

    service ftp
    {
        disable     = yes
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/libexec/ftpd
        server_args = -l
        groups      = yes
        flags       = REUSE
    }

edit the line:

    server = /usr/libexec/ftpd

to this:

    server = /usr/local/sbin/proftpd

and change the line:

    server_args = -l

to this:

    server_args = -c /etc/proftpd.conf

do control x and say y followed by enter to save the file and exit pico. go back and turn off ftp access in the 'sharing/services' preference panel.

4) set up the ProFTPd configuration file

in the terminal type:

    sudo pico /usr/local/etc/proftpd.conf

to open up the configuration file. edit it to look like this:

    # This is a basic ProFTPD configuration file.
    # this basic configuration is for use with mac osx and proftpd 1.2.4
    # provides basic replacement of OSX built-in FTP functionality
    # unix user only login, user complete read/write/chmod with unix permissions
    # this conf adds chroot to home and the ability to not require a valid shell

    ServerName      "ProFTPD"
    ServerType      inetd
    DefaultServer   on

    # Port 21 is the standard FTP port.
    Port 21

    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask 022

    # To prevent DoS attacks, set the maximum number of child processes
    # to 30. If you need to allow more than 30 concurrent connections
    # at once, simply increase this value. Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances 30

    # Set the user and group that the server normally runs at.
    User nobody
    Group nobody

    # Normally, we want files to be overwriteable.
    <Directory /*>
      AllowOverwrite on
    </Directory>

    # change user's root to home and other global variables
    <Global>
      DefaultRoot ~
      DeleteAbortedStores on
      ExtendedLog /var/log/proftpd.log
      AllowOverwrite on
      RequireValidShell off
    </Global>

    <Limit SITE_CHMOD>
      AllowAll
    </Limit>

you can put any name you like in the 'ServerName'. my understanding is this only allows the machine users to log in, it doesn't allow anonymous logins. i think i've covered everything! gonna try this on another machine at work tomorrow to double check... going to bed now, it's late, too late...
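Before turning FTP back on, it is worth checking that the two files edited in steps 3 and 4 actually put the chroot in place: that xinetd launches proftpd with a -c config, that ServerType is inetd, and that DefaultRoot is set (that is the directive that confines users to their home directory and so answers the original question). The following is an added example, not code from this thread or from the ProFTPD project. It is a small Python checker with constructed copies of the xinetd entry and of the relevant proftpd.conf directives from the post embedded as sample input; the file paths in it are the ones the post uses.

```python
"""Audit the /etc/xinetd.d/ftp entry and proftpd.conf from the how-to.

Added example (not the post's or ProFTPD's code). The samples below are
constructed copies of the configs shown in the post.
"""
import re

# Constructed sample: /etc/xinetd.d/ftp as shipped, before the step-3 edits.
XINETD_BEFORE = """\
service ftp
{
    disable     = yes
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/libexec/ftpd
    server_args = -l
    groups      = yes
    flags       = REUSE
}
"""

# Constructed sample: the same file after the step-3 edits, with the service
# switched on (the Sharing pane flips `disable` to no).
XINETD_AFTER = (XINETD_BEFORE
                .replace("disable     = yes", "disable     = no")
                .replace("/usr/libexec/ftpd", "/usr/local/sbin/proftpd")
                .replace("server_args = -l", "server_args = -c /etc/proftpd.conf"))

# Constructed sample: the security-relevant directives of the step-4 proftpd.conf.
PROFTPD_CONF = """\
ServerName      "ProFTPD"
ServerType      inetd
DefaultServer   on
Umask 022
<Directory /*>
  AllowOverwrite on
</Directory>
<Global>
  DefaultRoot ~
  RequireValidShell off
</Global>
"""


def parse_xinetd_service(text):
    """Return (service name, {attribute: value}) for the first service block."""
    match = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if match is None:
        raise ValueError("no 'service name { ... }' block found")
    attrs = {}
    for line in match.group(2).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return match.group(1), attrs


def parse_proftpd_conf(text):
    """Return [(enclosing blocks, directive, value)]; blocks is e.g. ('Global',)."""
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):        # closes the innermost <Block>
            stack.pop()
        elif line.startswith("<"):       # opens <Global>, <Directory /*>, ...
            stack.append(line[1:-1])
        else:
            parts = line.split(None, 1)
            entries.append((tuple(stack), parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def effective(entries, directive):
    """Value of a directive at top level or inside <Global>, or None if unset."""
    for blocks, name, value in entries:
        if name == directive and blocks in ((), ("Global",)):
            return value
    return None


def audit(xinetd_text, conf_text):
    """Return a list of problems; an empty list means the how-to's setup is in place."""
    problems = []
    name, attrs = parse_xinetd_service(xinetd_text)
    if name != "ftp":
        problems.append("xinetd block is for service %r, not ftp" % name)
    server = attrs.get("server", "")
    if server.rsplit("/", 1)[-1] != "proftpd":
        problems.append("xinetd still launches %s instead of proftpd" % (server or "nothing"))
    if "-c" not in attrs.get("server_args", "").split():
        problems.append("server_args does not pass -c <config file> to proftpd")
    if attrs.get("disable") == "yes":
        problems.append("ftp is still disabled in xinetd (turn it on in the Sharing pane)")

    entries = parse_proftpd_conf(conf_text)
    if effective(entries, "ServerType") != "inetd":
        problems.append("ServerType must be inetd when proftpd is launched by xinetd")
    root = effective(entries, "DefaultRoot")
    if root is None or root == "/":
        problems.append("DefaultRoot missing or '/': users can climb out of their home directory")
    if effective(entries, "Umask") is None:
        problems.append("Umask unset: the how-to uses Umask 022 so new files are not group/world writable")
    return problems


if __name__ == "__main__":
    for label, xinetd in (("as shipped", XINETD_BEFORE), ("after the edits", XINETD_AFTER)):
        print(label + ":", audit(xinetd, PROFTPD_CONF) or ["ok"])
```

Run against the shipped xinetd entry it reports the stock ftpd, the missing -c and the disabled service; against the edited entry and the post's proftpd.conf it reports nothing. To check the real files rather than the embedded samples, pass the contents of /etc/xinetd.d/ftp and /usr/local/etc/proftpd.conf to audit().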
#18
Prospect
Join Date: Feb 2003
Location: williamson
Posts: 34
start/stop ftp using the terminal
related question:
is there any way to log in using ssh and start/stop ftp using the terminal? thinking about it, can you start/stop any of the other services in os x using the terminal? was thinking if it was possible to install ProFTPd on a remote machine... cheers, jake
#19
League Commissioner
Join Date: Jan 2002
Posts: 5,536
% man proftpd
% man ftpshut
#20
Prospect
Join Date: Feb 2003
Location: williamson
Posts: 34
hmmm... just tried the install on the machine at work. get this error at the ./configure terminal command:

    configure: error: no acceptable cc found in $PATH

the only difference between this system and the one at home is this is an upgrade from 10.1 to 10.2.4 (i.e. the 1st release of osx, then we got the jaguar cd - rather than reinstalling i just upgraded). get back to you if i find anything. in addition, some of the urls have been 'chopped' up so i've put the txt file on a server if anyone would like to read it: http://www.28design.co.uk/jake/proFT...tall_instr.txt