From Marco Iannacone on the comp.unix.questions newsgroup on 9 Jun 1997
It looks like I never answered this question. (I'm going through my old archives).
Hi James, how you doing?
I'm writing to you as The Answer Guy 'cause I have some problem with setting up the guest trick with wu-ftpd. What I mean is to have a chrooted enviroment for some special user with their home directory and user-id and password.
I'm using Slackware '96 Linux with the wu-archive-ftp that comes already compiled with it.
This is what I did:
I think this is supposed to be
/home/ftp/./user-foo
... if you want the guestgroup directive in wu-ftpd's ftpaccess file to chroot to /home/ftp and initially place this user in the/home/ftp/user-foo directory.
I don't recall whether the "ftponly" (or whatever you call your "guestgroup" group) has to be that user's primary group (the one listed in /etc/passwd) or whether it can be one of the supplemental groups (as listed in /etc/group)
...
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
....
guestgroup guest
[root]:/home/ftp>ls -la total 104 dr-xr-xr-x 9 root root 512 Jun 2 14:01 . drwxrwxr-x 6 user-foo guest 512 Jun 3 13:54 user-foo dr-xr-xr-x 2 root root 512 Jun 3 09:45 bin
Now the ftp server is running fine (both with normal and anonymous users) and even the chrooted enviroment for guest is working fine: the user can login, upload and download files and it is locked in that directory... i.e. can go in all the subdirectory but can't go up. So it is perfect!
The only problem is that ls and dir are not working and he can only list files using nlist.
For example:
Name (localhost:root): user-foo 331 Password required for user-foo. Password: 230 User amex logged in. Access restrictions apply. ftp> nlist 200 PORT command successful. 150 Opening ASCII mode data connection for file list. bin .profile etc .rhosts .forward .sh_history test-directory test-file.txt 226 Transfer complete. ftp> dir 200 PORT command successful. 150 Opening ASCII mode data connection for '/bin/ls'. 226 Transfer complete. ftp> ls 200 PORT command successful. 150 Opening ASCII mode data connection for '/bin/ls'. 226 Transfer complete. ftp>quit
What am I missing? how can I allow him to do ls and dir? Note: i'm sure that the new ls is working:
[root@Goliath /home/ftp/user-foo//bin]#./ls compress cpio gzip ls sh tar [root@Goliath /home/ftp/user-foo/bin]#
and that is statically linked:
[root@Goliath /home/ftp/user-foo/bin]#ldd ./ls Statically linked (ELF) [root@Goliath /home/ftp/user-foo/bin]#
Thanks a lot, Marco
Everything else sounds right to me.
Naturally I hope you've long since solved this problem. I just hate to leave a question unanswered.
Incidentally, you might look at ncftpd (a newer FTP daemon from Mike Gleason, author of the popular ncftp client). ncftpd allegedly offers better options for locking users into their home directories and it contains built-in support for 'ls' and similar commands.
ncftpd is shareware, rather than freeware, and Mike wants $40 (US) for small servers (50 concurrent sessions or less) and about $200 for larger servers.
However you can evaluate the whole package for free. Start by taking a look at:
http://www.probe.net/~mgleason/ncftpd/
... or at:
http://www.ncftp.com/
... and reading about the features list.
Naturally this hasn't been around as long as wu-ftpd, and the sources don't seem to be openly available. So ncftpd doesn't benefit from the informal process of code review that we take for granted for most Linux networking packages.
(This informal process of auditing does not seem to have been terribly effective, however, since we still find new security problems in code that's been free for decades. For this reason there are have a couple of more organized and formal efforts --- the OpenBSD project and the Linux Security Audit http://www.att.net/~Bandit2006/ to name the two with which I'm familiar).