Part 1. proftpd chrooted


To keep your FTP server secure and prevent users from browsing the server’s whole directory structure, you need to restrict FTP users to their home directories. On *nix systems this is called a “chrooted environment”. Once a user logs in to an FTP account, the FTP server software changes the root directory to the user’s home directory. This way users can’t go outside of their directories. To enable this feature in proftpd, use the DefaultRoot option in your proftpd.conf configuration file. In the general case it looks like this:

	DefaultRoot ~

Another question we’re often asked is “How can I bring directories located elsewhere into users’ home directories?”. There are 3 ways you could do this, but only one of them works well. Let’s consider them.

Proftpd and symlinks

For example, we have a /var/ftp/common directory that we want to bring to /home/alex/common. In a non-chrooted environment we could use a symlink:

    lrwxrwxrwx 1 root root ... /home/alex/common -> /var/ftp/common

But in a chrooted environment the target is resolved relative to the new root, so it effectively becomes:

    lrwxrwxrwx 1 root root ... /home/alex/common -> /home/alex/var/ftp/common

This is because the root for user ‘alex’ is his home directory, ‘/home/alex’. That’s why we can’t use symlinks with chrooted server software.

Proftpd and hardlinks

Another option is hard links. But you can’t use them, for 2 reasons:

  • You can’t create hard links to directories
  • You can’t create hard links to files located on different devices (and, as a result, on different filesystems)

Proftpd and mounting with bind option

There’s only one good way to export resources to a chrooted environment: mounting directories at several locations in the filesystem. If you want to have an exact duplicate of the /var/ftp/common directory available for user alex at his /home/alex/common, use one of these commands:

* Linux (2.4.0 kernels and later):

    mount -o bind /var/ftp/common /home/alex/common

* BSD (as of 4.4BSD):

    mount_null /var/ftp/common /home/alex/common

* Solaris:

    mount -F lofs /var/ftp/common /home/alex/common

To keep directories mounted permanently you need to add them to /etc/fstab (or /etc/vfstab on Solaris).
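
As an added example (not part of the original post), the script below audits a home directory that will become the FTP root under DefaultRoot ~: it lists symlinks with absolute targets, shows the path the chrooted server would actually look up, and prints the Linux /etc/fstab bind entry that would replace each broken link. The function names are hypothetical, and the `none bind 0 0` fields are the usual Linux fstab form, which the post itself does not spell out.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not proftpd tooling.

# Path a chrooted process really reaches when it follows an absolute
# symlink target: the target is looked up again under the chroot directory.
chroot_view() {  # $1 = chroot directory, $2 = absolute symlink target
    printf '%s%s\n' "${1%/}" "$2"
}

# Linux /etc/fstab line that bind-mounts $1 (source) onto $2 (mount point).
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Walk a home directory used as the FTP root and report every symlink with
# an absolute target. For broken links whose real target is a directory,
# print the fstab entry for the bind mount that should replace the link.
audit_home() {  # $1 = user's home directory
    home=${1%/}
    find "$home" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) ;;            # absolute: re-rooted by the chroot
            *) continue ;;    # relative targets are not re-rooted; skipped
        esac
        seen=$(chroot_view "$home" "$target")
        if [ -e "$seen" ]; then
            echo "OK      $link -> $target (exists in chroot as $seen)"
        else
            echo "BROKEN  $link -> $target (chroot looks for $seen)"
            if [ -d "$target" ]; then
                fstab_bind_line "$target" "$link"
            fi
        fi
    done
}

# Run as: sh audit.sh /home/alex
if [ "$#" -gt 0 ]; then
    audit_home "$1"
fi
```

Before mounting, replace each reported symlink with an empty directory, since a bind mount of a directory needs a directory as its mount point.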
