
How to chroot users with wu-ftpd

I wanted to chroot users on a web server so they could not leave their home directories. I had been told that you could do it with the standard fbsd ftpd, but I would have to recompile it with the INTERNAL_LS=YES for the make. I had no luck even after cvsup'ing the -STABLE source. Instead of fighting the standard ftpd more, I decided to try wu-ftpd. First off, wu-ftpd has had a string of exploits lately, so make sure you check the wu-ftpd site for any security advisories and updates. Also cvsup your ports so you have the latest version and patches of the wu-ftpd port.

I thought I would give you some nice detailed instructions on how to install this with the right flags, but it seems that wu-ftpd is in the process of moving to autoconf. This is what worked for me. You need to do the make with the --enable-ls flag for it to be able to list the files in the dirs once a user is chrooted. You can download the tarball and untar it, then cd into that dir. Type ./configure --enable-ls to get it started. Then I did a ./build fbs to make it for fbsd. Then I manually installed the bin by cd'ing into bin and copying over the ftpd to /usr/local/libexec. Please understand that I had already installed the port to find out that it didn't have internal ls enabled. You can also do a ./build install after the ./build fbs to install the files.

You will now need to have your system call the wu-ftpd instead of the standard ftpd. Edit your /etc/inetd.conf to have the line:

ftp   stream tcp   nowait root  /usr/local/libexec/ftpd ftpd -a -L

(this may be different for you depending on tcp wrappers and such)

You will need to kill -HUP `cat /var/run/inetd.pid` to have your system start using the new inetd.conf.

The /usr/local/etc/ftpaccess file is very important for being able to chroot a user. You can tweak a lot of settings in this file, and I really think you should spend some time in man ftpaccess, but we just want the info for chroot'ing for now. You should find a ftpaccess.sample in your /usr/local/etc dir to get you started.

You need a line in the /usr/local/etc/ftpaccess that reads

guestuser <username or group name>

This tells wu-ftpd to treat any users who are listed, or who are members of groups listed, as guests and allows them to be chrooted in the passwd file.

In your passwd file you need to set the user's home dir so that the dir they are chrooted to ends with a /./ marker. After the marker you can also specify the dir you want them in when they log in, other than the one you chrooted them to.

Here is an example:

ftptest:*:1001:1001:ftptest:/usr/home/ftptest/./:/etc/ftponly

The above will chroot the user to the dir /usr/home/ftptest. They will not be able to cd above that.

ftptest:*:1001:1001:ftptest:/usr/home/ftptest/./public_html:/etc/ftponly

This will chroot the user to /usr/home/ftptest but will cd them into /usr/home/ftptest/public_html

This is useful for a webserver, as it makes the user have to do as little as possible, just upload webpages.
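
To check the two files against each other, here is an added example (not part of the original article or of wu-ftpd): Python that compares the guestuser lines in ftpaccess with the passwd home dirs and reports each guest's chroot dir and login dir. The file contents are constructed samples, the function names are made up for this example, and names on guestuser lines are treated as user names only (groups are not resolved).

```python
# Constructed sample data in the formats shown above (not from a real system).
FTPACCESS = """\
class all real,guest,anonymous *
guestuser ftptest bob
guestuser carol dave
"""
PASSWD = """\
ftptest:*:1001:1001:ftptest:/usr/home/ftptest/./public_html:/etc/ftponly
alice:*:1002:1002:alice:/usr/home/alice/./:/etc/ftponly
bob:*:1003:1003:bob:/usr/home/bob/./:/etc/ftponly
carol:*:1004:1004:carol:/usr/home/carol:/etc/ftponly
"""

def guest_names(ftpaccess):
    """Collect every name listed on a `guestuser` line (other lines ignored)."""
    names = set()
    for line in ftpaccess.splitlines():
        fields = line.split()
        if fields and fields[0] == "guestuser":
            names.update(fields[1:])
    return names

def split_home(home):
    """Split a home dir at /./ into (chroot dir, login dir); None if no marker."""
    root, marker, rest = home.partition("/./")
    return (root, (root + "/" + rest).rstrip("/")) if marker else None

def audit(ftpaccess, passwd):
    """Return {user: finding} comparing guestuser lines with passwd home dirs."""
    guests, report, seen = guest_names(ftpaccess), {}, set()
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # assumption: only the 7-field passwd format shown above
        user, home = fields[0], fields[5]
        seen.add(user)
        parts = split_home(home)
        if user in guests and parts:
            report[user] = "chroot %s, login dir %s" % parts
        elif user in guests:
            report[user] = "listed as guestuser but home has no /./"
        elif parts:
            report[user] = "home has /./ but no guestuser line"
    for user in guests - seen:  # named in ftpaccess, absent from passwd
        report[user] = "guestuser line but no passwd entry"
    return report

if __name__ == "__main__":
    for user, finding in sorted(audit(FTPACCESS, PASSWD).items()):
        print("%-8s %s" % (user, finding))
```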


Webpages to look at for more info:
http://www.wu-ftpd.org
http://www.landfield.com/wu-ftpd

Also, don't forget how useful the man pages can be. man is your friend.

© 1997 - 20013 Defcon1, www.defcon1.org , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.
