
On a Debian Wheezy 64bit, I create a new user for a customer to place files into a directory. After the user is created, I take away his interactive login by replacing /bin/bash with /bin/false in /etc/passwd. Then I add him to /etc/ftpchroot, so that his session will be chrooted to his home directory.

However, as soon as I add the user to /etc/ftpchroot, when the user logs in, he cannot see any files. The user is chrooted, he cannot traverse upwards. He can upload files, which are stored in the correct directory, and with 640 permissions and thatuser:thatusersgroup ownership.

My thoughts so far:

  • /etc/ftpchroot is clearly doing something, and doing what it should do.
  • Any user created on that machine has this problem (tried twice with other new users)
  • It's not directory dependent. Altering his home directory and chrooting to there shows the same problem.

It's strange to me as I have done this quite a few times before, and I have never encountered this. Sadly, googling for an answer is difficult because of its problematic problem description.

Edit 1: Something I'm seeing now. Logging in while under ftpchroot, no message is displayed when the login successfully completes. However, logging in without ftpchroot, /etc/motd is displayed after completing the authentication.

Edit 2: I've kinda worked around the problem by installing inetutils-ftpd. It brought along PAM authentication, and after configuring that, it logs in the very same user without the mentioned problem, and he can upload and see his files with no problem.

Dabu
  • What FTP server are you using? Some FTP servers can be configured to provide a "write-only" permission. For example: http://serverfault.com/a/24375/15440 – pepoluan Dec 06 '13 at 14:56
  • I am using `ftpd`, started via `inetd` superserver as `in.ftpd`. It looks similar, but as my problem is triggered by adding users to `/etc/ftpchroot`, I'd doubt that this could be my problem. – Dabu Dec 06 '13 at 14:58
  • Hmm... can you post the (sanitized) contents of your `ftpaccess` file? – pepoluan Dec 06 '13 at 15:05
  • I do not have such a file. What is it used for? The manual for `ftpd` doesn't specify what the file does. – Dabu Dec 06 '13 at 15:08
  • We're not into product suggestion, but you may want to try `vsftpd`; from my experience, it's easier to set up, more secure, and more tunable. – mveroone Dec 06 '13 at 15:58

1 Answer


When you're using chroot, any binaries you want to use within the chroot must exist within that chroot. In the case of ftpchroot, this usually means that the ftpd needs to have ls capabilities within its own binary rather than relying on the /bin/ls of the system, otherwise each user would have to have their own $HOME/bin/ls.

So the solution is to use an ftp daemon that has ls built-in (or to re-compile it with --ls-included, or whatever the appropriate option would be for this particular ftp daemon).

mveroone
Jenny D
  • If that is the case, the standard ftpd (from the Debian repo) has been compiled with ls support, as I am sure this always worked. How would I determine if it has been compiled with ls support, when I only have the binaries installed? – Dabu Dec 06 '13 at 15:53
  • I don't have a Debian system handy to check, but I'd start with seeing whether `man ftpd` gives any hints. – Jenny D Dec 06 '13 at 16:03
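
The check the answer implies, as an added example that is not part of the original posts: a shell function that reports whether a chroot directory (here, a user's home) holds an executable `bin/ls` and the shared libraries it links against. The function names and the use of `ldd` are assumptions of this example; if the check fails, directory listings depend on the FTP daemon having `ls` built in.

```shell
#!/bin/sh
# Added example: report what a chroot directory lacks for an external "ls".
# Function names are hypothetical; they are not part of any ftpd package.

# List the absolute paths of the shared libraries a binary links against.
# Prints nothing if ldd is unavailable or the binary is statically linked.
# Caveat: ldd may invoke the binary's loader, so run it only on trusted files.
list_deps() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | tr -s ' \t' '\n' | grep '^/' | sort -u
    return 0
}

# check_chroot_ls ROOT
# Prints one "missing: PATH" line per absent file under ROOT.
# Returns 0 when bin/ls and all of its libraries are present inside ROOT.
check_chroot_ls() {
    root=${1%/}
    missing=0
    if [ ! -x "$root/bin/ls" ]; then
        echo "missing: $root/bin/ls"
        return 1
    fi
    # After chroot(2), library paths resolve relative to ROOT, so each
    # dependency must exist at the same path below it.
    for lib in $(list_deps "$root/bin/ls"); do
        if [ ! -e "$root$lib" ]; then
            echo "missing: $root$lib"
            missing=1
        fi
    done
    return $missing
}
```

Run it as `check_chroot_ls /home/thatuser` (a placeholder path) for each account listed in `/etc/ftpchroot`.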