tech-userlevel archive
Re: chrooted ftpd?
> As Christos pointed out, the traditional ftp is intended to run as
> root so it can itself do chroot() calls. Otherwise, ftpchroot isn't
> going to accomplish much.
Yeah, I came to that conclusion myself. I added code so that it
doesn't bother doing the chroot call if the string that would be passed
to it is "/", so it doesn't get gratuitous errors, but that's a frill.
For my purposes I abandoned making the user a chroot user.
>> (Turns out an entry in ftpchroot doesn't allow access without an
>> entry in ftpusers too.)
> That sounds like a condition that should be logged, because it's a
> config error. But probably it never gets as far as even opening
> ftpchroot.
I'm not sure - I no longer have the trace file - but I think ktrace
said it did.
>> Turns out getpwent() refuses to even _try_ to read spwd.db unless
>> geteuid() returns zero!!
> I expect the intent was to protect fools who write their own code
> using getpwent, run it unprivileged, and try to chmod 644 to make it
> work without thought for the consequences.
Hm, possibly. It's the first scenario I've seen mentioned where that
bit of code actually protects against something.
> Seems misguided though as that grade of fool will just do chmod +s
> instead.
True, but then the attacker is restricted to finding holes in said
fool's code, rather than being able to just waltz off with a copy of
spwd.db. (Admittedly, finding holes in code written by that grade of
fool is probably about as difficult as copying a mode 644 file.)
> You might be able to use nsswitch.conf to have it get passwords from
> elsewhere, although I don't think any of the currently
> supported alternate methods are simple.
Possibly. But, as I think I mentioned upthread, I realized on reading
the code that spwd.db and pwd.db have the same structure - the code to
read the db doesn't know or care which it's reading - so I just renamed
spwd.db to pwd.db and made it mode 644. It's an additional step every
time something needs to change the ftp root's master.passwd, but that's
acceptable in this case.
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B