The builtin ftp daemon in FreeBSD can lock users into secured directories using chroot and is really simple to set up. There is a standard group called ftp with the group id 14. Let's make another group called ftpchroot as well.
pw groupadd ftpchroot -g 15
Then create a file area to which the user should be restricted.
mkdir /usr/local/ftpchroot
chgrp ftpchroot /usr/local/ftpchroot
Create the user. Note the dot in the user's home directory: it separates the chroot from the directory to cd into upon login. By setting the directory permissions to 700, other ftpchroot users cannot peek into each other's directories.
# adduser
Username: ftpuser
Full name: Ftpuser
Uid (Leave empty for default):
Login group [ftpuser]: ftpchroot
Login group is ftpchroot. Invite ftpuser into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]: nologin
Home directory [/home/ftpuser]: /usr/local/ftpchroot/./ftpuser
Home directory permissions (Leave empty for default): 700
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : ftpuser
Password : *****
Full Name : Ftpuser
Uid : 1001
Class :
Groups : ftpchroot
Home : /usr/local/ftpchroot/./ftpuser
Home Mode : 700
Shell : /usr/sbin/nologin
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (ftpuser) to the user database.
Add another user? (yes/no): no
Goodbye!
In order for the user to be able to log in through ftp, /usr/sbin/nologin must be added to /etc/shells. The file /etc/ftpchroot determines which users should be allowed restricted ftp access. It contains a list of users and/or groups, where groups are written by prefixing them with an @ character.
@ftpchroot
To properly map uids to usernames, a couple of steps still remain.
mkdir /usr/local/ftpchroot/etc
Create a dummy passwd file for all ftpchroot users, generate a passwd database from it and copy the system group file over to the chroot's etc directory.
while IFS=: read user x uid gid x; do
    if [ "$gid" = "15" ]; then
        # master.passwd(5) layout: name:passwd:uid:gid:class:change:expire:gecos:home:shell
        # "*" as the password field means no hash can ever match it
        echo "$user:*:$uid:$gid:::::" >> /tmp/passwd
    fi
done < /etc/passwd
pwd_mkdb -d /usr/local/ftpchroot/etc /tmp/passwd
# keep only pwd.db; master.passwd and spwd.db would carry password data into the chroot
rm /usr/local/ftpchroot/etc/master.passwd
rm /usr/local/ftpchroot/etc/spwd.db
cp /etc/group /usr/local/ftpchroot/etc
chmod 555 /usr/local/ftpchroot/etc
chmod 444 /usr/local/ftpchroot/etc/*
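The loop above is the heart of the uid-to-name mapping, and the two rm commands after it are what keep password hashes out of the chroot. The following is an added example, not code from the original post: it wraps the same filtering in a function that takes the group id as a parameter and runs against a constructed passwd sample (the gid 15 and the ftpuser account are from the text; the other accounts are made up for illustration), and adds a small check that a chroot etc directory contains pwd.db but neither master.passwd nor spwd.db. It does not call pwd_mkdb, so it can be run on any system for a dry run before touching /usr/local/ftpchroot.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Builds the stripped master.passwd(5) lines for the ftpd chroot and checks
# that a chroot etc directory leaks no password hashes.

# Emit one master.passwd(5) line (10 fields, 9 colons) for every account on
# stdin (passwd(5) format) whose primary gid equals $1. The password field is
# "*", so the copy inside the chroot can never authenticate anyone; it only
# lets ftpd map uids back to names for directory listings.
chroot_passwd_lines() {
    want_gid=$1
    while IFS=: read -r user pw uid gid rest; do
        case $user in ''|\#*) continue ;; esac      # skip blanks and comments
        [ "$gid" = "$want_gid" ] || continue
        printf '%s:*:%s:%s:::::\n' "$user" "$uid" "$gid"
    done
}

# Constructed sample of /etc/passwd; only ftpuser/gid 15 come from the text.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
ftp:*:14:14:Anonymous FTP Admin:/var/ftp:/usr/sbin/nologin
ftpuser:*:1001:15:Ftpuser:/usr/local/ftpchroot/./ftpuser:/usr/sbin/nologin
alice:*:1002:1002:Alice:/home/alice:/bin/sh
bob:*:1003:15:Bob:/usr/local/ftpchroot/./bob:/usr/sbin/nologin'

# Return 0 when the chroot etc directory in $1 holds the world-readable pwd.db
# and neither master.passwd nor spwd.db, the two files that carry hashes.
chroot_etc_is_clean() {
    dir=$1
    [ -f "$dir/pwd.db" ] || return 1
    [ ! -e "$dir/master.passwd" ] || return 1
    [ ! -e "$dir/spwd.db" ] || return 1
    return 0
}

# Dry run over the constructed sample: prints the lines pwd_mkdb would consume.
printf '%s\n' "$SAMPLE_PASSWD" | chroot_passwd_lines 15
```

On a real host, replace the sample with `chroot_passwd_lines 15 < /etc/passwd > /tmp/passwd`, feed the result to pwd_mkdb as in the steps above, and run `chroot_etc_is_clean /usr/local/ftpchroot/etc` after the rm commands to confirm nothing with hashes was left behind.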
Having added the following to /etc/rc.conf, you're ready to fire it up with /etc/rc.d/ftpd start.
ftpd_enable="YES"
ftpd_flags="-llD"