This fake shell will limit access on the system for FTP users.

[root@deep /]# vi /etc/shells
/bin/bash
/bin/sh
/bin/ash
/bin/bsh
/bin/tcsh
/bin/csh
/dev/null    This is our added non-existent shell

NOTE: With Red Hat Linux, a special device name (/dev/null) exists for purposes such as these.

Step 3
Now, edit your /etc/passwd file and manually add the /./ marker that divides the /home/ftp directory from the /ftpadmin directory, where the user ftpadmin should be automatically chdir'd to. This step must be done for each FTP user you add to your passwd file.

Edit the passwd file (vi /etc/passwd) and add/change the line for the user ftpadmin:

ftpadmin:x:502:502::/home/ftp/ftpadmin/:/dev/null

To read:

ftpadmin:x:502:502::/home/ftp/./ftpadmin/:/dev/null
                              ^^

The account is ftpadmin, but you'll notice the path to the home directory is a bit odd. The first part, /home/ftp/, indicates the filesystem that should be considered their new root directory. The dot (.) divides that from the directory they should be automatically chdir'd (change directory'd) into, /ftpadmin/. Once again, the /dev/null part disables their login as a regular user.

With this modification, the user ftpadmin now has a fake shell instead of a real shell, resulting in properly limited access on the system.

Setup a chroot user environment
What you're essentially doing is creating a skeleton root file system with enough components necessary (binaries, password files, etc.) to allow Unix to do a chroot when the user logs in. Note that if you use the --enable-ls option during compilation as seen above, the /home/ftp/bin and /home/ftp/lib directories are not required, since this new option allows Wu-ftpd to use its own ls function. We still continue to demonstrate the old method for people that prefer to copy /bin/ls to the chroot'd FTP directory (/home/ftp/bin) and create the appropriate libraries related to ls.

447 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing
Server Software (File Sharing Network Services) 2 CHAPTER 1

The following are the necessary steps to run Wu-ftpd software in a chroot jail:

Step 1
First create all the necessary chrooted environment directories as shown below:

[root@deep /]# mkdir /home/ftp/dev
[root@deep /]# mkdir /home/ftp/etc
[root@deep /]# mkdir /home/ftp/bin (required only if you are not using the --enable-ls option)
[root@deep /]# mkdir /home/ftp/lib (required only if you are not using the --enable-ls option)

Step 2
Change the new directories' permission to 0511 for security reasons:

[root@deep /]# chmod 0511 /home/ftp/dev/
[root@deep /]# chmod 0511 /home/ftp/etc/
[root@deep /]# chmod 0511 /home/ftp/bin (required only if you are not using the --enable-ls option)
[root@deep /]# chmod 0511 /home/ftp/lib (required only if you are not using the --enable-ls option)

The chmod command will make our chrooted dev, etc, bin, and lib directories readable and executable by the super-user root, and executable only by the user-group and all other users.

Step 3
Copy the "/bin/ls" binary to the "/home/ftp/bin" directory and change the permission of the ls program to 0111 (you don't want users to be able to modify the binaries):

[root@deep /]# cp /bin/ls /home/ftp/bin (required only if you are not using the --enable-ls option)
[root@deep /]# chmod 0111 /bin/ls /home/ftp/bin/ls (required only if you are not using the --enable-ls option)

NOTE: This step is necessary only if you're not using the --enable-ls option at configure time of Wu-ftpd. See the Compile and Optimize section in this chapter for more information.

Step 4
Find the shared library dependencies of the ls Linux binary program:

[root@deep /]# ldd /bin/ls (required only if you are not using the --enable-ls option)
libc.so.6 => /lib/libc.so.6 (0x00125000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)

Copy the shared libraries identified above to your new lib directory under the /home/ftp directory:

[root@deep /]# cp /lib/libc.so.6 /home/ftp/lib/ (required only if you are not using the --enable-ls option)
[root@deep /]# cp /lib/ld-linux.so.2 /home/ftp/lib/ (required only if you are not using the --enable-ls option)

NOTE: These libraries are needed to make ls work. Also, steps 3 and 4 above are required only if you want to use the ls Linux binary program instead of the --enable-ls option, which uses the new internal ls capability of Wu-ftpd.

Step 5
Create your /home/ftp/dev/null file:

[root@deep /]# mknod /home/ftp/dev/null c 1 3
[root@deep /]# chmod 666 /home/ftp/dev/null

Step 6
Copy the group and passwd files into the /home/ftp/etc directory. These should not be the same as your real ones. For this reason, we'll remove all non-FTP users except for the super-user root in both of these files (passwd and group).

[root@deep /]# cp /etc/passwd /home/ftp/etc/
[root@deep /]# cp /etc/group /home/ftp/etc/

Edit the passwd file (vi /home/ftp/etc/passwd) and delete all entries except for the super-user root and your allowed FTP users. It is very important that the passwd file in the chroot environment has entries like:

root:x:0:0:root:/:/dev/null
ftpadmin:x:502:502::/ftpadmin/:/dev/null

NOTE: We can notice two things here: first, the home directories for all users inside this modified passwd file are now changed to reflect the new chrooted FTP directory (i.e. /home/ftp/./ftpadmin/ becomes /ftpadmin/), and also, the login shell for the root account has been changed to /dev/null.

Edit the group file (vi /home/ftp/etc/group) and delete all entries except for the super-user root and all your allowed FTP users. The group file should correspond to your normal group file:

root:x:0:root
ftpadmin:x:502:

Step 7
Now we must set the passwd and group files in the chroot jail directory immutable for better security.

- Set the immutable bit on the passwd file:

[root@deep /]# cd /home/ftp/etc/
[root@deep /]# chattr +i passwd

- Set the immutable bit on the group file:

[root@deep /]# cd /home/ftp/etc/
[root@deep /]# chattr +i group

Configurations
All software we describe in this book has a specific directory and subdirectory in a tar compressed archive named floppy.tgz containing file configurations for specific programs
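Returning to the chroot'd FTP account setup above: the following audit helpers are an added example, not code from the book. They check that a host /etc/passwd entry uses the /./ separator and the /dev/null fake shell, and that the passwd copy inside the jail (/home/ftp/etc/passwd) carries no real shell, no host-side /home/ftp path and no password hash (a chroot'd user can read that file). The sample passwd content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): audit helpers for the chroot'd FTP
# account layout. They work on passwd(5) text, so they can be run against
# the real files or against constructed samples.

# Return 0 if a host /etc/passwd line has the /./ chroot separator in its
# home directory and the fake /dev/null shell, 1 otherwise.
check_ftp_passwd_line() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$home" in */./*) ;; *) return 1 ;; esac
    [ "$shell" = "/dev/null" ]
}

# Audit the passwd copy inside the jail. Every entry must have a /dev/null
# shell, a home relative to the jail root (no /home/ftp prefix), and no
# password hash (field 2 must be x, * or a locked "!" entry). Prints each
# problem and returns the number of problems found (0 when clean).
audit_jail_passwd() {
    bad=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        [ "$shell" = "/dev/null" ] || { echo "$user: real shell $shell"; bad=$((bad+1)); }
        case "$home" in /home/ftp/*) echo "$user: host path $home"; bad=$((bad+1)) ;; esac
        case "$pw" in x|\*|'!'*) ;; *) echo "$user: hash present"; bad=$((bad+1)) ;; esac
    done < "$1"
    return $bad
}

# Write a constructed sample jail passwd file to $1: the two correct entries
# from the text, one entry with a real shell and a hash, one with a host path.
write_sample_jail_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/:/dev/null
ftpadmin:x:502:502::/ftpadmin/:/dev/null
bob:$1$salt$hashhashhash:503:503::/bob/:/bin/bash
carol:x:504:504::/home/ftp/./carol/:/dev/null
EOF
}
```

Run audit_jail_passwd against the real /home/ftp/etc/passwd after Step 6; the sample file above yields three findings (bob's shell, bob's hash, carol's host path).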