Improving FTP access security Network
With the release of 10.0.2, Apple has included an upgraded FTP server that makes it easier to control which directories FTP users can reach. This is done using an 'ftpchroot' file: each listed user's home directory appears as the root of the file system over FTP, so there is no way for them to move "up" out of their own directory.

Implementing 'ftpchroot' is quite simple, but it does require a bit of editing work as root. If you'd like to restrict your FTP users to their own directory, read the rest of this tip.

This only works for users who exist as users on your system. You may want to create a generic 'ftpuser' for such purposes. For this example, we'll assume you have two users, 'tom' and 'ftpuser', and you'd like to restrict both of them to their home directories.
  1. Open a terminal and type cd /etc to change into the 'etc' directory.

  2. We'll use pico as the text editor, since this is a very simple file. Type sudo pico ftpchroot and enter your normal admin user's password when prompted.

  3. When the file opens, simply type each user's short name on a line of its own:
    ftpuser
    tom
  4. Save the file by typing Control-X.
That's it! You've created the file you need to restrict FTP users' access.

To implement the file, you will probably have to restart your network -- you could try disabling and re-enabling FTP from the Sharing prefs panel, but a full restart will definitely do the trick! If you ever need to add more users, just follow these directions and add additional rows for each new user you wish to restrict.

To test the restrictions, find another machine, make sure your OS X box has FTP enabled, and connect via FTP as one of the restricted users. You should NOT be able to navigate up from your starting location. If you can, then something's not working correctly. I have tested this tip myself, and it works exactly as described here - thanks, Apple, for getting rid of this relatively large security hole! Note that FTP still transmits passwords in cleartext, which is why setting up an "ftpuser" may be a good idea.
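Added here as a worked example, not part of the hint itself: a small POSIX sh helper that adds names to an ftpchroot-style file without duplicating them and checks whether a given user would be restricted, either by a direct entry or through an @group line (a commenter below reports that the @group form works). The function names and the temporary file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the hint): maintain an ftpchroot-style list and
# check whether a user would be restricted by it. The format assumed is the
# one shown on this page: one short name per line, or "@group" for a whole
# group. FTPCHROOT defaults to a constructed temp file so this runs offline;
# set FTPCHROOT=/etc/ftpchroot (as root) to work on the real file.

FTPCHROOT="${FTPCHROOT:-$(mktemp /tmp/ftpchroot.XXXXXX)}"

# ftpchroot_add FILE NAME: append NAME (a user or @group) unless it is
# already listed, so re-running the script never duplicates entries.
ftpchroot_add() {
    file=$1; name=$2
    grep -qxF -- "$name" "$file" 2>/dev/null && return 0
    printf '%s\n' "$name" >> "$file"
}

# ftpchroot_match FILE USER [GROUP...]: return 0 if USER is listed directly
# or belongs to a GROUP that is listed as @GROUP, 1 otherwise.
ftpchroot_match() {
    file=$1; user=$2; shift 2
    grep -qxF -- "$user" "$file" && return 0
    for g in "$@"; do
        grep -qxF -- "@$g" "$file" && return 0
    done
    return 1
}

# ftpchroot_live_check USER: the same check against the real file and the
# user's actual group list (id -Gn prints the groups USER belongs to).
ftpchroot_live_check() {
    ftpchroot_match /etc/ftpchroot "$1" $(id -Gn "$1")
}

# Build the file from the hint's two example users, plus a whole group.
ftpchroot_add "$FTPCHROOT" tom
ftpchroot_add "$FTPCHROOT" ftpuser
ftpchroot_add "$FTPCHROOT" tom          # already present: no-op
ftpchroot_add "$FTPCHROOT" @staff
```

The restart step from the hint still applies after editing the real file; the helper only manages the list.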
Improving FTP access security | 25 comments
SWEEEEEET!!!!
Authored by: Anonymous on May 08, '01 10:21:02PM

I've been waiting for this... OK, now how do I put links to other directories outside of the user's space, on other drives even... How can I add access to certain directories?



[ Reply to This | # ]
SWEEEEEET!!!!
Authored by: babbage on May 09, '01 03:12:03PM
Create a symbolic link ("symlink") from the old directory to the new one. If you want to keep
the name, the format is "ln -s /other/directory /new/location/", and if you want to change the
name then the format is "ln -s /other/directory /new/location/new_name". Example:

/Users/chris% ln -s /usr/local/apache ~/
/Users/chris% ln -s /usr/local/apache ~/httpd
/Users/chris% ls -la apache
lrwxr-xr-x 1 chris staff 17 May 9 14:53 apache -> /usr/local/apache
/Users/chris% ls -la httpd
lrwxr-xr-x 1 chris staff 17 May 9 14:53 httpd -> /usr/local/apache

Play around for a minute and you'll get the idea. The trailing slash can be significant
and can change the behavior of the command, so make sure that you're doing what you mean to
be doing. It's generally better to use the full name of the directory in the ln command --
that is, not just the directory name itself, but the full path to it. That way, if you decide
to move the link later (since after all you can move it around just as you can any other file)
then you can be more sure that the reference will still work. For example:


# shorter, easier, and more brittle way
ln -s ../susie/Documents ~/susies_easy_documents

# longer but safer way
ln -s /Users/susie/Documents ~/susies_longer_documents

# note that the names are different, but the contents of these will be the same!

mkdir everyones_documents
mv susies_easy_documents everyones_documents # breaks!
mv susies_longer_documents everyones_documents # works!
ls everyones_documents/susies_easy_documents # broken!
ls everyones_documents/susies_longer_documents # still works!

Etc. This is of course assuming you have permissions to be accessing other users'
Documents directories. If you can't then you won't be allowed in, any more than you
would be allowed to "cd /Users/someone_else/Documents". File & directory permissions
get inherited from the file or directory being referenced.

Note! If it isn't already obvious, it's really dumb to make a link such as this:

ln -s / ~/ftp/root

The whole point of this ftpusers restriction file is to control what parts of your
file system you want to allow to the outside world. If you don't want people to be able
to reach parts of your directory tree, then don't let them! If you link in some other
directory, and that directory in turn has a link to the root of the file system,
then it's just as bad as if you had put that root symlink there yourself. Make sure you
trust that the contents of any directory you're linking in are safe & secure, or you'll
end up defeating the whole purpose of this access control mechanism.

[ Reply to This | # ]
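As an added example (not part of the comment above), a POSIX sh audit that lists every symlink under a directory exposed over FTP whose target resolves outside that directory, which is exactly the kind of link the comment warns against. The function names are constructed for this example; the test tree it is run on is constructed too.

```shell
#!/bin/sh
# Added example (not part of the comment): audit a directory that is exposed
# over FTP for symlinks whose targets resolve outside it, the case the
# comment warns about (e.g. "ln -s / ~/ftp/root"). Function names are
# constructed for this example.

# resolve_link LINK: print the canonical path LINK points to (one hop).
resolve_link() {
    link=$1
    target=$(readlink "$link") || return 1
    case $target in
        /*) ;;                                   # absolute: use as-is
        *)  target=$(dirname "$link")/$target ;; # relative to the link's dir
    esac
    if [ -d "$target" ]; then
        (cd "$target" && pwd -P)                 # canonicalize a directory
    else
        dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) \
            || dir=$(dirname "$target")          # dangling: keep as written
        printf '%s/%s\n' "$dir" "$(basename "$target")"
    fi
}

# escaping_links ROOT: print "LINK -> TARGET" for every symlink under ROOT
# whose target is not inside ROOT. Prints nothing when the tree is clean.
escaping_links() {
    root=$(cd "$1" && pwd -P) || return 1
    find "$root" -type l | while IFS= read -r link; do
        dest=$(resolve_link "$link") || continue
        case $dest in
            "$root" | "$root"/*) ;;              # stays inside ROOT
            *) printf '%s -> %s\n' "$link" "$dest" ;;
        esac
    done
}

# Usage against a real account's home, e.g.: escaping_links /Users/ftpuser
```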

Doesn't work
Authored by: Tablespork on Jun 15, '01 06:29:23PM

The symbolic links don't seem to work via ftp. I can get to regular directories with my ftp user, but when I try a symlink it tells me "No such file or directory". Is there any way around this?



[ Reply to This | # ]
here's how it works....
Authored by: aaronfaby on Sep 06, '02 12:58:16PM

Symlinks will not work because the whole purpose of chroot is so that the user cannot see directories outside the scope of their "root" directory. This means that any directory that you have symlinked to that is outside the scope of the user's "root" is not visible. In which case, if you attempt to access that directory, you will get the "file not found" message.

There really is no way around it. Otherwise, you would be defeating the purpose of chroot in the first place.

Aaron



[ Reply to This | # ]
ftpchroot
Authored by: macupdate on May 31, '01 12:43:27AM

It didn't work for me. I did the cd /etc, then pico ftpchroot as root, entered my user name, hit command-x, hit Y, and hit return. Restarted the Mac and I can still view upward directories. Any ideas?



[ Reply to This | # ]
ftpchroot
Authored by: jhi on Jul 07, '01 12:45:59AM

Does the account you are trying to 'chroot' have Administrative privileges? If it does, 'ftpchroot' may not work for it. Try creating another account with user privileges, and 'chroot' that one. Worked for me.....



[ Reply to This | # ]
Works with groups also
Authored by: Anonymous on May 09, '01 05:47:15PM

You can put a whole group in the ftpchroot file, like this.

@staff

All users belonging to the group staff will then be restricted to their home directories.



[ Reply to This | # ]
Users home?
Authored by: jhi on Jul 16, '01 09:31:41PM

How do you change the users home directory in OS X? It does not seem to use the /etc/passwd file..



[ Reply to This | # ]
Users home?
Authored by: mcdonoab on Jul 17, '01 10:23:28PM

You're right, /etc/passwd is not used. All functionality is handled by lookupd. So, if you want to change a user's home directory, open up NetInfo Manager and change the user's home from there.



[ Reply to This | # ]
Users home?
Authored by: mkennard on Aug 09, '01 01:09:49PM

I use netinfo in utilities and select users and the user. You can then set the home directory. Don't know the way to do it via shell but I use timbuktu.

michael



[ Reply to This | # ]
ftpchroot and Mac OS X Server
Authored by: hdheer on Aug 02, '01 04:48:15AM
One comment about using ftpchroot on a Mac OS X Server. It seems that on a server the ftpchroot file is completely ignored.
(See next article in the Apple Knowledge Base)
http://kbase.info.apple.com/cgi-bin/WebObjects/kbase.woa/wa/query?type=id&val=31099&KCID=260692&sid=anonymous|559313

Hubert

[ Reply to This | # ]

ftpchroot and Mac OS X Server
Authored by: gbusana on Aug 31, '01 10:47:26PM

This knowledgebase article is from 1999. So it is meant for OS X Server 1, the old Rhapsody version.
This doesn't mean that it doesn't work for OS X 10.0.4. I'd even think it should work. Will try in the next days.



[ Reply to This | # ]
ftpchroot and Mac OS X Server
Authored by: kane on Sep 05, '02 12:31:51PM

Well, I just tried it on Mac OS X Server 10.1 and it's not working at all... so I have to find another way to do it...



[ Reply to This | # ]
ftpchroot and Mac OS X Server
Authored by: davidcrickett on Sep 16, '02 06:40:07AM

I have tried the trick, but get an 'error 550 can't change root' ???



[ Reply to This | # ]
No way
Authored by: nickair on Aug 16, '01 10:52:30PM

Well I tried it, I've put all the users in ftpchroot, and restarted the Mac. Then I connected to OSX via ftp from another machine. But there were absolutely no restrictions at all...

Any idea?



[ Reply to This | # ]
No way
Authored by: tknospdr on Oct 26, '01 08:32:22PM

I tried this and with simply stopping and restarting http and ftp services it worked perfectly.



[ Reply to This | # ]
error 550 can't change root
Authored by: davidcrickett on Sep 16, '02 07:17:25AM

I have tried this, but get an 'error 550 can't change root' ???



[ Reply to This | # ]
error 550 can't change root
Authored by: davidcrickett on Sep 17, '02 07:13:04AM

I mean, I've tried the trick mentioned in the start of this page, how to restrict ftpuser. How come I get this error? Maybe because I'm in Jaguar 10.2.1 build 6D42???? Can someone please solve this mystery!?? ;-)



[ Reply to This | # ]
No longer works with Jaguar?
Authored by: Angostura on Sep 19, '02 05:30:00AM

Same here - no longer seems to work with Jaguar



[ Reply to This | # ]
FIX: error 550 can't change root
Authored by: ludo on Sep 20, '02 09:52:18PM

The problem lies in the ftpd daemon shipped in Jaguar (lukemftpd technically) and was introduced a few months ago in the source code.

In short, the chroot operation fails because the code demotes the ftp daemon from its root privileges before calling chroot.

I have posted a more thorough explanation and steps to fix the problem at
http://www.chezludo.com/ftpchroot.html



[ Reply to This | # ]
FIX: error 550 can't change root
Authored by: davidcrickett on Sep 21, '02 09:38:08AM

Yes! FIXED! Even if I had to drag the ftpd file (logging in as root) by hand, as I'm no unix geek, and this step (how to copy the downloaded file to /usr/libexec) was beyond me. But it's working, and I hope I haven't messed anything up ;-)



[ Reply to This | # ]
Nice, but what about ssh and sftp?
Authored by: hamarkus on May 26, '03 05:18:53PM

After fixing the error 550 bug it works as advertised, but connecting via ssh or sftp one can still move up the directory tree. Is there an equivalent to FTPchroot for sftp? (The hint 'Enable sftp access without ssh access' also disables sftp access, therefore defeating its purpose.)



[ Reply to This | # ]
Improving FTP access security
Authored by: dlclough on Jun 12, '03 03:17:15PM

This didn't work for me in Jaguar, either, until I applied this patch:

http://www.chezludo.com/ftpchroot.html

Just in case it helps someone else...

David.

[ Reply to This | # ]

Improving FTP access security
Authored by: themacnut on Jun 12, '03 10:01:36PM

Is there a way to restrict the amount of space used by the ftpuser? As in setting a disk quota? Just in case the ftpuser's password is "sniffed" and the sniffing hacker tries to use your Mac as a warez archive or something?

The MacNut



[ Reply to This | # ]
Improving FTP access security
Authored by: sranda on Sep 17, '03 10:33:49AM

Go easy, I'm a novice. I added a user named guest. Went into pico and added that user. Used Fetch to FTP in and got an error stating "Server Response - Can't change root". I did not enter an initial directory so that might be the problem. What would that path be?



[ Reply to This | # ]