
10.3: ftpchroot now works as expected UNIX
A quick note to let everyone know that ftpchroot now works by default in 10.3.

[robg adds: ftpchroot has a somewhat twisted history on OS X. It didn't exist in 10.0, was added in 10.0.2, and then was broken again in 10.2. Looks like it's back and functional now in 10.3...]

10.3: ftpchroot now works as expected
Authored by: aranor on Oct 31, '03 01:45:44PM

Erm, it's not in my path. Where is it?



[ Reply to This | # ]
10.3: ftpchroot now works as expected
Authored by: aranor on Oct 31, '03 01:54:19PM

D'OH!

For clarification - it's not a utility, it's a file used for FTP server configuration.



[ Reply to This | # ]
10.3: ftpchroot now works as expected
Authored by: mal on Nov 02, '03 09:51:43PM

I have been wanting to get this working for ages!! Please explain how to get ftp users chroot'ed if you have the time!!



[ Reply to This | # ]
10.3: ftpchroot now works as expected
Authored by: hamarkus on Nov 03, '03 08:46:24AM
Check this hint

[ Reply to This | # ]
10.3: ftpchroot now works as expected
Authored by: bignumbers on Nov 06, '03 08:27:37AM

By "works by default in 10.3" do you mean the file should already be there? It's not for me. I did the default upgrade to 10.3, not an archive/install.

What I'd like to see (and thought this is what you meant) is that the system auto-creates this file and auto-adds all usernames to it.



[ Reply to This | # ]
10.3: ftpchroot now works as expected
Authored by: BananaFish on Jun 02, '04 12:39:35AM
This is a great hint! There are a couple of additional notes that I think may be useful. I have occasional use for chrooted ftp, but I use ssh constantly. On a system running both ftp and ssh services, a user added to /etc/ftpchroot may have limited ftp capabilities, but they can still make an ssh connection and browse the file system as freely as their permissions will allow.

The simplest method that I know for limiting a user's remote access to chrooted ftp is by changing the user's shell variable to /usr/bin/true. Doing so requires a couple of steps (I'm currently running OS X 10.3.4, though I'd imagine most of this is applicable to prior versions):
  1. Edit /etc/shells:
    Without adding /usr/bin/true to the /etc/shells file, ftpd won't recognize it as valid; the file says as much. So, open up Terminal, sudo vi /etc/shells, add the line /usr/bin/true to the file, save and close it.
  2. Modify the User's $SHELL:
    The best way I can think to do this is through the NetInfo Manager, though it could certainly be done through the command line nicl tool. Open NetInfo Manager and authenticate so you can edit the database. Select "users" in the 2nd column, and then select the user that you want to edit. Locate the "shell" property, and change the "Value(s)" field so it reads /usr/bin/true. Click on the Domain menu and Save Changes.
  3. Edit /etc/ftpchroot:
    If you haven't done so already, add the appropriate user names to /etc/ftpchroot file.
  4. More Users:
    Perform steps 2 and 3 for each appropriate user.
Now, any users added to /etc/ftpchroot with their $SHELL set to true will have limited ftp access, but will not be able to ssh into your system.
There is another method for accomplishing the same results that can be found here. What vogunaescht writes there works in Mac OS X 10.3, but I believe the /usr/bin/true to be more compatible with other systems since I've definitely used it with Linux. For whatever that's worth.

---
I'm interesting
You think I'm interesting
Like the apocalypse

[ Reply to This | # ]
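Added example (not part of BananaFish's comment or of the site's own material): a shell check that the steps above were applied to every user listed in an ftpchroot file. It assumes user records are available in passwd format, which on 10.3 means exporting them from NetInfo first; the function names, status strings and sample accounts are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the ftp-only setup from the steps above.
# Assumption: user records are available in passwd format
# (name:pw:uid:gid:gecos:home:shell); on 10.3 they live in NetInfo,
# so an export step would come first. All paths are parameters.

# audit_ftpchroot FTPCHROOT SHELLS PASSWD
# Prints "<user> <status>" per listed user; returns 0 only if all are ok.
audit_ftpchroot() {
    ftpchroot=$1 shells=$2 passwd=$3 rc=0
    while read -r user rest || [ -n "$user" ]; do
        case $user in ''|\#*) continue ;; esac   # blank line or comment
        shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd")
        if [ -z "$shell" ]; then
            echo "$user no-account-or-shell"; rc=1
        elif [ "$shell" != /usr/bin/true ]; then
            # Step 2 not done: ssh logins still get this shell.
            echo "$user shell-not-true:$shell"; rc=1
        elif ! grep -qxF /usr/bin/true "$shells"; then
            # Step 1 not done: ftpd treats the shell as invalid.
            echo "$user true-missing-from-shells-file"; rc=1
        else
            echo "$user ok"
        fi
    done < "$ftpchroot"
    return $rc
}

# make_sample DIR: write constructed sample files (not real accounts).
make_sample() {
    printf '%s\n' '# constructed sample' alice bob carol > "$1/ftpchroot"
    printf '%s\n' /bin/bash /bin/sh /usr/bin/true > "$1/shells"
    printf '%s\n' 'alice:*:501:20:Alice:/Users/alice:/usr/bin/true' \
                  'bob:*:502:20:Bob:/Users/bob:/bin/bash' > "$1/passwd"
}

# Run the audit over the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_ftpchroot "$demo_dir/ftpchroot" "$demo_dir/shells" "$demo_dir/passwd" ||
    echo "audit: problems found"
rm -rf "$demo_dir"
```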

10.3: ftpchroot now works as expected
Authored by: BananaFish on Jun 02, '04 01:16:18AM

Sorry about the "NetInfo Manager" URL stunt in item 2. It'll never happen again; I promise.

---
I'm interesting
You think I'm interesting
Like the apocalypse



[ Reply to This | # ]