Friday, April 26, 2002

memo (Seize the moment): [server]proftpd chroot

Locking users into a directory (chroot)
Preventing users from moving around the filesystem is a must for many system administrators. ProFTPD achieves this using the chroot() system call, which moves the root directory seen by the server process to the specified location. Anonymous connections do this by default, setting the chroot() to the directory specified in the <Anonymous> directive. For normal users, the DefaultRoot directive is required.

For general open access you can use an <Anonymous> directive context block, possibly in combination with a UserPassword/AnonRequirePassword directive.

However, if you wish to jail an entire group (or groups) of users, you can use the DefaultRoot directive. DefaultRoot lets you specify a root jail directory (or '~' for the user's home directory), and an optional group-expression argument which controls which groups of users the jail is applied to. For example:

Example 9-1. Simple DefaultRoot setup

# A simple DefaultRoot setup
# limiting all users to their $HOME

DefaultRoot ~
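
To check which users a set of DefaultRoot lines actually jails, the Python below (an added example, not part of the original memo or the ProFTPD code) evaluates the optional group-expression against a user's groups. It assumes ProFTPD's documented semantics, which this page does not spell out: the expression is a comma-separated AND list, "!" negates a group, and the first matching DefaultRoot wins. The sample configuration, group names and function names are constructed for illustration.

```python
# Added example: which DefaultRoot jail (if any) applies to a given user.
# Assumed semantics (ProFTPD documentation, not stated on this page):
# comma-separated terms are ANDed, "!" negates, first matching directive wins.

SAMPLE_CONF = """\
# constructed sample configuration
ServerName "example"
DefaultRoot /srv/ftp/shared  ftpusers,!staff
DefaultRoot ~                students
"""

def parse_default_roots(conf_text):
    """Return [(directory, [group terms])] in file order."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "defaultroot":
            terms = [t for t in "".join(parts[2:]).split(",") if t]
            rules.append((parts[1], terms))
    return rules

def expr_matches(terms, user_groups):
    """AND of all terms; an empty expression matches every user."""
    for term in terms:
        negated = term.startswith("!")
        if (term.lstrip("!") in user_groups) == negated:
            return False
    return True

def jail_for(conf_text, user_groups, home):
    """Directory the user would be chrooted to, or None if not jailed."""
    for directory, terms in parse_default_roots(conf_text):
        if expr_matches(terms, set(user_groups)):
            return home if directory == "~" else directory
    return None

if __name__ == "__main__":
    users = [("alice", ["ftpusers"]), ("bob", ["ftpusers", "staff"]),
             ("carol", ["students"])]
    for user, groups in users:
        print(user, "->", jail_for(SAMPLE_CONF, groups, "/home/" + user))
```

A result of None means no DefaultRoot matched and the account is not chrooted, which is the case to look for when group expressions carry exclusions.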

-- It's fun,it's free,it's open
