Can't view files/dirs on server in chrooted home directory

stkjosh
Posts: 2
Joined: Thu Apr 16, 2009 1:53 pm

Can't view files/dirs on server in chrooted home directory

Post by stkjosh »

I have encountered an interesting situation when trying to connect to our Sun T5120 server running the latest update of Solaris 10. I have set up our developers in a ‘dev’ group. This group has been restricted from access to ssh, and we want to lock them into their home directories upon logging into ftp. To accomplish the ftp restriction we added the following line to /etc/ftpd/ftpaccess: Guestgroup dev. This, combined with the following directory assignment per user in /etc/passwd, has achieved the locking down of the accounts to their home directories: /export/home/dev/./ (note the additional ./). This is accomplished by a chroot command that is run in the background upon user login. It effectively changes their functional root directory to the location I specified (their home directory), and all they see upon logging in is that they’ve landed at /.

OK, so that’s the background; now to describe the problem. I can log in to the server via command line ftp and this works beautifully: I land in the correct directory, it shows up as /, I can see all of the files/directories and I can interact with them (get/put). This is true from my PC workstation (located two firewalls away from the server) as well as from companion servers on the same VLAN (no firewalls). However, when I try to connect to the server from a graphical ftp program (i.e. CoreFTP and UltraEdit) it will connect and show the landing directory as /, but it will not display any of the contents of the home directory. It is not displaying directories or files; it just shows an empty home directory. If I then comment out the line in ftpaccess which designates the dev group as a guestgroup (Guestgroup dev), it works fine from both command line ftp and the graphical ftp programs.

This seems to be a pretty odd situation. I’ve looked through the settings in both CoreFTP and UltraEdit and cannot find any optional settings that could be selected to fix this issue. I did try using a PASV connection, but that yielded the same results. There are firewalls involved, but they have ports 20 and 21 open, as evidenced by the fact that command line works and that both command line and graphical ftp work when the chroot restriction is removed. The permissions on the home directory and subdirectories are 755, which is sufficient for viewing, though I did open them up to 777 just to test that angle.

I've found threads in other forums where people have not been able to list directory contents, and those were fixed by using a PASV connection. Mine is a little different, as it works fine until the chroot restriction is used, and as mentioned I have tried PASV. I’m stumped … any thoughts?

Thanks,
Josh
stkjosh
Posts: 2
Joined: Thu Apr 16, 2009 1:53 pm

Fixed it :)

Post by stkjosh »

Fixed it!

OK, so since I had changed the effective root directory for the ftp users in the dev group, the old path relationships are worthless (unless the same structure exists under the new effective root). The result is that there is no access to some of the binaries and other files necessary to make the expected ftp functionality work. In Solaris there is a command to do this for you (ftpconfig), which will copy all the necessary components into the given chroot directory.

ftpconfig -d /export/home/dev

What made this difficult is that the command line worked whether it was chrooted or not, but the GUI only worked without the chroot in place. Now the GUI ftp programs work regardless. So problem solved and everyone is happy, but I wish I understood why the command line worked in the chroot environment prior to copying over the necessary directories and binaries.

Hopefully that's helpful to someone. I ended up figuring this out myself, but I do want to mention that support was very responsive and I first heard back from them via email a mere 2 hours after I submitted my email request.

Josh
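The two things the thread turns on are the `/./` convention in /etc/passwd (which tells the guestgroup ftpd where to chroot) and a jail that is missing the files a directory listing needs. The script below is an added example, not code from the original posts or from Solaris: it parses a constructed passwd sample to report which accounts are chrooted and to which root, then checks a jail root for a minimal set of items and for a world-writable top directory. The list of required items (`bin/ls`, `dev`, `usr/lib`) is an assumption about what a wu-ftpd style server runs inside the jail for LIST; the authoritative list is whatever `ftpconfig -d` populates on your release, so compare against that output rather than trusting this list.

```shell
#!/bin/sh
# Added example (not from the original post): find chrooted ftp accounts and
# sanity-check a jail root. POSIX sh, awk and ls only.

# Constructed sample passwd entries; not real accounts on any server.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/usr/bin/bash
alice:x:1001:100:Alice:/export/home/dev/./alice:/bin/false
bob:x:1002:100:Bob:/export/home/bob:/bin/bash
carol:x:1003:100:Carol:/export/home/dev/./:/bin/false'

# Print "user<TAB>jail_root" for each entry whose home field contains "/./".
# Everything before "/./" is the chroot root; everything after it is the
# directory the user lands in inside the jail (the thread's /export/home/dev/./).
chroot_users() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '
    index($6, "/./") {
      root = substr($6, 1, index($6, "/./") - 1)
      if (root == "") root = "/"
      print $1 "\t" root
    }'
}

# check_chroot JAIL: return 0 when the assumed required items are present and
# the jail root is not world-writable, 1 otherwise, naming each problem found.
# Required items are an assumption (bin/ls plus dev and usr/lib directories);
# use the set that ftpconfig installs on your system as the real reference.
check_chroot() {
  jail=$1
  status=0
  for item in bin/ls dev usr/lib; do
    if [ ! -e "$jail/$item" ]; then
      echo "missing: $jail/$item"
      status=1
    fi
  done
  # The jail root should be owned by root and not writable by the jailed
  # user; a 777 root lets the user replace the very files the server runs.
  if [ -d "$jail" ]; then
    others_w=$(ls -ld "$jail" | cut -c9)
    if [ "$others_w" = "w" ]; then
      echo "world-writable jail root: $jail"
      status=1
    fi
  else
    echo "not a directory: $jail"
    status=1
  fi
  return "$status"
}

# Usage: list the chrooted accounts, then check each distinct jail root.
chroot_users
chroot_users | cut -f2 | sort -u | while read -r root; do
  [ -d "$root" ] && check_chroot "$root"
done
```

Run it as root on the ftp server after editing the sample to read the real passwd file (replace `printf '%s\n' "$SAMPLE_PASSWD"` with `cat /etc/passwd`); a non-zero return from `check_chroot` on a jail where command line ftp still works is exactly the situation the second post describes, since the missing pieces only surface when a client asks for a listing the server cannot produce.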