C Program to create Fake root for User


Post by joeh » Fri, 08 Oct 1999 04:00:00



I know this program is garbage and is not even working; if
anyone has experience with this, perhaps they can advise:
I need to create a fake root for ftp users (not anonymous).
I need to implement something that will prevent them from
traversing directories above their home dir.
This particular box doesn't seem to have a lot of documentation
on the appropriate system calls.  Perhaps someone can help.
Criticism welcome (and deserved).
TIA
Joe

#include <stdio.h>
#include <string.h>

char *path;
int chroot (path) ;

main {

string systemcmd ;        /* i thought this data type was in string.h */
systemcmd="echo $HOME" ;  /* This probably doesn't exist at this point and i
need
                             to scan the /etc/passwd file field */
path=(system(systemcmd)) ;
chroot(&path) ;
system("/bin/ksh") ;
/* return 0 ; */

}

~
~
~
"./bin/mychroot.c" 19 lines, 238 characters
259 root [zeus4]:/usr/joeh>cc -o ./bin/mychroot ./bin/mychroot.c
"./bin/mychroot.c", line 8: warning: function prototype parameters must have
types
"./bin/mychroot.c", line 10: error: syntax error, probably missing ",", ";" or
"="
"./bin/mychroot.c", line 12: error: undefined symbol: string
"./bin/mychroot.c", line 12: error: Syntax error before or at: systemcmd
"./bin/mychroot.c", line 13: error: undefined symbol: systemcmd
"./bin/mychroot.c", line 13: warning: improper pointer/integer combination: op
"="
"./bin/mychroot.c", line 14: warning: improper pointer/integer combination: arg
#1
"./bin/mychroot.c", line 14: warning: improper pointer/integer combination: op
"="
"./bin/mychroot.c", line 18: error: cannot recover from previous errors

--

access to a news server; thanks!
Disclaimer: opinions expressed my own and not representative of my employers

 
 
 


Post by Rich Tee » Fri, 08 Oct 1999 04:00:00



> I know this program is garbage and is not even working; if
> anyone has experience with this, perhaps they can advise:
> I need to create a fake root for ftp users (not anonymous).
> I need to implement something that will prevent them from
> traversing directories above their home dir.

A wise idea, but apart from chroot()ing, you will need to
provide the /usr/lib and /dev(ices) entries too.

> #include <stdio.h>
> #include <string.h>

> char *path;
> int chroot (path) ;

ALWAYS include the right header files!  For chroot(),
it's

 #include <unistd.h>

> main {

> string systemcmd ;        /* i thought this data type was in string.h */

WTF?  I think you mean:

        char *systemcmd;

> systemcmd="echo $HOME" ;  /* This probably doesn't exist at this point and i
> need

Have a look at the getpwent() family of functions.

Very rough pseudo code; add error checking and the
appropriate #includes:

        uid = getuid ();
        ptr = getpwuid (uid);
        chroot (ptr -> pw_dir);

>                              to scan the /etc/passwd file field */
> chroot(&path) ;
> system("/bin/ksh") ;

Using system() isn't a hot idea; use fork() and exec() instead.

HTH,

--
Rich Teer

NT tries to do almost everything UNIX does, but fails - miserably.

The use of Windoze cripples the mind; its use should, therefore, be
regarded as a criminal offence.  (With apologies to Edsger W. Dijkstra)

If it ain't analogue, it ain't music.

Voice: +1 (250) 763-6205
WWW: www.rite-group.com

 
 
 


Post by Drazen Kac » Fri, 08 Oct 1999 04:00:00



> I know this program is garbage and is not even working; if
> anyone has experience with this, perhaps they can advise:
> I need to create a fake root for ftp users (not anonymous).
> I need to implement something that will prevent them from
> traversing directories above their home dir.

Proftpd can do it. Take a look at the source or install the whole thing.
http://www.proftpd.org

--
 .-.   .-.    Life is a *ly transmitted disease.
(_  \ /  _)


 
 
 


Post by Barry Margoli » Fri, 08 Oct 1999 04:00:00





>> I know this program is garbage and is not even working; if
>> anyone has experience with this, perhaps they can advise:
>> I need to create a fake root for ftp users (not anonymous).
>> I need to implement something that will prevent them from
>> traversing directories above their home dir.

>Proftpd can do it. Take a look at the source or install the whole thing.
>http://www.proftpd.org

That's on the server side.  The program he's trying to write is to trap the
*client* to a particular directory.

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

 
 
 


Post by Barry Margoli » Fri, 08 Oct 1999 04:00:00




>> system("/bin/ksh") ;

>Using system() isn't a hot idea; use fork() and exec() instead.

Actually, for this application, he doesn't even need to fork(), since he
doesn't do anything after the shell returns.  He can just exec().

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
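
The wrapper Rich Teer sketches with getpwuid()/chroot(), combined with the exec()-only refinement above, written out as a complete program. This is an added example, not code from any poster in the thread. It assumes the binary is installed setuid root and that /bin/ksh, its libraries and device nodes exist inside each home directory; jail_dir_ok and enter_jail are hypothetical names.

```c
#define _DEFAULT_SOURCE   /* glibc: declare chroot() under strict -std= modes */
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: 0 if dir is usable as a jail root, -1 otherwise. */
int jail_dir_ok(const char *dir)
{
    struct stat st;

    if (dir == NULL || dir[0] != '/')    /* must be an absolute path */
        return -1;
    if (strcmp(dir, "/") == 0)           /* chroot("/") confines nothing */
        return -1;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return 0;
}

/* Hypothetical helper: confine the user to pw->pw_dir and replace this
 * process with the shell. Returns -1 on failure, never returns on success. */
int enter_jail(const struct passwd *pw, const char *shell)
{
    if (pw == NULL || jail_dir_ok(pw->pw_dir) != 0)
        return -1;
    if (chroot(pw->pw_dir) != 0)         /* needs root, hence setuid root */
        return -1;
    if (chdir("/") != 0)                 /* a cwd left outside the jail defeats it */
        return -1;
    /* Drop root permanently before running anything the user controls. */
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    execl(shell, shell, (char *)NULL);   /* shell path is resolved inside the jail */
    return -1;                           /* reached only if exec failed */
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());   /* real uid's passwd entry, not $HOME */

    if (enter_jail(pw, "/bin/ksh") != 0) {
        perror("mychroot");
        return 1;
    }
    return 0;
}
```

The order matters: chroot() and chdir("/") run while still root, the privilege drop comes next, and exec() comes last so the shell never holds root.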

 
 
 


Post by Brad Powe » Fri, 08 Oct 1999 04:00:00


:I know this program is garbage and is not even working; if
:anyone has experience with this, perhaps they can advise:
:I need to create a fake root for ftp users (not anonymous).
:I need to implement something that will prevent them from
:traversing directories above their home dir.
:This particular box doesn't seem to have a lot of documentation
:on the appropriate system calls.  Perhaps someone can help.
:Criticism welcome (and deserved).
:TIA
:Joe

Two solutions. Use a system that has (or get) wu-ftpd. It has the chroot
built in.

Otherwise Wietse Venema has a program chrootuid that will also do this.

ftp://ftp.porcupine.org/pub/security/index.html

============================================================================

Sr. Network Security Architect Sun Microsystems Inc.
============================================================================
The views expressed are those of the author and may not reflect the views
of Sun Microsystems Inc.
============================================================================

 
 
 


Post by Mark Mentova » Fri, 08 Oct 1999 04:00:00






>>> I know this program is garbage and is not even working; if
>>> anyone has experience with this, perhaps they can advise:
>>> I need to create a fake root for ftp users (not anonymous).
>>> I need to implement something that will prevent them from
>>> traversing directories above their home dir.

>>Proftpd can do it. Take a look at the source or install the whole thing.
>>http://www.proftpd.org

>That's on the server side.  The program he's trying to write is to trap the
>*client* to a particular directory.

I'm not so sure about that.  I don't know exactly what the original
poster had in mind.

If he's just looking to put a regular user into a chrooted environment
for an FTP login, then nobody needs to write any special code, just set
up ProFTPd properly.  (ProFTPd, the server, chroots when the client
connects and logs in, thereby restricting what the client can access.)
The configuration directive "DefaultRoot ~" would have the server
chroot each user's home directory upon FTP login.

If he's looking to put a regular user in a chrooted environment for an
interactive (shell) login (which is what the source he posted appears
to try to do), then doing chroot/exec is the way to go, but I don't
understand the logic behind doing this.  It would mean that copies of
the shell, libraries, devices, and various other files would be needed
inside the hierarchy that will be chrooted to.

Come to think of it, I don't understand the logic behind chrooting a
regular user FTP login, either.  With permissions configured properly,
setting up a "chroot jail" (in ProFTPd terminology) for normal users
seems a little paranoid.

Mark

 
 
 


Post by Rich Tee » Sat, 09 Oct 1999 04:00:00



> Come to think of it, I don't understand the logic behind chrooting a
> regular user FTP login, either.  With permissions configured properly,
> setting up a "chroot jail" (in ProFTPd terminology) for normal users
> seems a little paranoid.

When server security is involved, a little paranoia is a Good Thing, I think.

--
Rich Teer

NT tries to do almost everything UNIX does, but fails - miserably.

The use of Windoze cripples the mind; its use should, therefore, be
regarded as a criminal offence.  (With apologies to Edsger W. Dijkstra)

If it ain't analogue, it ain't music.

Voice: +1 (250) 763-6205
WWW: www.rite-group.com

 
 
 


Post by Barry Margoli » Sat, 09 Oct 1999 04:00:00








>>>> I know this program is garbage and is not even working; if
>>>> anyone has experience with this, perhaps they can advise:
>>>> I need to create a fake root for ftp users (not anonymous).
>>>> I need to implement something that will prevent them from
>>>> traversing directories above their home dir.

>>>Proftpd can do it. Take a look at the source or install the whole thing.
>>>http://www.proftpd.org

>>That's on the server side.  The program he's trying to write is to trap the
>>*client* to a particular directory.

>I'm not so sure about that.  I don't know exactly what the original
>poster had in mind.

The original poster wrote a program that does a chroot() and then runs a
shell.  While his code was not valid, it was certainly understandable as a
form of pseudo-code describing what he's trying to do.

>Come to think of it, I don't understand the logic behind chrooting a
>regular user FTP login, either.  With permissions configured properly,
>setting up a "chroot jail" (in ProFTPd terminology) for normal users
>seems a little paranoid.

There are lots of files and directories on a system that must be
world-readable, and he's paranoid enough that he doesn't want his users
able to access them.

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

 
 
 


Post by Mark Mentova » Sat, 09 Oct 1999 04:00:00







>>>>> I know this program is garbage and is not even working; if
>>>>> anyone has experience with this, perhaps they can advise:
>>>>> I need to create a fake root for ftp users (not anonymous).
>>>>> I need to implement something that will prevent them from
>>>>> traversing directories above their home dir.

>>I'm not so sure about that.  I don't know exactly what the original
>>poster had in mind.

>The original poster wrote a program that does a chroot() and then runs a
>shell.  While his code was not valid, it was certainly understandable as a
>form of pseudo-code describing what he's trying to do.

But he also said he needs to create a fake root for FTP users,
mentioning nothing of interactive logins.  That's what keeps throwing
me.

>>Come to think of it, I don't understand the logic behind chrooting a
>>regular user FTP login, either.  With permissions configured properly,
>>setting up a "chroot jail" (in ProFTPd terminology) for normal users
>>seems a little paranoid.

>There are lots of files and directories on a system that must be
>world-readable, and he's paranoid enough that he doesn't want his users
>able to access them.

Different tastes in sysadminning, to each his own!

Mark

 
 
 


Post by Leslie Mikese » Sat, 09 Oct 1999 04:00:00




>>The original poster wrote a program that does a chroot() and then runs a
>>shell.  While his code was not valid, it was certainly understandable as a
>>form of pseudo-code describing what he's trying to do.

>But he also said he needs to create a fake root for FTP users,
>mentioning nothing of interactive logins.  That's what keeps throwing
>me.

He may be allowing anonymous FTP and/or have FTP accounts that cannot
login any other way.  These users may be less trusted than the
interactive logins on the same box.

  Les Mikesell

 
 
 


Post by joeh » Thu, 14 Oct 1999 04:00:00


I can't say much about this, but everyone is correct: i have ftp and
interactive shell logins.  the current situation on that particular server
is that many files are world-readable and remain so because of the powers
that be; on the other hand, despite things the way they are, i must do my
best to protect the system and data. the culprits are the previous admins
who either didn't understand permission modes, groups and security or for
some other reason couldn't implement.

in any case, my sincere thanks to all for the support.
The suggestion to use the proftpd daemon may help me with the ftp service,
but i still need to make some kind of shell for these people who come
in and drop stuff off.  we don't want them traversing directories.  would the
above chroot example interfere at all with an ftp login?

--

access to a news server; thanks!
Disclaimer: opinions expressed my own and not representative of my employers

 
 
 


Post by Mark Mentova » Thu, 14 Oct 1999 04:00:00



>in any case, my sincere thanks to all for the support.
>The suggestion to use the proftpd daemon may help me with the ftp service,
>but i still need to make some kind of shell for these people who come
>in and drop stuff off.  we don't want them traversing directories.  would the
>above chroot example interfere at all with an ftp login?

No.  If you set your users' shells to be something that chroots them
into a reasonably safe environment, as long as it is listed in the real
(non-chrooted) /etc/shells, proftpd will allow logins and do its own
chrooting as you have configured it.  Proftpd (or wu-ftpd or Solaris
ftpd) don't care what the shell actually does, as long as they
determine it to be a valid shell.

Mark

 
 
 
