SUN-Jail – Solaris 10 convicted ! Part I


OK… so a while back I did something about jails for FTP. Odd that I don't even remember what it was for, let alone being too lazy to go back and look to make a proper reference here.. but anyway, I have a successful and simple approach to doing this on Solaris 10 and, seeing that I get a lot of hits for my Solaris posts, this may in fact be another good destination. I went back to my tried and true buddy, Webmin, for this, with as little effort as possible.  I decided to use the ProFTPd module that comes (the icon, anyway) included with Webmin for Solaris (which, by the by, is also a default package on Sol 10) and packages from the sunfreeware site.  So let's get started with the required packages and some basic system tweaks you may or may not need:

I started out making a repo dir under /export/home as it is a large one on these systems:

mkdir /export/home/sunfreeware

cd /export/home/sunfreeware

For whatever reason, the default $PATH for Solaris 10 is as bare as it comes, leaving out lots of useful, already installed tools (wget, for example). I created a .profile and added this PATH:

PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/sfw/bin:/usr/local/sbin

This covers everything I found useful without typing absolute paths (and without actually knowing where the f' it is!!!)…

Here is a listing of what I needed (you may or may not need all of these):

gcc-3.4.6-sol10-x86-local.gz
make-3.81-sol10-x86-local.gz
openssl-1.0.0-sol10-x86-local.gz
proftpd-1.3.2-sol10-x86-local.gz
rssh-2.3.2-sol10-x86-local.gz

So let's quickly grab these…

cd /export/home/sunfreeware (in case you were not there already 🙂 )

for i in gcc-3.4.6-sol10-x86-local.gz make-3.81-sol10-x86-local.gz openssl-1.0.0-sol10-x86-local.gz proftpd-1.3.2-sol10-x86-local.gz rssh-2.3.2-sol10-x86-local.gz; do wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/$i; done

Keep in mind that this is a plain-FTP download with nothing verifying what arrived, and the step after next installs it as root; check each file against the checksum published for it before you pkgadd it.

Then gunzip them:

for i in `ls`; do gunzip $i; done

Then pkgadd them:

for i in `ls`; do pkgadd -d $i; done

(You will need to answer at least the creation of the /usr/local/bin directory if it is not already there, plus the default "all" package-selection prompt on each iteration; passing all as the package-instance argument to pkgadd answers that second prompt for you.)

Before you get yourself all in a tizzy… let's stop the default FTP service (the stock in.ftpd, managed by SMF), so it is not competing with proftpd for port 21:

svcadm disable network/ftp

OK… now let's set up Webmin (the Solaris 10 package is already installed; this just configures and starts it):

webminsetup (see how handy our PATH has been so far… 🙂 )

Answer the questions however you like… and voilà… Done 🙂

Now we need to make a few tweaks to the ProFTPd settings:

The line to uncomment in proftpd.conf is the DefaultRoot ~ directive (shipped commented out in the stock config); with it active, every user is chrooted to their defined home directory on login, and let me tell you that this is as easy as that process gets.  There is one other designation we need to make in the Webmin module to ensure this takes place, but it is in fact a radio button, so nothing overly complex there.  I also made the usual permissions change on the user directories (0700, owned by the user) to ensure the most security possible, and a few other changes… well, let's look at that step by step, shall we…

OK, so as you can see (from the wget up above) I grabbed rssh, a restricted shell.  Whether or not any of this is actually necessary is highly speculative, but I will at least illustrate what I did.

/usr/local/etc/rssh.conf

allowsftp <– This is all I wanted to allow

# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = /export/home/chroot <– Make this whatever you are jailing your users to

One caveat on that last line: with chrootpath set, rssh chroots into that directory before it runs sftp-server, so the jail has to contain sftp-server and the libraries it needs or SFTP logins will fail. That only affects SSH logins, though. ProFTPD never executes the user's shell; it does its own chroot via DefaultRoot, so on the FTP side rssh matters only as a shell that is listed in /etc/shells.

You will also need an entry in /etc/shells (create the file if it is not there). ProFTPD's RequireValidShell is on by default, so an account whose shell is not listed in /etc/shells is refused even though proftpd never runs that shell; this one line is what lets an rssh-only user log in over FTP:

/usr/local/bin/rssh

The account, with its home under the chroot path and rssh as its shell:

ftptest:x:104:100:FTP Test User:/export/home/chroot/ftptest:/usr/local/bin/rssh

# id ftptest
uid=104(ftptest) gid=100(ftptest)

And the home directory itself, mode 0700 and owned by the account (the "usual permissions change" I mentioned):

drwx------   2 ftptest ftptest      512 May 20 15:17 ftptest

From the main module screen select the "Files and Directories" option to open that page.  We are already in the ProFTPd module at this point, so if you are not there, click the "Servers" link in the top left and then select "ProFTPD Server" and you will be at this very page.  Take note of where things are in Webmin, as surely you will want to go back and make lots of additional amendments to whatever else you have running on the system.

All we are doing here is making sure that users are restricted to their home directory (that is the radio button I mentioned; it corresponds to the DefaultRoot directive we uncommented). This may be obvious, but make sure you START the service as well… It can be done from any page of the module: up in the right corner you will see a "Start ProFTPd Service" button… click it.  I would also run a few commands from the console just to see what you have going on, so that you have some understanding outside of the graphical environment of what is really taking place here.  So let's run some simple commands, shall we?
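Before trusting the jail, it is worth checking from the console that the pieces the last few steps depend on are actually in place: an active DefaultRoot in proftpd.conf (and RequireValidShell not switched off), and an account whose shell is in /etc/shells, whose home sits under the rssh chrootpath, and whose home is 0700 and owned by it. The script below is an added example, not something from the original post or from the ProFTPD/rssh projects; it takes file paths as arguments so it can be pointed at the live /usr/local/etc/proftpd.conf, /etc/passwd, /etc/shells and jail directory, and it builds a constructed set of sample files (no real accounts, no real config) at the bottom so it can be run offline. It assumes only ProFTPD's documented DefaultRoot and RequireValidShell directives; the sample users sloppy, escapee and noshell are made-up names, and the current login name stands in for ftptest so the ownership check is exercised for real.

```sh
#!/bin/sh
# ftpjail_audit.sh -- added example, not from the original post.
# Checks the two things this setup relies on:
#   1. proftpd.conf has an active (uncommented) DefaultRoot and has not
#      switched RequireValidShell off (it is on by default);
#   2. the FTP-only account's shell is listed in /etc/shells, its home
#      sits under the rssh chrootpath, and that home is 0700 and owned
#      by the account.
# File paths are arguments, so the checks run against the constructed
# copies built at the bottom or against the live files.
AWK=${AWK:-awk}     # Solaris 10: AWK=nawk (/usr/bin/awk lacks tolower)

# Print the value of the last active occurrence of a directive. Directive
# names are case-insensitive, as in proftpd. Returns 1 if it appears only
# commented out or not at all. Does not model <Anonymous>/<VirtualHost>
# scoping.
directive_value() {
    $AWK -v name="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(name) {
            $1 = ""; sub(/^ +/, ""); v = $0
        }
        END { if (v == "") exit 1; print v }' "$1"
}

# check_conf PROFTPD_CONF
check_conf() {
    _root=$(directive_value "$1" DefaultRoot) || {
        echo "FAIL: no active DefaultRoot in $1 (users can cd out of their home)"
        return 1
    }
    _rvs=$(directive_value "$1" RequireValidShell) || _rvs=on   # proftpd default
    case $_rvs in
        [Oo][Ff][Ff]|[Ff][Aa][Ll][Ss][Ee]|[Nn][Oo])
            echo "FAIL: RequireValidShell $_rvs: /etc/shells no longer gates FTP logins"
            return 1 ;;
    esac
    echo "OK: DefaultRoot $_root, RequireValidShell $_rvs"
}

# check_account PASSWD_FILE SHELLS_FILE CHROOT_PATH USER
check_account() {
    _pw=$1; _shells=$2; _jail=$3; _user=$4
    _entry=$($AWK -F: -v u="$_user" '$1 == u { print; exit }' "$_pw")
    [ -n "$_entry" ] || { echo "FAIL: $_user not in $_pw"; return 1; }
    _home=$(printf '%s\n' "$_entry" | cut -d: -f6)
    _shell=$(printf '%s\n' "$_entry" | cut -d: -f7)
    # RequireValidShell: proftpd refuses the login if the shell is not listed
    $AWK -v s="$_shell" '$0 == s { f = 1 } END { exit !f }' "$_shells" || {
        echo "FAIL: $_shell is not in $_shells, proftpd will refuse $_user"; return 1; }
    case $_home in
        "$_jail"/*) ;;
        *) echo "FAIL: home $_home is outside chrootpath $_jail"; return 1 ;;
    esac
    [ -d "$_home" ] || { echo "FAIL: home $_home does not exist"; return 1; }
    # drwx------ owned by the user: nobody else in the jail tree can read it
    _perm=$(ls -ld "$_home" | $AWK '{ print substr($1, 2, 9), $3 }')
    [ "$_perm" = "rwx------ $_user" ] || {
        echo "FAIL: $_home is '$_perm', want 'rwx------ $_user'"; return 1; }
    echo "OK: $_user -> $_home, shell $_shell"
}

# --- constructed sample (not from a real system) so this runs offline ---
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
JAIL=$SAMPLE/export/home/chroot
ME=$(id -un)        # stands in for ftptest so the ownership check is real
mkdir -p "$JAIL/ftptest" "$JAIL/sloppy"
chmod 700 "$JAIL/ftptest"; chmod 755 "$JAIL/sloppy"
printf '%s\n' /usr/local/bin/rssh /bin/sh > "$SAMPLE/shells"
printf '%s\n' \
  "$ME:x:104:100:FTP Test User:$JAIL/ftptest:/usr/local/bin/rssh" \
  "sloppy:x:105:100:World-readable home:$JAIL/sloppy:/usr/local/bin/rssh" \
  "escapee:x:106:100:Home outside the jail:$SAMPLE/export/home/escapee:/usr/local/bin/rssh" \
  "noshell:x:107:100:Shell not in shells:$JAIL/ftptest:/usr/bin/bash" > "$SAMPLE/passwd"
printf '%s\n' '# sample: the jail line is still commented out' '#DefaultRoot ~' > "$SAMPLE/stock.conf"
printf '%s\n' 'ServerName "FTP jail"' 'DefaultRoot ~' 'RequireValidShell on' > "$SAMPLE/jailed.conf"

# Expected: stock.conf FAILs, jailed.conf is OK; only $ME passes the
# account checks, the other three each fail for a different reason.
for c in stock jailed; do check_conf "$SAMPLE/$c.conf" || :; done
for u in "$ME" sloppy escapee noshell; do
    check_account "$SAMPLE/passwd" "$SAMPLE/shells" "$JAIL" "$u" || :
done
```

Against the live system the calls are check_conf /usr/local/etc/proftpd.conf and check_account /etc/passwd /etc/shells /export/home/chroot ftptest. The directive lookup deliberately takes the last active occurrence and ignores section scoping, which is enough for the flat config this post uses but not for a config with several virtual hosts.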

# ps -ef |grep ftp
ftptest2  4951  4430   0 10:38:45 ?           0:00 /usr/local/sbin/proftpd
nobody  4430     1   0 10:20:35 ?           0:00 /usr/local/sbin/proftpd
root  5193  4197   0 12:43:10 pts/2       0:00 grep ftp

Make sure you don't see anything other than proftpd running (remember, we stopped the default in.ftpd service earlier). What you see above is the master proftpd process running as nobody and a per-session child that has switched to the logged-in user; that is the expected shape.

# /usr/local/sbin/proftpd -vv
 - mod_tls/2.2.1: compiled using OpenSSL version 'OpenSSL 0.9.8k 25 Mar 2009' headers, but linked to OpenSSL version 'OpenSSL 0.9.8n 24 Mar 2010' library
ProFTPD Version: 1.3.2 (stable)
Scoreboard Version: 01040002
Built: Wed May 13 16:36:46 EDT 2009

Loaded modules:
mod_tls/2.2.1
mod_md5fs.c
mod_readme.c
mod_auth_pam/1.1
mod_ident/1.0
mod_facts/0.1
mod_delay/0.6
mod_site.c
mod_log.c
mod_ls.c
mod_auth.c
mod_auth_file/0.8.3
mod_auth_unix.c
mod_xfer.c
mod_core.c

And that's it 🙂 Go and test it to ensure you have achieved the expected results. One thing worth noticing in the -vv output above is the mod_tls line: this proftpd build was compiled against OpenSSL 0.9.8 headers and is linked to the 0.9.8n library, not to the openssl-1.0.0 package we installed; that becomes relevant once mod_tls comes into play in Part II.

This is exactly what I was expecting. Log in as the jailed user, then try cd .. and cd / with a pwd after each; inside a DefaultRoot jail the home directory is the root, so pwd has to keep answering "/". Make sure you cannot move out of this dir and you are all set… 🙂
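To make that "can I get out?" test repeatable rather than a one-off interactive session, here is an added example (not from the original post) that scripts the session with the stock ftp client and then judges the transcript: probe_jail logs in, runs cd .. and cd / with a pwd after each, and jail_holds passes only if the login succeeded and every 257 (PWD) reply names "/". The host, user and password are whatever you pass in; the two transcripts at the bottom are constructed in ProFTPD's reply format, not captured from a real server, so the judge can be exercised with no network at all.

```sh
#!/bin/sh
# jail_probe.sh -- added example, not part of the original post.
# Live:   probe_jail ftp.example.test ftptest 'secret' | jail_holds && echo jailed
# Saved:  jail_holds < transcript.txt
AWK=${AWK:-awk}          # Solaris 10: AWK=nawk (/usr/bin/awk is the old awk)

# Drive one scripted control-channel session and emit the server's replies.
# -n disables auto-login so the 'user' command supplies the credentials;
# -v makes the client print every reply line, including the 257 PWD replies.
probe_jail() {
    ftp -n -v "$1" <<EOF
user $2 $3
pwd
cd ..
pwd
cd /
pwd
quit
EOF
}

# Read a transcript on stdin. Inside a DefaultRoot jail the user's home is
# the filesystem root, so after 'cd ..' and 'cd /' the reply must still be
#   257 "/" is the current directory
# Exit 0 only if the login succeeded (a 230 reply), at least one PWD reply
# was seen, and none of them named a directory other than "/".
jail_holds() {
    $AWK '
        /^230 / { loggedin = 1 }
        /^257 / { pwds++; if ($2 != "\"/\"") escaped++ }
        END { exit !(loggedin && pwds > 0 && escaped == 0) }
    '
}

# Constructed transcripts (not captured from a real server).
JAILED_TRANSCRIPT='220 ProFTPD 1.3.2 Server ready.
331 Password required for ftptest
230 User ftptest logged in
257 "/" is the current directory
250 CWD command successful
257 "/" is the current directory
250 CWD command successful
257 "/" is the current directory
221 Goodbye.'

ESCAPED_TRANSCRIPT='220 ProFTPD 1.3.2 Server ready.
331 Password required for ftptest
230 User ftptest logged in
257 "/export/home/chroot/ftptest" is the current directory
250 CWD command successful
257 "/export/home/chroot" is the current directory
250 CWD command successful
257 "/" is the current directory
221 Goodbye.'

printf '%s\n' "$JAILED_TRANSCRIPT"  | jail_holds && echo "jailed:  user cannot leave the home directory"
printf '%s\n' "$ESCAPED_TRANSCRIPT" | jail_holds || echo "ESCAPED: DefaultRoot is not in effect"
```

Note what the second transcript shows: the final pwd does say "/", but only because cd / reached the real root, which is exactly why the judge looks at every PWD reply and not just the last one. A failed login (no 230 line) is also reported as a failure rather than a pass, so a wrong password cannot masquerade as a working jail.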

So this is all fine and dandy, but who wants to use regular FTP, with the password and every file crossing the wire in the clear?  I would hope no one in a business environment, anyway… Part II deals with using the mod_tls module packaged with proftpd.  For whatever reason, it was actually a pretty big pain in the a$$ to get this whole thing working…
