I have been lurking on this list for several months, and now
it's time to come out of the closet.
I am currently looking at 'upgrading' our current defence
mechanisms for this site to a firewall based on the TIS toolkit.
I have had little trouble sorting out the basic toolkit elements,
(well done to all the folks who contributed to the kit),
but now I'm wrestling with the more thorny problem of inbound FTP
and when to chroot.
I would like to be able to:
use netacl as a wrapper to start up a self-built version of in.ftpd
in a chrooted environment under ~ftp (no probs so far)
I would like this in.ftpd to use ~ftp/passwd & group files, but
prevent ANYONE from pulling any of these config files (such as passwd) from
this path. OK, it's not the _real_ passwd file, but it could still cause aggro.
So far I have been looking at the wuarchive.wustl.edu implementation
of ftpd, but haven't been able to figure out how to stop access
to the ~ftp/etc files without performing a second chroot to a 'guestgroup'.
This has surely been done before and better by someone on the net.
1: Does anyone have a favourite ftpd that does this (perhaps via inode
checking to prevent access to specific files)?
2: Is it sensible in the first place to wrap the entire ftpd in a chroot?
3: Is the second chroot any use at all, or is there a better way?
Replies may take some time as I currently only take the digestified Firewalls.
(-; also we people in Europe are always several hours AHEAD of the USA ;-)
Thanks in advance,
and have a nice day.
Ray Hunter: Cray Systems on contract to the European Space Agency
Tel. +49 6151 902953 FAX.+49 6151 902908
Room B107, ESOC, Robert Bosch Strasse 5, 64293 DARMSTADT, Germany
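The inode-checking idea from question 1, sketched as an added illustration (not code from the poster, the TIS toolkit or wu-ftpd): a chrooted ftpd registers the files it must never serve (such as /etc/passwd as seen inside ~ftp) by device and inode, then refuses a RETR whose target resolves to one of them, whatever name the client used. The function names, the table size and the fail-closed behaviour are assumptions of this example.

```c
#include <sys/stat.h>
#include <sys/types.h>

#define MAX_PROTECTED 16

/* A protected file is remembered by identity (device + inode), not name,
 * so "etc/../etc/passwd", a hard link or a symlink to it are all caught. */
struct file_id { dev_t dev; ino_t ino; };
static struct file_id guarded[MAX_PROTECTED];
static int n_guarded;

void protect_clear(void) { n_guarded = 0; }   /* e.g. before a reload */

/* Register one file, by path as seen inside the chroot ("/etc/passwd").
 * Returns 0 on success, -1 if the table is full or the file is absent. */
int protect_file(const char *path)
{
    struct stat st;
    if (n_guarded >= MAX_PROTECTED || stat(path, &st) != 0)
        return -1;
    guarded[n_guarded].dev = st.st_dev;
    guarded[n_guarded].ino = st.st_ino;
    n_guarded++;
    return 0;
}

static int allowed_by_id(const struct stat *st)   /* 1 = allow, 0 = deny */
{
    int i;
    for (i = 0; i < n_guarded; i++)
        if (st->st_dev == guarded[i].dev && st->st_ino == guarded[i].ino)
            return 0;
    return 1;
}

/* Name-based check before RETR.  stat() follows symlinks; fails closed
 * (deny) when the path cannot be examined at all. */
int retrieve_allowed(const char *requested)
{
    struct stat st;
    return stat(requested, &st) == 0 ? allowed_by_id(&st) : 0;
}

/* Better for a real daemon: check the descriptor it actually opened, so the
 * file cannot be swapped between the check and the read. */
int retrieve_allowed_fd(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? allowed_by_id(&st) : 0;
}
```

Directory permissions alone (mode 111 on ~ftp/etc) hide the listing but not a file requested by name, which is why the check keys on identity rather than on the path string.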