________________________________________________________________________
Applicable Environment
________________________________________________________________________
- Topic: How to set up an ftp chroot environment
- SDP: 4.25, 6.3.0SP3, 6.4.1, 6.5.0
- Target: Any supported target
________________________________________________________________________
Recommendation
________________________________________________________________________
How to set up an ftp chroot environment
------------------------------------------------------------------------------
Overview
------------------------------------------------------------------------------
The basic idea is that chroot "changes the root (/)" for a user. In the case of ftp, the new root is the user's home directory. What this means is that when the user is logged in via ftp, the client sees /home/username as / and interprets everything from there. This means that anything outside /home/username is completely inaccessible to the user. If an app is needed, it must be added to the user's home directory as it would to a regular QNX installation (usually in /bin, which translates to /home/username/bin in the ftp chroot jail). The following is an example of how to add ls to a chroot ftp jail.
------------------------------------------------------------------------------
Create a new user/group
------------------------------------------------------------------------------
1. Username: ftpguest
2. Home directory: /home/ftpguest
3. Group: [ftp group]
For information on Managing User Accounts under QNX/Neutrino:
6.5.0:
http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_user_guide/accounts.html
6.4.1:
http://www.qnx.com/developers/docs/6.4.1/neutrino/user_guide/accounts.html
6.3.0 SP3:
http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/user_guide/accounts.html
4.25:
http://www.qnx.com/developers/docs/qnx_4.25_docs/qnx4/user_guide/accounts.html
------------------------------------------------------------------------------
Make sure ftp will work
------------------------------------------------------------------------------
1. Make sure that the file /etc/ftpusers exists and that it either has * (everyone) or the ftp user(s) listed.
For more information on this:
6.5.0:
http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_utilities/f/ftpusers.html
6.4.1:
http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/f/ftpusers.html
6.3.0 SP3:
http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/f/ftpusers.html
------------------------------------------------------------------------------
Create the chroot jail
------------------------------------------------------------------------------
1. Add the user to /etc/ftpchroot
-----a. Simply add the username on a line by itself
For more information:
6.5.0:
http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_utilities/f/ftpchroot.html
6.4.1:
http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/f/ftpchroot.html
6.3.0 SP3:
http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/f/ftpchroot.html
------------------------------------------------------------------------------
Find out what we need for the app we want to add to the user's chroot jail
------------------------------------------------------------------------------
1. Run objdump on the app, like this:
-----a. "C:\QNX650\host\win32\x86\usr\bin\ntox86-objdump.exe" -x "C:\QNX650\target\qnx6\x86\bin\ls" | grep "NEEDED"
-----b. The location of objdump and ls might be different, depending on the Momentics install location.
-----c. Make sure to pick the correct binary to run against; in this case we used the x86 version of ls, but an ARM processor would have required the ARM version.
2. The output of objdump lists the libraries needed to run the program.
Example - ls
D:\>ntox86-objdump.exe -x C:\QNX650\target\qnx6\x86\bin\ls | grep NEEDED
  NEEDED               libc.so.3
In this case, we can see that we'll need libc.so.3. Knowing we're running on an x86 platform, we can find libc.so.3 at:
C:\QNX650\target\qnx6\x86\lib\libc.so.3 (path may vary depending on Momentics install)
------------------------------------------------------------------------------
Set up the home directory for the app we want to use
------------------------------------------------------------------------------
1. /home/ftpguest/bin
2. /home/ftpguest/usr/
3. /home/ftpguest/usr/lib
Copy over the binary and library. In the case of ls, our example, we only need one library file. Here's where it gets a bit tricky, though. The file needed is libc.so.3, but the file that will be looked for is ldqnx.so.2, which is located in /usr/lib on a QNX target and is actually just a link to /proc/boot/libc.so.3. This is also the case for any other app, so wherever libc.so.3 is needed, the copy placed in the jail will need to be renamed.
1. Copy C:\QNX650\target\qnx6\x86\lib\libc.so.3 into the newly created home folder under /home/ftpguest/usr/lib
2. Rename the file from libc.so.3 to ldqnx.so.2
NOTE: This guide assumes 6.5 or later. For 6.4 and lower versions, libc.so.2 might be specified as needed by objdump. This is still renamed to ldqnx.so.2; it's simply an older version of libc.
For more information about finding needed libraries:
6.5.0:
http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_building/config.html
6.4.1:
http://www.qnx.com/developers/docs/6.4.1/neutrino/building/config.html
6.3.0 SP3:
http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/building/config.html
------------------------------------------------------------------------------
Change the permissions
------------------------------------------------------------------------------
1. chown -R ftpguest /home/ftpguest
2. chgrp -R [ftp group] /home/ftpguest
-----a. I actually set the group to root which means only a root user can change the programs or libraries (or the owner). The only thing to watch for here is that the group has to be one that the admin user has access to (if the admin user isn't root).
For more information on file permissions:
6.5.0:
http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_user_guide/files.html
6.4.1:
http://www.qnx.com/developers/docs/6.4.1/neutrino/user_guide/files.html
6.3.0 SP3:
http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/user_guide/files.html
4.25:
http://www.qnx.com/developers/docs/qnx_4.25_docs/qnx4/user_guide/accounts.html#FILEPERM
That's it, we've created a user and a jail for them. We then added ls and the library it needs, making sure to put them in the correct locations. This example will work out of the box but it would be a good idea to further delve into permissions for the files and directories, although that isn't strictly necessary. Any Unix file permission tutorial will suffice for that.
An important note to add is that the jailed user cannot access anything outside their jail, which in this case means nothing outside (above) their home directory in the filesystem tree. This is to prevent the user from accessing system files. For the same reason, symlinks in the user's directory that point outside the jail will fail with an error.
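The jail build steps above, collected into one POSIX sh script as an added example (not code from the QNX article): it parses the saved objdump listing for NEEDED entries, applies the libc.so.3/libc.so.2 to ldqnx.so.2 rename, lays out bin and usr/lib under the user's home, and counts symlinks that would be dangling once the user is chrooted. The staging-tree layout, the saved objdump file name and the RUN_CHOWN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the QNX article. The staging tree mimics
# Momentics' target/qnx6/x86 (bin/, lib/) plus a saved "objdump -x" listing.

# Map the library objdump reports as NEEDED to the name the loader will
# open inside the jail: libc.so.3 (6.5) and libc.so.2 (6.4 and earlier)
# are both installed as usr/lib/ldqnx.so.2; anything else keeps its name.
jail_lib_name() {
    case "$1" in
        libc.so.2|libc.so.3) echo "ldqnx.so.2" ;;
        *) echo "$1" ;;
    esac
}

# Print the NEEDED entries from an "objdump -x" listing read on stdin.
needed_libs() {
    awk '$1 == "NEEDED" { print $2 }'
}

# $1 = jail (the user's home), $2 = staging tree, $3 = app name.
# Expects $2/bin/$3, $2/lib/<libs> and $2/$3.objdump (saved objdump output).
build_jail() {
    jail=$1; stage=$2; app=$3
    mkdir -p "$jail/bin" "$jail/usr/lib" || return 1
    cp "$stage/bin/$app" "$jail/bin/$app" || return 1
    for lib in $(needed_libs < "$stage/$app.objdump"); do
        cp "$stage/lib/$lib" "$jail/usr/lib/$(jail_lib_name "$lib")" || return 1
    done
    # Ownership as in the article; needs root, so only when RUN_CHOWN=1.
    if [ "${RUN_CHOWN:-0}" = 1 ]; then
        chown -R ftpguest "$jail" && chgrp -R root "$jail"
    fi
}

# Count symlinks that will be dangling once chrooted: the kernel resolves an
# absolute target against the jail root, so /proc/boot/libc.so.3 does not
# exist there. Relative links that climb out with .. are not caught here.
dangling_in_jail() {
    jail=$1; count=0
    for l in $(find "$jail" -type l); do
        t=$(readlink "$l")
        case "$t" in
            /*) t="$jail$t" ;;
            *)  t="$(dirname "$l")/$t" ;;
        esac
        [ -e "$t" ] || count=$((count + 1))
    done
    echo "$count"
}
```

Run the audit again after any later change to the user's home directory, since a link copied in from the real system (such as one into /proc/boot) is exactly the kind that breaks inside the jail.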
________________________________________________________________________
NOTE:
This entry has been validated against the SDP version listed above. Use caution when considering this advice for any other SDP version. For supported releases, please reach out to QNX Technical Support if you have any questions/concerns.
________________________________________________________________________