An analysis of establishing chroot FTP service in FreeBSD

Source: Internet
Author: User

1. Prepare the basic chroot environment

Before entering the chroot environment we need to prepare the appropriate settings. In this example we intend to chroot ftpd into the /var/chroot directory.

Because the system's own ftpd lives in the /usr/libexec/ directory, we first recreate that path under /var/chroot:
  
matthew@bsd# mkdir -p /var/chroot/usr/libexec
  
Then copy the ftpd to the directory:
  
matthew@bsd# install -c /usr/libexec/ftpd /var/chroot/usr/libexec
  
The next thing to do is to copy the shared libraries ftpd requires into the chroot directory. We can use ldd to find out which libraries ftpd needs at run time:
  
matthew@bsd# ldd /usr/libexec/ftpd
/usr/libexec/ftpd:
    libskey.so.2 => /usr/lib/libskey.so.2 (0x28074000)
    libmd.so.2 => /usr/lib/libmd.so.2 (0x2807b000)
    libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28084000)
    libutil.so.3 => /usr/lib/libutil.so.3 (0x2809d000)
    libpam.so.1 => /usr/lib/libpam.so.1 (0x280a6000)
    libc.so.4 => /usr/lib/libc.so.4 (0x280af000)
  
The ldd output lists the libraries ftpd needs at run time; now we just have to install each of them into our chroot directory:
  
matthew@bsd# mkdir -p /var/chroot/usr/lib
matthew@bsd# install -c /usr/lib/libskey.so.2 /var/chroot/usr/lib
matthew@bsd# install -c /usr/lib/libmd.so.2 /var/chroot/usr/lib
matthew@bsd# install -c /usr/lib/libcrypt.so.2 /var/chroot/usr/lib
matthew@bsd# install -c /usr/lib/libutil.so.3 /var/chroot/usr/lib
matthew@bsd# install -c /usr/lib/libpam.so.1 /var/chroot/usr/lib
matthew@bsd# install -c /usr/lib/libc.so.4 /var/chroot/usr/lib
  
2. Enter the chroot environment for the first time

Now we can try to see whether ftpd runs in our chroot environment:
  
matthew@bsd# chroot /var/chroot /usr/libexec/ftpd
ELF interpreter /usr/libexec/ld-elf.so.1 not found
  
The program fails: the message says that /usr/libexec is also missing the file ld-elf.so.1 (the ELF dynamic linker). Because our ftpd now runs inside the chroot environment, we must copy ld-elf.so.1 into the chroot as well, that is, into /var/chroot/usr/libexec:
  
matthew@bsd# install -c /usr/libexec/ld-elf.so.1 /var/chroot/usr/libexec
  
Now we try to get into our chroot environment again:
  
matthew@bsd# chroot /var/chroot /usr/libexec/ftpd
  
This time there is no error message, so our runtime is ready. However, ftpd exits immediately when it is run without the -D (daemon mode) parameter, so we still cannot log on to the FTP service remotely. Next we try to pass the -D parameter to ftpd:
  
matthew@bsd# chroot /var/chroot /usr/libexec/ftpd -D
  
The result is the same as last time. Looking at the chroot(8) manual page, we see that the chroot syntax is: chroot newroot [command]

That is, the command cannot be followed by its own arguments, so we write a simple shell script that runs ftpd. It is named ftpd.sh, stored in /var/chroot/usr/libexec, and reads:
  
#!/bin/sh
/usr/libexec/ftpd -D -4
  
Since we don't need IPv6 support, we added the -4 parameter to restrict ftpd to IPv4; you can add other parameters as well.

Next, add execute permission to the script:

matthew@bsd# chmod a+x /var/chroot/usr/libexec/ftpd.sh

To run this script, we also need to copy /bin/sh into our chroot environment:

matthew@bsd# mkdir /var/chroot/bin
matthew@bsd# install -c /bin/sh /var/chroot/bin
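The manual copy steps above (binary, ELF interpreter, every library ldd lists, and the ftpd.sh wrapper) can be scripted. This is an added example, not code from the original article; it assumes an install(1) that accepts -c and an ldd(1) whose output lines look like the article's listing (`libskey.so.2 => /usr/lib/libskey.so.2 (0x28074000)`). Paths such as /var/chroot and ld-elf.so.1 are the article's; run it as root on the FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the original article: automate the
# "copy the binary, its ELF interpreter and every library ldd lists"
# steps of sections 1 and 2. Assumes install(1) accepts -c and that
# ldd(1) prints lines of the form shown in the article:
#   libskey.so.2 => /usr/lib/libskey.so.2 (0x28074000)

# Read ldd output on stdin and print only the resolved library paths.
# Lines without "=>" (the interpreter itself, a vdso) and "not found"
# entries are skipped, so the caller sees exactly what must be copied.
ldd_paths() {
    sed -n 's/.*=> *\([^ ]*\.so[^ ]*\).*/\1/p'
}

# Copy FILE into ROOT under the same path, creating the directory first
# (the article's mkdir -p / install -c pairs, done for one file).
install_into() {
    root=$1; file=$2
    mkdir -p "$root$(dirname "$file")"
    install -c "$file" "$root$(dirname "$file")"
}

# Populate ROOT with BIN, the dynamic linker INTERP, and BIN's libraries.
populate_chroot() {
    root=$1; bin=$2; interp=$3
    install_into "$root" "$bin"
    install_into "$root" "$interp"
    for lib in $(ldd "$bin" | ldd_paths); do
        install_into "$root" "$lib"
    done
}

# Write the article's wrapper script (chroot(8) on that FreeBSD version
# passes no arguments to the command) and make it executable.
write_wrapper() {
    root=$1
    mkdir -p "$root/usr/libexec"
    printf '#!/bin/sh\n/usr/libexec/ftpd -D -4\n' > "$root/usr/libexec/ftpd.sh"
    chmod a+x "$root/usr/libexec/ftpd.sh"
}

# Usage on the FreeBSD host described in the article:
#   populate_chroot /var/chroot /usr/libexec/ftpd /usr/libexec/ld-elf.so.1
#   populate_chroot /var/chroot /bin/sh /usr/libexec/ld-elf.so.1
#   write_wrapper /var/chroot
```

Re-run populate_chroot after every ftpd or libc upgrade on the host, since the copies inside /var/chroot do not follow the system's updates.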

Next we prepare the /etc directory for the chroot environment. The first file to copy is /etc/services, because it defines the port number and protocol used by ftpd:

matthew@bsd# mkdir /var/chroot/etc
matthew@bsd# cp /etc/services /var/chroot/etc

Because ftpd needs to authenticate users, you also need to copy master.passwd and group:

matthew@bsd# cp /etc/group /var/chroot/etc
matthew@bsd# cp /etc/master.passwd /var/chroot/etc

Edit /var/chroot/etc/master.passwd and /var/chroot/etc/group and delete the users and groups that do not need FTP access. Note that whenever you change master.passwd you must run pwd_mkdb to regenerate the password database. Because we need the database files stored in /var/chroot/etc instead of the default /etc, specify the database location with the -d parameter of pwd_mkdb:

matthew@bsd# pwd_mkdb -d /var/chroot/etc /var/chroot/etc/master.passwd

If this succeeds you will see two more files in the /var/chroot/etc/ directory: pwd.db and spwd.db.

Let us once again enter our chroot environment:
  
matthew@bsd# chroot /var/chroot /usr/libexec/ftpd.sh
  
Now we can log in to the FTP server running in this chroot.
  
3. Finishing work

Create a home directory for each user, and note that it must be created under /var/chroot/home.

Create the ftpusers file in /var/chroot/etc/ and list in it the names of the users who are not allowed to log on to FTP, to prevent those users from logging in.

Create the ftpchroot file in /var/chroot/etc/; it restricts the listed users to the files in their own home directory and denies access to anything outside it. Add the names of the users you want to restrict.

Create the ftpwelcome file in /var/chroot/etc/; it is used to display a welcome message when a user connects to our server.

Create the ftpmotd file in /var/chroot/etc/; it is used to display a message of the day after a user logs in to the server.
