ProFTPD module mod_vroot
This module is contained in the mod_vroot.c file for ProFTPD 1.3.x, and is not compiled by default. Installation instructions are discussed here.
The purpose of this module is to implement a virtual chroot capability that does not require root privileges. The mod_vroot module provides this capability by using ProFTPD's FS API, available as of 1.2.8rc1.
The most current version of mod_vroot can be found at:
http://www.castaglia.org/proftpd/
Author
Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.
Thanks
2003-08-26: Thanks to Oskar Liljeblad for the elegant patch that added symlink support.
Directives
VRootAlias
Syntax: VRootAlias src-path dst-path
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.3.2 and later
The VRootAlias directive is used to create an "alias" of a directory outside of the chroot area into the chroot. The dst-path parameter is a relative path, relative to the chroot area (i.e. the directory in which the session starts). The src-path parameter, on the other hand, is an absolute path, and may be to a file or directory.
For example, you might map a shared upload directory into a user's home directory using:
    <IfModule mod_vroot.c>
      VRootEngine on
      DefaultRoot ~
      VRootAlias /var/ftp/upload ~/upload
    </IfModule>
This will automatically cause an "upload" directory to appear in the chroot area (in this case, the user's home directory). Note that this directive will not work if the VRootServerRoot directive is used.
VRootEngine
Syntax: VRootEngine on|off
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.2.8rc1 and later
The VRootEngine directive enables the virtual chroot engine implemented by mod_vroot. If enabled, the virtual chroot will be used in place of the operating system's chroot(2). This directive affects any DefaultRoot directives and any <Anonymous> contexts within the server context in which the VRootEngine directive appears.
VRootLog
Syntax: VRootLog file
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.3.0rc1 and later
The VRootLog directive is used to specify a log file for mod_vroot's reporting on a per-server basis. The file parameter given must be the full path to the file to use for logging.
VRootOptions
Syntax: VRootOptions opt1 ...
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.2.9rc2 and later
The VRootOptions directive is used to configure various optional behaviors of mod_vroot.
Example:
    VRootOptions allowSymlinks
The currently implemented options are:
allowSymlinks
    Normally, any symlinks that point outside of the vroot area simply do not work. When the allowSymlinks option is enabled, these symlinks will be allowed. Note that by enabling symlinks, the efficacy of the vroot "jail" is reduced.
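An added example (not part of the mod_vroot documentation or code): a Python audit that lists the symlinks under a vroot directory whose targets resolve outside it, which are the links that become usable once allowSymlinks is enabled. The function names, the allowed_targets parameter and the sample directory layout are assumptions made for illustration.

```python
import os
import tempfile


def escaping_symlinks(vroot, allowed_targets=()):
    """Return sorted (link, resolved_target) pairs for symlinks under vroot
    whose targets resolve outside vroot and outside every allowed target."""
    root = os.path.realpath(vroot)
    allowed = [os.path.realpath(p) for p in allowed_targets]

    def inside(path, base):
        # commonpath avoids the "/srv/ftp" vs "/srv/ftp-old" prefix mistake.
        return os.path.commonpath([path, base]) == base

    findings = []
    # followlinks=False: never descend through a symlinked directory.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)  # resolves link chains and ".."
            if inside(target, root) or any(inside(target, a) for a in allowed):
                continue
            findings.append((os.path.relpath(link, root), target))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout: one vroot and one shared directory outside it."""
    vroot = os.path.join(base, "home", "alice")
    shared = os.path.join(base, "shared", "upload")
    os.makedirs(os.path.join(vroot, "docs"))
    os.makedirs(shared)
    # Stays inside the vroot: not reported.
    os.symlink(os.path.join(vroot, "docs"), os.path.join(vroot, "docs-link"))
    # Absolute link that leaves the vroot.
    os.symlink(shared, os.path.join(vroot, "upload"))
    # Relative link that climbs out of the vroot to base/shared.
    os.symlink("../../../shared", os.path.join(vroot, "docs", "up"))
    return vroot, shared


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        vroot, shared = build_sample_tree(base)
        for link, target in escaping_symlinks(vroot):
            print(f"{link} -> {target}")
```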
VRootServerRoot
Syntax: VRootServerRoot path
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.3.2rc1 and later
The VRootServerRoot directive is used to configure a directory to which the mod_vroot module will perform a real chroot. The idea is that each <VirtualHost> can have its own directory to which a real chroot(2) system call is made; the user-specific home directories will be virtual roots underneath this directory. Thus some measure of security, via the chroot(2) system call, is provided by the kernel, while still allowing symlinked shared folders among users of this <VirtualHost>.
For example:
    <VirtualHost a.b.c.d>
      VRootEngine on
      VRootServerRoot /etc/ftpd/a.b.c.d/
      VRootOptions allowSymlinks
      DefaultRoot ~
      ...
    </VirtualHost>
See also: VRootOptions
Installation
After unpacking and patching the latest proftpd-1.3.x source code, copy the mod_vroot.c file into:
    proftpd-dir/contrib/
Then follow the normal steps for using third-party modules in proftpd:
    ./configure --with-modules=mod_vroot
    make
    make install
Author: $Author: tj $
Last Updated: $Date: 2009/10/19 16:30:18 $
© Copyright 2000-2009 TJ Saunders
All Rights Reserved