Michael C. Richardson
Sandelman Software Works Inc.
mcr@sandelman.ottawa.on.ca
November 1, 1997
SurfServers provides virtual domain hosting. Customers use FTP to update their web pages. Occasionally, customers would prefer to login to the web servers and edit files directly, or change file ownership modes. This document describes a project to provide a login facility without compromising the web server system security.
Users need to login, be chrooted to their home directory, and have access to the following utilities:
The home directories of users are currently set up for FTP access. The FTP server chroots to the user's home directory to keep the user from accessing files outside of their control.
The home directory currently has:
    host:~ $ ls -lR
    total 3
    drwxr-xr-x  2 root  client     512 Oct 29 20:00 bin
    drwxr-xr-x  2 root  client     512 Oct 30 14:17 etc
    drwxr-xr-x  2 root  client     512 Oct 29 20:00 shlib

    ./bin:
    total 123
    -r-xr-xr-x  1 root  client    6600 Oct 29 20:00 compress
    -r-xr-xr-x  1 root  client   45056 Oct 29 20:00 gzip
    -r-xr-xr-x  1 root  client    7200 Oct 29 20:00 ls
    -r-xr-xr-x  1 root  client   65536 Oct 29 20:00 pax

    ./etc:
    total 2
    -r--r--r--  1 root  client     307 Oct 29 20:00 group
    -r--r--r--  1 root  client     107 Oct 29 20:00 localtime

    ./shlib:
    total 424
    -r-xr-xr-x  1 root  client  419972 Oct 29 20:00 libc_s.3.0.0
At present there is already a virtual root for POP mail account maintenance. The web pages, however, are not kept at this location, nor are the virtual host and virtual POP areas kept together.
The virtual mail and virtual POP facility will be adjusted to use the login ID's home directory for all information. This eliminates the need for the /var/virtualmail directory. The contents of each directory will be merged with the corresponding directory in /var/www.
It is proposed that the names used in /var/www be the domain name (minus any www prefix) rather than the login ID used to maintain the directory.
The additional programs: pico, chmod, sh, rm, mv, cp, and unzip will be added. Appropriate terminal definitions will be added.
The BSDi login program is very flexible, but cannot provide the required function: namely, chrooting to the home directory before invoking the shell.
A small wrapper for the user's shell will be written. There are two ways that this can be done:
From a security point of view, a disadvantage of option 1 is that programs in the chroot'ed area will be run as root (telnetd, login, ftpd). In addition, changes would be required to the FTP system, which would otherwise be unchanged.
A disadvantage of option 2 is that a set-user-id program is required, since chroot(2) can only be called by the superuser. The wrapper needs root only for that one call and must drop to the user's own uid and gid before executing the shell. The program is very small, and it should be easy to determine that all error conditions are handled properly. Option 2 is recommended.
A third option is to modify the BSDi /bin/login source code. With the BSDi source code, it would be an easy change; without a source code license it is not possible. A change request for a chroot option should be made to BSDi.
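The following C program is an added example of how the set-user-id wrapper of option 2 would be written; it is not the wrapper delivered under this proposal, whose source is not reproduced here. It assumes the program is installed as the user's login shell, that the shell inside the jail is the customer's bin/sh (the JAIL_SHELL name and the "chroot-shell" error prefix are assumptions), and it takes the chroot target only from the password file, never from the environment. The order of operations is the security-relevant part: validate the home directory, chroot(2) while still root, chdir to the new root, drop supplementary groups, gid and uid, verify that root cannot be regained, and only then exec the shell with a clean environment.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Shell inside the jail, i.e. $HOME/bin/sh after chroot (assumption). */
#define JAIL_SHELL "/bin/sh"

/*
 * The chroot target comes from pw_dir, but is still checked: it must be an
 * absolute path other than "/" and contain no ".." component.
 * Returns 1 if acceptable, 0 otherwise.
 */
int home_is_safe(const char *home)
{
    const char *p;

    if (home == NULL || home[0] != '/' || home[1] == '\0')
        return 0;                          /* relative, empty, or "/" */
    for (p = home; *p != '\0'; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                      /* ".." component */
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

/* argv[0] for a login shell: "-" plus the shell's basename ("/bin/sh" -> "-sh").
 * Returns a pointer to static storage. */
const char *login_argv0(const char *shell)
{
    static char buf[64];
    const char *base = strrchr(shell, '/');

    base = base ? base + 1 : shell;
    snprintf(buf, sizeof buf, "-%s", base);
    return buf;
}

/*
 * Permanently give up root: supplementary groups first, then gid, then uid,
 * then prove the drop worked by checking that root cannot be regained.
 * Returns 0 on success, -1 on any failure.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t groups[1];

    if (uid == 0 || gid == 0)
        return -1;                         /* never hand out a root shell */
    groups[0] = gid;
    if (setgroups(1, groups) != 0)
        return -1;
    if (setgid(gid) != 0 || getgid() != gid)
        return -1;
    if (setuid(uid) != 0 || getuid() != uid)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;                         /* root still reachable: abort */
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid()); /* real uid as set by login(1) */
    const char *t;
    char term[64];
    char *argv[2];
    char *envp[4];

    if (pw == NULL) {
        fputs("chroot-shell: no password entry for this uid\n", stderr);
        return 1;
    }
    if (!home_is_safe(pw->pw_dir)) {
        fprintf(stderr, "chroot-shell: refusing to chroot to %s\n", pw->pw_dir);
        return 1;
    }
    /* chroot(2) needs root, so it precedes the privilege drop; chdir("/")
     * afterwards so the working directory is not left outside the jail. */
    if (chroot(pw->pw_dir) != 0 || chdir("/") != 0) {
        perror("chroot-shell: chroot");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fputs("chroot-shell: could not drop privileges\n", stderr);
        return 1;
    }
    /* Minimal known environment; only TERM is carried over so the editor
     * in the jail can find its terminal definition. */
    t = getenv("TERM");
    snprintf(term, sizeof term, "TERM=%s", t ? t : "dumb");
    argv[0] = (char *)login_argv0(JAIL_SHELL);
    argv[1] = NULL;
    envp[0] = "PATH=/bin";
    envp[1] = "HOME=/";
    envp[2] = term;
    envp[3] = NULL;
    execve(JAIL_SHELL, argv, envp);
    perror("chroot-shell: execve");        /* only reached on failure */
    return 1;
}
```

Installed set-user-id root and listed as the account's shell, the program runs as root only until drop_privileges() returns; any failure on that path exits rather than continuing, so a bug never leaves the user with a root shell. The jail itself must keep bin, etc and shlib root-owned and read-only to the customer, as in the listing above, or the user could replace the binaries the wrapper executes.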
A wrapper to chroot before invoking the user's shell.
The /var/www and /var/virtualmail directories will be merged.
The popmail scripts will be adjusted to put everything in a single directory, and to include the required binaries for secure logins.
The new POPmail scripts will be installed, and the directories merged. The changes will be done by 10am EST. SurfServers will ask their customers to confirm that there are no problems. Any problems that result will be fixed starting at 4pm EST of that day.
The wrapper will be installed to chroot the accounts. It will be tested. Any problems reported will be fixed starting on the morning of 1997/11/5.
The price is US $300. All source code will be provided. Superuser access will be required.
Customer web sites may be down for up to an hour at the time that the directories are merged. It is hoped that the period will in fact be seconds.