Isilon: OneFS 8.X and Later: How to lock (chroot jail) FTP users into a specific directory

Summary: This article describes how to use the isi ftp command to configure access to directories on the cluster for users connecting using FTP.

This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

The following will be covered:

  • Reviewing current FTP settings
  • Explanation of commonly adjusted settings
  • Default Behaviors
  • Routing Users to a Specific Directory
  • Restricting Users to a Directory Tree

Reviewing current FTP settings

sa8004-1# isi ftp view
Accept Timeout: 1m
Allow Anon Access: No
Allow Anon Upload: Yes
Allow Dirlists: Yes
Allow Downloads: Yes
Allow Local Access: Yes
Allow Writes: Yes
Always Chdir Homedir: Yes
Anon Chown Username: root
Anon Password List: -
Anon Root Path: /ifs/home/ftp
Anon Umask: 0077
Ascii Mode: off
Chroot Exception List: -
Chroot Local Mode: none
Connect Timeout: 1m
Data Timeout: 5m
Denied User List: -
Dirlist Localtime: No
Dirlist Names: hide
File Create Perm: 0666
Limit Anon Passwords: No
Local Root Path: -
Local Umask: 0077
Server To Server: No
Session Support: Yes
Session Timeout: 5m
User Config Dir: -
FTP Service Enabled: Yes

Commonly adjusted settings

There are a few settings related to how users are routed on login that often get changed:

  • Always Chdir (change working directory) Homedir (home directory)
    • isi ftp modify --always-chdir-homedir=[true|false]
    • Defines whether every login starts in the user's configured root (Local Root Path, or the home directory when that is unset) regardless of the path supplied at connection time, or whether a user may land directly in another directory
  • Chroot Exception List
    • isi ftp modify --chroot-exception-list=["comma separated list of usernames"]
    • The list of usernames consulted by the two *-with-exceptions values of Chroot Local Mode: under all-with-exceptions these users bypass the chroot, and under none-with-exceptions they are the only users that are chrooted
  • Chroot Local Mode
    • isi ftp modify --chroot-local-mode=['all','all-with-exceptions','none','none-with-exceptions']
    • Defines whether chroot is applied, and to whom
      • all | All users are limited to Local Root Path and its children
      • all-with-exceptions | All users except those in the Chroot Exception List are limited to Local Root Path and its children
      • none | No user is limited to the Local Root Path
      • none-with-exceptions | Only the users in the Chroot Exception List are limited to Local Root Path and its children
  • Local root path
    • isi ftp modify --local-root-path=['/ifs/ftp/path']
    • Defines where FTP users are routed on login. If left blank, it defaults to the user's home directory, so a chrooted user with no Local Root Path set is confined to their own home directory

Default FTP behaviors

Here is how the FTP service will behave by default.

  • Allow Anon Access: No
  • Always Chdir Homedir: Yes
  • Chroot Local Mode: none
  • Local root Path: -

This means that only users that exist on an authentication provider are allowed to access the cluster by FTP. The service always starts a session by placing the user in their home directory, and then lets them browse the rest of the file system freely (subject to normal permission evaluation). Because Local Root Path is undefined, users are routed to the home directory recorded in their user profile. You can check that path with isi auth users view $username | grep Home, where $username is replaced with the username you are checking. Here is an example with a local user:

sa8004-1# isi auth users view xavier | grep Home
Home Directory: /ifs/home/xavier

In the default configuration, the user above would connect to the Isilon, be routed to /ifs/home/xavier (regardless of the path requested at connection time), and could then change directories out of that tree, for example to /ifs/home/, since Chroot Local Mode is set to none.

Routing Users to a Specific Directory

By default, users connecting to the OneFS FTP service are routed to their home directory. However, customers often prefer that FTP behave more like a drop box, with every user landing in the same directory. In that case, all you have to do is edit the setting Local Root Path. This causes users to be routed to that path instead of their home directory. Setting the value back to blank restores routing to home directories.

Here are examples of those commands:

# Routing to /ifs/ftp
sa8004-1# isi ftp modify --local-root-path=/ifs/ftp

# Restoring to default
sa8004-1# isi ftp modify --local-root-path=''

Restricting Users to a Directory Tree

By default, users connecting to the OneFS FTP service can see the entire file system and navigate it as far as their permissions allow (the user must still authenticate, and file permissions still apply). Many customers prefer that their users remain restricted to the portion of the file system relevant to them. This is accomplished with the setting Chroot Local Mode. When that setting applies to a user, they can only navigate to, or see, files underneath their root path. By default it is set to none, but the setting has four modes.

Adjust this setting with isi ftp modify --chroot-local-mode=['all','all-with-exceptions','none','none-with-exceptions']

  • all | User access is limited to Local Root Path and children
  • all-with-exceptions | All users except those in the Chroot Exception List are limited to Local Root Path and children
  • none | User access is not limited to the Local Root Path
  • none-with-exceptions | No users except those in the Chroot Exception List are limited to Local Root Path and children

Add exceptions with isi ftp modify --chroot-exception-list=["comma separated list of usernames"]

Here is an example of limiting all but one user to /ifs/ftp. Because Local Root Path applies to every login, that one user still starts their session in /ifs/ftp, but since they bypass the chroot they can navigate up and see the rest of /ifs/.

# Adding user to exception list
sa8004-1# isi ftp modify --chroot-exception-list=xavier

# Routing all logins to /ifs/ftp
sa8004-1# isi ftp modify --local-root-path=/ifs/ftp

# Limiting everyone except xavier to the Local Root Path
sa8004-1# isi ftp modify --chroot-local-mode=all-with-exceptions
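The four Chroot Local Mode values and the default-behaviour check above are easy to get backwards (the exception list means opposite things under all-with-exceptions and none-with-exceptions). The following shell script is an added example, not part of this article or of OneFS: it models which users end up jailed under each mode, where a login lands given Local Root Path and the home directory, and audits a captured isi ftp view listing for the settings discussed here. The function names are hypothetical, the listings are constructed from this article's output, and the script runs offline on any POSIX shell; to audit a real cluster you would feed it the output of isi ftp view instead of the constructed text.

```shell
#!/bin/sh
# Added example (not from the Dell article or from OneFS). Models the
# Chroot Local Mode semantics described in the article and audits a
# captured "isi ftp view" listing. Function and user names are hypothetical.

# is_chrooted MODE EXCEPTIONS USER
# Prints "yes" if USER is confined to the root path under MODE.
# EXCEPTIONS is the comma-separated Chroot Exception List ("-" means empty).
is_chrooted() {
    mode=$1; exceptions=$2; user=$3
    in_list=no
    if [ "$exceptions" != "-" ] &&
       printf '%s\n' "$exceptions" | tr ',' '\n' | grep -qx -- "$user"; then
        in_list=yes
    fi
    case $mode in
        all)  echo yes ;;
        none) echo no ;;
        all-with-exceptions)   # listed users bypass the jail
            if [ $in_list = yes ]; then echo no; else echo yes; fi ;;
        none-with-exceptions)  # only listed users are jailed
            if [ $in_list = yes ]; then echo yes; else echo no; fi ;;
        *) echo "unknown chroot-local-mode: $mode" >&2; return 1 ;;
    esac
}

# effective_root LOCAL_ROOT_PATH HOMEDIR
# Where a login lands: Local Root Path if set, else the user's home directory.
effective_root() {
    if [ "$1" = "-" ] || [ -z "$1" ]; then echo "$2"; else echo "$1"; fi
}

# ftp_setting LISTING KEY -> value of the "KEY: value" line in the listing
ftp_setting() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# audit_ftp LISTING -> one FINDING/INFO line per item worth a second look
audit_ftp() {
    listing=$1
    mode=$(ftp_setting "$listing" "Chroot Local Mode")
    exc=$(ftp_setting "$listing" "Chroot Exception List")
    root=$(ftp_setting "$listing" "Local Root Path")
    anon=$(ftp_setting "$listing" "Allow Anon Access")
    anon_up=$(ftp_setting "$listing" "Allow Anon Upload")

    case $mode in
        none)
            echo "FINDING: Chroot Local Mode is none; every FTP user can browse all of /ifs that permissions allow" ;;
        none-with-exceptions)
            if [ "$exc" = "-" ]; then
                echo "FINDING: none-with-exceptions with an empty exception list jails nobody"
            fi ;;
        all-with-exceptions)
            if [ "$exc" != "-" ]; then
                echo "INFO: users that bypass the jail: $exc"
            fi ;;
    esac
    if [ "$mode" != none ] && [ "$root" = "-" ]; then
        echo "INFO: Local Root Path unset; jailed users are confined to their own home directory"
    fi
    if [ "$anon" = Yes ] && [ "$anon_up" = Yes ]; then
        echo "FINDING: anonymous access with uploads enabled"
    fi
}

# Constructed listing, matching the article's default "isi ftp view" output.
DEFAULT_LISTING='Allow Anon Access: No
Allow Anon Upload: Yes
Always Chdir Homedir: Yes
Chroot Exception List: -
Chroot Local Mode: none
Local Root Path: -'

# Constructed listing for the same cluster after the "all but xavier" procedure.
JAILED_LISTING='Allow Anon Access: No
Allow Anon Upload: Yes
Always Chdir Homedir: Yes
Chroot Exception List: xavier
Chroot Local Mode: all-with-exceptions
Local Root Path: /ifs/ftp'

audit_ftp "$DEFAULT_LISTING"
audit_ftp "$JAILED_LISTING"
```

The default listing produces one FINDING (chroot disabled); the jailed listing produces only an INFO line naming xavier as the user who can leave /ifs/ftp. Note that none-with-exceptions with an empty list is flagged because it is equivalent to none, which is the kind of misconfiguration that survives a casual glance at isi ftp view.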

Notes

Command Reference:

Affected Products

PowerScale OneFS

Products

Isilon, PowerScale OneFS
Article Properties
Article Number: 000157952
Article Type: How To
Last Modified: 01 Oct 2024
Version:  4