
Ulm's Oberon Library:


FTPUnixPaths - path-based pseudo chroot jails


TYPE PathRec = RECORD (Disciplines.ObjectRec) END;

PROCEDURE CreatePath(VAR path: Path; root, pathname: ARRAY OF CHAR);
PROCEDURE CreateDerivedPath(VAR path: Path; oldpath: Path; pathname: ARRAY OF CHAR);
PROCEDURE GetRelPath(path: Path; VAR pathname: ARRAY OF CHAR);
PROCEDURE GetAbsPath(path: Path; VAR pathname: ARRAY OF CHAR);
PROCEDURE Upward(path: Path);
PROCEDURE ChangeDir(path: Path; dirname: ARRAY OF CHAR);

PROCEDURE CheckAndProcessSymLinks(path: Path; newfile: BOOLEAN; VAR expandedPath: ARRAY OF CHAR; errors: RelatedEvents.Object) : BOOLEAN;


FTPUnixPaths offers path name operations that make it possible to implement pseudo chroot jails for FTP server processes that do not run with the root privileges that chroot(2) would require. To avoid accesses outside a given root directory, care has to be taken with uplinks via ``..'' and with symbolic links that may point outside the chosen file hierarchy.

CreatePath and CreateDerivedPath create paths that may be later manipulated using Upward and ChangeDir. Before accessing a file or directory, CheckAndProcessSymLinks is to be used to convert a path into a pathname free of symbolic links and uplinks which resides inside the simulated chroot jail.

CreatePath creates path out of pathname that is to be taken relative to root, the assumed pseudo root. CreateDerivedPath creates a new path out of oldpath with relative path pathname. The new path shares its root with the old path.

GetRelPath returns the relative uplink-free pathname of path as string, while GetAbsPath returns the absolute uplink-free pathname including its root. Neither GetRelPath nor GetAbsPath check for symlinks.

ChangeDir appends dirname to path. References to the upward directory (``..'') and to the same directory (``.'') are processed as by the constructors CreateDerivedPath and CheckAndProcessSymLinks. Likewise, the upward link of the pseudo root is interpreted to point to the pseudo root itself. Upward is equivalent to ChangeDir with ``..'' as dirname.

CheckAndProcessSymLinks should be used to extract a path name usable for UnixFiles or similar modules before accessing files or directories. It checks the entire path for symbolic links and interprets them relative to the pseudo root of path. The last component of path may be nonexistent if newfile is set to TRUE. On success, a symlink-free absolute path that points inside the pseudo root is returned in expandedPath. Access errors, if any, are related to errors.
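The resolution rules described above, sketched as an added example in Python; this is not the Oberon source of FTPUnixPaths. The names resolve_in_jail, demo and MAX_LINKS are hypothetical, the limit of 16 link expansions is an assumption, and absolute symlink targets are taken to restart at the pseudo root.

```python
import os
import tempfile

MAX_LINKS = 16  # assumed cap on symlink expansions; the page gives no number

def resolve_in_jail(root, pathname, newfile=False):
    """Return a symlink-free absolute path below root, or raise OSError."""
    root = os.path.realpath(root)
    pending = [c for c in pathname.split("/") if c]
    done, links = [], 0            # done: resolved components below root
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            if done:               # ".." of the pseudo root is the root itself
                done.pop()
            continue
        candidate = os.path.join(root, *done, comp)
        if os.path.islink(candidate):
            links += 1
            if links > MAX_LINKS:
                raise OSError("too many symbolic links: " + pathname)
            target = os.readlink(candidate)
            if target.startswith("/"):
                done = []          # absolute target restarts at the pseudo root
            pending = [c for c in target.split("/") if c] + pending
            continue
        if not os.path.lexists(candidate) and not (newfile and not pending):
            raise FileNotFoundError(candidate)
        done.append(comp)
    return os.path.join(root, *done)

def demo():
    """Resolve paths inside a constructed jail that contains hostile symlinks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(os.path.join(tmp, "home"))
        os.makedirs(os.path.join(root, "pub"))
        os.makedirs(os.path.join(root, "etc"))
        os.symlink("/etc", os.path.join(root, "abs"))            # absolute target
        os.symlink("../../..", os.path.join(root, "pub", "up"))  # climbs past root
        def rel(p, **kw):
            return os.path.relpath(resolve_in_jail(root, p, **kw), root)
        return {"dotdot": rel("../../pub"), "abs": rel("abs/passwd", newfile=True),
                "up": rel("pub/up/pub"), "new": rel("pub/new.txt", newfile=True)}
```

demo() returns each resolved path relative to the constructed root, so a result that escaped the jail would show up as a path beginning with "..".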


FTPUnixPaths does not generate any error events on its own.


Pseudo chroot jails are less safe than chroot jails based on chroot(2):

In summary, FTPUnixPaths helps to restrict FTP accesses to a particular directory and below (a home directory, for example) while running without super-user privileges. This is an improvement in comparison to FTP servers that, if not logged in anonymously, provide unrestricted access to the whole file system including shared spaces like /tmp. But it is far from offering the security of a chroot jail based on chroot(2).


FTP command handler that implements file and directory accesses on the basis of this module.


The following limits are silently imposed on all pathnames:
Edited by: borchert, last change: 2001/04/24, revision: 1.1, converted to HTML: 2001/04/24
