GridFTP and chroot

From GridSiteWiki

Using GridFTP from VDT1.2.2rh9_LCG-1. This is probably the simplest way to set up a chroot: using FTP guest accounts. The GridFTP daemon itself still runs with root = /, and the chroot is only done once the user account has been selected. This isn't as secure as a full chroot would be, but it is a lot easier to set up (no need for the Globus shared libraries inside the chroot, etc.)

Basic script to start gridftp:

#!/bin/sh
# Globus shared libraries live outside the usual linker paths
export LD_LIBRARY_PATH=/opt/globus/lib
# directory of pool-account lease files used by the gridmap lookup
export GRIDMAPDIR=/etc/grid-security/gridmapdir
# -s standalone daemon, -p listen on port 2811, -a consult /etc/ftpaccess
/opt/globus/sbin/in.ftpd -v -s -p 2811 -a

The -a option ensures that /etc/ftpaccess is consulted (it is still looked for there, in /etc, even though the rest of Globus is installed under /opt/globus).

/etc/ftpaccess needs to set all users as guest, and you can do this by copying /opt/globus/etc/ftpaccess to /etc/ftpaccess and adding these lines at the end:

guestgroup *
guest-root /grid/local

This means all users will be chroot'ed to /grid/local once they have authenticated.

GridFTP will work fine on the /grid/local filesystem provided by SlashGrid, using the pool accounts directory to map UIDs back to DNs.

If this is done, only directories and symbolic links need to be created. Assuming that the SlashGrid option --local-root has the value /var/www/html, then:

/var/www/html/etc/localtime -> /etc/localtime
/var/www/html/etc/passwd -> /etc/passwd
/var/www/html/etc/grid-security/certificates -> /etc/grid-security/certificates/
/var/www/html/etc/.gacl

where the final entry, .gacl, is a GACL file that allows any user to list and read the files (including root, which has no DN):

<?xml version="1.0"?>
<gacl version="0.0.1">
<entry>
<any-user/>
<allow><list/><read/></allow>
</entry>
</gacl>

SlashGrid's local filesystem hides the fact that the /etc files are really symbolic links (which GridFTP doesn't like).

With this done, URLs like gsiftp://host.name:2811/file.txt map to /grid/local/file.txt, which in turn maps to /var/www/html/file.txt, consistent with http://host.name:777/file.txt etc. if /var/www/html is the Apache DocumentRoot. The rest of the / filesystem on the host isn't accessible via GridFTP.
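The setup above (ftpaccess guest lines, the symbolic links under the SlashGrid local root, and the .gacl) as a repeatable script with a check function, added here as an example; it is not part of Globus, VDT or SlashGrid, and the function names and path arguments are assumptions mirroring the page.

```sh
#!/bin/sh
# Builds the chroot skeleton under the SlashGrid --local-root directory and
# writes the .gacl that lets any user list and read the files in its etc/.
# Path arguments are assumptions chosen to mirror the page; nothing here is
# part of Globus, VDT or SlashGrid.

# enable_guest_chroot <src-ftpaccess> <dst-ftpaccess> <guest-root>
# Copies the Globus ftpaccess into place and appends the two guest lines.
enable_guest_chroot() {
  cp "$1" "$2" || return 1
  printf 'guestgroup *\nguest-root %s\n' "$3" >> "$2"
}

# setup_gridftp_chroot <local-root>   e.g. /var/www/html
setup_gridftp_chroot() {
  root="$1"
  mkdir -p "$root/etc/grid-security" || return 1
  # GridFTP needs these host files inside the jail. Remove any stale link
  # first so re-running the script never creates a link inside the target.
  for f in etc/localtime etc/passwd etc/grid-security/certificates; do
    rm -f "$root/$f"
    ln -s "/$f" "$root/$f" || return 1
  done
  cat > "$root/etc/.gacl" <<'EOF'
<?xml version="1.0"?>
<gacl version="0.0.1">
<entry>
<any-user/>
<allow><list/><read/></allow>
</entry>
</gacl>
EOF
}

# check_gridftp_chroot <local-root>: 0 when every entry the page requires is
# present and the GACL grants any-user access, else 1 (missing items listed).
check_gridftp_chroot() {
  root="$1"; rc=0
  for f in etc/localtime etc/passwd etc/grid-security/certificates; do
    [ -L "$root/$f" ] || { echo "missing symlink: $root/$f"; rc=1; }
  done
  if [ -f "$root/etc/.gacl" ]; then
    grep -q '<any-user/>' "$root/etc/.gacl" || { echo ".gacl has no any-user entry"; rc=1; }
  else
    echo "missing $root/etc/.gacl"; rc=1
  fi
  return $rc
}
```

Run setup_gridftp_chroot against the --local-root and check_gridftp_chroot afterwards (and after any SlashGrid or Globus upgrade) to confirm the jail still contains exactly the entries GridFTP needs.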