FTP problem in 7.3 ? WU-FTP 2.6

Posted on 2002-07-01
Last Modified: 2013-12-15
I have set up a 7.3 Linux box with a custom installation. During the installation, I disabled the firewall session and added the WU-FTP service.

Problem is:

I am unable to point my user to a predefined directory, and it always mentions "access restrictions apply".

e.g. the bind user with the bind group

530 Please login with USER and PASS.
ftp> user bind
331 Password required for bind.
Password:
230 User bind logged in.  Access restrictions apply.
ftp> pwd
257 "/" is current directory.
ftp> ls


1) no firewall setup is applied
2) remove etc/security
3) remove etc/ftpuser (root)

It seems that there is no problem in 7.1/7.2, but it does not do the same thing in 7.3.

It may be a problem with the ftpd config, but I do not have any idea how to make this work.

220 localhost.localdomain FTP server (Version wu-2.6.2-5) ready.

Please advise

Edmund
Question by:edmundli

Expert Comment

by:MFCRich
ID: 7124454
Does the user 'bind' have a home directory listed in '/etc/passwd'? Are you sure you want him to?

Author Comment

by:edmundli
ID: 7124602
Yes, bind is just an example.

Does it relate to chroot etc.?

Expert Comment

by:Gns
ID: 7129767
Yes, there seems to have been a shift so that in RH7.3 all users get locked into their home directory with chroot by default.

Unfortunately, I don't have RH7.3 installed on any machine nearby, so I can't check exactly what to change where.

Probably something in /etc/ftp* though:-)

-- Glenn


Author Comment

by:edmundli
ID: 7129989
It may happen in 7.2 as well.

I had checked ftpaccess, but I am not sure what part has to be changed.

Expert Comment

by:Gns
ID: 7129998
Could you show us the content of /etc/ftpaccess? Something might "jump out" to fresh eyes(;).

-- Glenn

Author Comment

by:edmundli
ID: 7133105
# This file controls the behavior of the wu-ftpd
# ftp server.
#
# If you're looking for a graphical frontend to
# editing it, try kwuftpd from the kdeadmin
# package.

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# Chroot all users to their home directory by default
# (comment this out if you don't want to chroot most of your users)
guestuser *
# If you wish to allow user1 and user2 to access other
# directories, use the line below:
# realuser user1,user2


# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# Chroot all users to their home directory by default
# (comment this out if you don't want to chroot most of your users)
guestuser root *
# If you wish to allow user1 and user2 to access other
# directories, use the line below:
# realuser user1,user2


# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create

Expert Comment

by:Gns
ID: 7138938
OK edmundli, this one's real simple, as it turns out.

You can do one of the following two things:

in /etc/ftpaccess EITHER
comment out the line(s) with "guestuser <whatever> *" (or simply remove the wildcard character "*" from the line(s)). Your cut'n'paste looks a little ...strange... Hence the reference to "line(s)" :),

OR

Uncomment or otherwise add a "realuser <username to have 'real user access'>" line.

If you go with the first suggestion, you'll allow all users to access all files (well, normal permissions apply), and if you go with the second, only the select few you explicitly allow will be able to access "the entire system".

I'd go with the second.

-- Glenn

Author Comment

by:edmundli
ID: 7139472
I had added the realuser line and restarted the server, but it is the same.


# This file controls the behavior of the wu-ftpd
# ftp server.
#
# If you're looking for a graphical frontend to
# editing it, try kwuftpd from the kdeadmin
# package.

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
# the ftpchroot group and add the user to it.
#
# You will need to setup the required applications
# and libraries in the root directory (set using
# guest-root).
#
# Look at the anonftp package for the files you'll need.
guestgroup ftpchroot

realuser        root
# User classes...
class   all  root,real,guest,anonymous  *

# Set this to your email address
email root@localhost

# Allow 5 mistyped passwords
loginfails 5

# Notify the users of README files at login and when
# changing to a different directory
readme  README*    login
readme  README*    cwd=*

# Messages displayed to the user
message /welcome.msg            login
message .message                cwd=*

# Allow on-the-fly compression and tarring
compress        yes             all
tar             yes             all

# Prevent anonymous users (and partially guest users)
# from executing dangerous commands
chmod           no              guest,anonymous
delete          no              anonymous
overwrite       no              anonymous
rename          no              anonymous

# Turn on logging to /var/log/xferlog
log transfers anonymous,guest,real inbound,outbound

# If /etc/shutmsg exists, don't allow logins
# see ftpshut man page
shutdown /etc/shutmsg

# Ask users to use their email address as anonymous
# password
passwd-check rfc822 warn

Expert Comment

by:Gns
ID: 7153702
Hmmmm, try it with a regular user, not root.

Also, there are several directives that pertain to root... I'll have to think on what the ramifications would be.

-- Glenn

Author Comment

by:edmundli
ID: 7282033
Any update on using root to establish an ftp session?

Expert Comment

by:Gns
ID: 7282279
The problem seems to be that you have a
deny-uid %-99 %65534-
deny-gid %-99 %65534-

which will deny user (and group) root (user id==0, group id ==0).
You could probably (I'm writing this at home, and my home LAN isn't working ATM... a NIC has ... toasted. I'll check tomorrow @work. Do remind me: I'm very busy (with Real Work) ATM, and could easily forget) just add similar "allow" lines as for ftp:
allow-uid root
allow-gid root

or just tag them on.

I'll try and remember to come back with a more definitive answer tomorrow.

Did it work for a regular user?

-- Glenn

Accepted Solution

by:
Gns earned 100 total points
ID: 7283487
OK, now I've checked. In ftpaccess:
allow-uid root ftp
allow-gid root ftp

Depending on PAM (check the "auth" entries (lines) in /etc/pam.d/ftp) you might also have to comment out root in /etc/ftpusers (or similar)... Reviewing the question, I see you already covered that.

Sermon warning! Proceed at your own risk: It's generally not a good idea to let "system accounts", and particularly root accounts, be unrestricted in regards to ftp. If you truly have to have root-enabled ftp, look into turning it into SSH instead. sftp is a very nice (secure) alternative.
But of course, if you have this system on a nonpublic, secured network, there shouldn't be a problem with insecure usages of ftp.

-- Glenn

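The two answers above (the guestuser/realuser diagnosis and the accepted allow-uid/allow-gid fix) are easier to reason about with the ftpaccess rules written out as code. The following is an added example for this thread, not code from wu-ftpd or from any poster. It models only the directives the thread touches, using the ftpaccess(5) semantics for wu-ftpd 2.6: an id token is a name, "%n" or a range "%lo-hi" with either bound optional; allow-uid/allow-gid override deny-uid/deny-gid; realuser/realgroup override guestuser/guestgroup; "*" in guestuser matches everyone. It assumes (simplifications, not from the page) that only the primary gid is tested against deny-gid/allow-gid and that /etc/ftpusers via pam_listfile is not modelled; the passwd/group table and the two sample ftpaccess fragments are constructed inline so it runs without a wu-ftpd install.

```python
"""wu-ftpd ftpaccess(5) login-policy checker (added example, not wu-ftpd code).

For one account it answers: is the login refused by deny-uid/deny-gid, and
if not, is the session chrooted to $HOME ("Access restrictions apply")?
"""

# Constructed passwd/group data for the example; only root=0 matters for
# the thread's problem. Not read from the live system.
PASSWD = {            # name -> (uid, primary gid)
    "root":   (0, 0),
    "ftp":    (14, 50),
    "bind":   (25, 25),
    "edmund": (500, 500),
    "webdev": (501, 501),
}
GROUPS = {"root": 0, "ftp": 50, "bind": 25, "edmund": 500,
          "webdev": 501, "ftpchroot": 600}            # name -> gid
SUPPLEMENTARY = {"ftpchroot": {"webdev"}}              # group -> extra members
UID_MAX = 2**32 - 1

# The file as pasted earlier in the thread: system accounts refused,
# everybody else chrooted by the wildcard guestuser line.
ORIGINAL = """\
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp
guestuser *
guestgroup ftpchroot
"""

# The accepted answer: root let back in via allow-uid/allow-gid and given
# real (unchrooted) access; only ftpchroot members stay chrooted.
FIXED = """\
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid root ftp
allow-gid root ftp
guestgroup ftpchroot
realuser root
"""


def parse_ftpaccess(text):
    """Return [(keyword, [args...])] for every non-comment, non-empty line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            kw, *args = line.split()
            rules.append((kw, args))
    return rules


def id_range(token, names):
    """Expand one uid/gid token into an inclusive (lo, hi) pair.

    "%-99" -> (0, 99); "%65534-" -> (65534, UID_MAX); "%500" -> (500, 500);
    a bare name is looked up in `names` (KeyError if unknown).
    """
    if not token.startswith("%"):
        return names[token], names[token]
    body = token[1:]
    if "-" not in body:
        return int(body), int(body)
    lo, hi = body.split("-", 1)
    return (int(lo) if lo else 0), (int(hi) if hi else UID_MAX)


def id_matches(rules, keyword, value, names):
    """True if any token on any `keyword` line covers numeric id `value`."""
    return any(lo <= value <= hi
               for kw, args in rules if kw == keyword
               for lo, hi in (id_range(tok, names) for tok in args))


def names_in(rules, keyword):
    """All tokens appearing on lines with the given keyword."""
    return {tok for kw, args in rules if kw == keyword for tok in args}


def groups_of(user):
    """Primary group name plus supplementary memberships for `user`."""
    _, gid = PASSWD[user]
    primary = {g for g, n in GROUPS.items() if n == gid}
    extra = {g for g, members in SUPPLEMENTARY.items() if user in members}
    return primary | extra


def evaluate(config_text, user):
    """Return 'denied', 'chrooted' or 'full' for `user` under `config_text`."""
    uid, gid = PASSWD[user]
    rules = parse_ftpaccess(config_text)
    uids = {name: u for name, (u, _) in PASSWD.items()}

    # Step 1: id-based refusal. allow-* beats deny-*; a denied uid OR a
    # denied primary gid (assumption: primary only) refuses the login.
    uid_denied = (id_matches(rules, "deny-uid", uid, uids)
                  and not id_matches(rules, "allow-uid", uid, uids))
    gid_denied = (id_matches(rules, "deny-gid", gid, GROUPS)
                  and not id_matches(rules, "allow-gid", gid, GROUPS))
    if uid_denied or gid_denied:
        return "denied"

    # Step 2: chroot decision. realuser/realgroup override guestuser/guestgroup.
    mygroups = groups_of(user)
    if user in names_in(rules, "realuser") or mygroups & names_in(rules, "realgroup"):
        return "full"
    guests = names_in(rules, "guestuser")
    if "*" in guests or user in guests or mygroups & names_in(rules, "guestgroup"):
        return "chrooted"
    return "full"


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"--- {label} ftpaccess ---")
        for name in PASSWD:
            print(f"{name:8s} {evaluate(cfg, name)}")
```

Under ORIGINAL, root and bind come back "denied" (uid 0 and 25 both fall inside %-99 and nothing allows them back), while edmund is "chrooted" by guestuser *, which is exactly the "Access restrictions apply" behaviour in the question. Under FIXED, root is "full", edmund is "full", and only webdev (a member of the constructed ftpchroot group) stays "chrooted"; bind is still refused, because the fix only added root to the allow lists.

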
Expert Comment

by:Gns
ID: 8613297
Um, you still out there edmundli?

-- Glenn

Expert Comment

by:CleanupPing
ID: 9086604
edmundli:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.

Expert Comment

by:Gns
ID: 9087874
Here I'd say I'm both tenacious(sp?) and correct.

-- Glenn

Expert Comment

by:pjedmond
ID: 9906239

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept GNS's answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

pjedmond
EE Cleanup Volunteer