FTP problem in 7.3 ? WU-FTP 2.6

Posted on 2002-07-01
Last Modified: 2013-12-15
I have set up a 7.3 Linux box with customer installation. During the installation, I disabled the firewall session and added the WU-FTP service.

Problem is:

I am unable to point my user to a predefined directory, and it always mentions that access restrictions apply.

e.g. BIND user with bind group

530 Please login with USER and PASS.
ftp> user bind
331 Password required for bind.
Password:
230 User bind logged in.  Access restrictions apply.
ftp> pwd
257 "/" is current directory.
ftp> ls


1) no firewall setup is applied
2) remove etc/security
3) remove etc/ftpuser (root)

It seems that there is no problem in 7.1/7.2 but it does not do the same thing in 7.3

It may be a problem with the ftpd config, but I do not have any idea how to make this work.

220 localhost.localdomain FTP server (Version wu-2.6.2-5) ready.

Please advise

Edmund
Question by:edmundli
 
LVL 4

Expert Comment

by:MFCRich
ID: 7124454
Does the user 'bind' have a home directory listed in '/etc/passwd'? Are you sure you want him to?
0
 

Author Comment

by:edmundli
ID: 7124602
yes, bind is just an example.

does it relate to chroot etc ...
0
 
LVL 20

Expert Comment

by:Gns
ID: 7129767
Yes, there seems to have been a shift so that in RH7.3, all users get locked into their home directory with chroot by default.

Unfortunately, I don't have RH7.3 installed on any machine nearby, so I can't check exactly what to change where.

Probably something in /etc/ftp* though:-)

-- Glenn

0

 

Author Comment

by:edmundli
ID: 7129989
It may happen in 7.2 as well.

I had checked ftpaccess, but I am not sure what part has to be changed.
0
 
LVL 20

Expert Comment

by:Gns
ID: 7129998
Could you show us the content of /etc/ftpaccess? Something might "jump out" to fresh eyes(;).

-- Glenn
0
 

Author Comment

by:edmundli
ID: 7133105
# This file controls the behavior of the wu-ftpd
# ftp server.
#
# If you're looking for a graphical frontend to
# editing it, try kwuftpd from the kdeadmin
# package.

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# Chroot all users to their home directory by default
# (comment this out if you don't want to chroot most of your users)
guestuser *
# If you wish to allow user1 and user2 to access other
# directories, use the line below:
# realuser user1,user2


# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
"ftpaccess" 72L, 1906C                                        7,0-1         Top

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# Chroot all users to their home directory by default
# (comment this out if you don't want to chroot most of your users)
guestuser *
# If you wish to allow user1 and user2 to access other
# directories, use the line below:
# realuser user1,user2


# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
"ftpaccess" 72L, 1906C                                        7,0-1         Top

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# Chroot all users to their home directory by default
# (comment this out if you don't want to chroot most of your users)
guestuser root *
# If you wish to allow user1 and user2 to access other
# directories, use the line below:
# realuser user1,user2


# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
"ftpaccess" 72L, 1906C                                        7,0-1         Top

0
 
LVL 20

Expert Comment

by:Gns
ID: 7138938
OK edmundli, this one's real simple, as it turns out.

You can do one of the following two things:

in /etc/ftpaccess EITHER
comment out the line(s) with "guestuser <whatever> *" (or simply remove the wildcard character "*" from the line(s). Your cut'n'paste looks a little ...strange... Hence the reference to "line(s)" :),

OR

Uncomment or otherwise add a "realuser <username to have 'real user access'>" line.

If you go with the first suggestion, you'll allow all users to access all files (well, normal permissions apply), and if you go with the second, only the select few you explicitly allow will be able to access "the entire system".

I'd go with the second.

-- Glenn
0
 

Author Comment

by:edmundli
ID: 7139472
I added the realuser line and restarted the server, but it is the same.


# This file controls the behavior of the wu-ftpd
# ftp server.
#
# If you're looking for a graphical frontend to
# editing it, try kwuftpd from the kdeadmin
# package.

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
# the ftpchroot group and add the user to it.
#
# You will need to setup the required applications
# and libraries in the root directory (set using
# guest-root).
#
# Look at the anonftp package for the files you'll need.
guestgroup ftpchroot

realuser        root
# User classes...
class   all  root,real,guest,anonymous  *

# Set this to your email address
email root@localhost

# Allow 5 mistyped passwords
loginfails 5

# Notify the users of README files at login and when
# changing to a different directory
readme  README*    login
readme  README*    cwd=*

# Messages displayed to the user
message /welcome.msg            login
message .message                cwd=*

# Allow on-the-fly compression and tarring
compress        yes             all
tar             yes             all

# Prevent anonymous users (and partially guest users)
# from executing dangerous commands
chmod           no              guest,anonymous
delete          no              anonymous
overwrite       no              anonymous
rename          no              anonymous

# Turn on logging to /var/log/xferlog
log transfers anonymous,guest,real inbound,outbound

# If /etc/shutmsg exists, don't allow logins
# see ftpshut man page
shutdown /etc/shutmsg

# Ask users to use their email address as anonymous
# password
passwd-check rfc822 warn
0
 
LVL 20

Expert Comment

by:Gns
ID: 7153702
Hmmmm, try it with a regular user, not root.

Also, there are several directives that pertain to root... I'll have to think on what the ramifications would be.

-- Glenn
0
 

Author Comment

by:edmundli
ID: 7282033
Any update on using root to establish an ftp session?
0
 
LVL 20

Expert Comment

by:Gns
ID: 7282279
The problem seems to be that you have a
deny-uid %-99 %65534-
deny-gid %-99 %65534-

which will deny user (and group) root (user id==0, group id ==0).
You could probably (I'm writing this at home, and my home LAN isn't working ATM... a NIC has ... toasted. I'll check tomorrow @work. Do remind me: I'm very busy (with Real Work) ATM, and could easily forget) just add similar "allow" lines as for ftp:
allow-uid root
allow-gid root

or just tag them on.

I'll try and remember to come back with a more definitive answer tomorrow.

Did it work for a regular user?

-- Glenn
0
 
LVL 20

Accepted Solution

by:
Gns earned 100 total points
ID: 7283487
OK, now I've checked. in ftpaccess:
allow-uid root ftp
allow-gid root ftp

Depending on PAM (check the "auth" entries (lines) in /etc/pam.d/ftp) you might also have to comment out root in /etc/ftpusers (or similar)... Reviewed question, I see you already covered that.

Sermon warning! Proceed at your own risk: It's generally not a good idea to let "system accounts", and particularly root accounts, be unrestricted in regards to ftp. If you truly have to have root-enabled ftp, look into turning it into SSH instead. sftp is a very nice (secure) alternative.
But of course, if you have this system on a nonpublic, secured network, there shouldn't be a problem with insecure usages of ftp.

-- Glenn
0
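
How the directives quoted in this thread interact, as an added example (not part of the original thread and not wu-ftpd's own code): a simplified Python model of the deny/allow and guest/real checks as the answers describe them. The accounts and the three configuration excerpts are constructed from the pastes above; PAM and /etc/ftpusers are not modelled.

```python
from collections import defaultdict

def parse_ftpaccess(text):
    """Collect directive -> list of arguments, skipping comments and blanks."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            cfg[fields[0]].extend(fields[1:])
    return cfg

def id_matches(token, name, number):
    """Match a name, '*', '%N', '%-N' (up to N), '%N-' (N and up) or '%A-B'."""
    if token == "*":
        return True
    if not token.startswith("%"):
        return token == name
    low, dash, high = token[1:].partition("-")
    if not dash:
        return number == int(low)
    return (not low or int(low) <= number) and (not high or number <= int(high))

def any_match(cfg, key, name, number):
    return any(id_matches(t, name, number) for t in cfg.get(key, []))

def login_decision(cfg, acct):
    """Return 'denied', 'guest' (chrooted to home) or 'real' for one account."""
    for kind, name, num in (("uid", acct["user"], acct["uid"]),
                            ("gid", acct["group"], acct["gid"])):
        # Assumption: a deny match blocks the login unless an allow line also matches.
        if any_match(cfg, "deny-" + kind, name, num) and \
           not any_match(cfg, "allow-" + kind, name, num):
            return "denied"
    guest = (any_match(cfg, "guestuser", acct["user"], acct["uid"])
             or any_match(cfg, "guestgroup", acct["group"], acct["gid"]))
    real = (any_match(cfg, "realuser", acct["user"], acct["uid"])
            or any_match(cfg, "realgroup", acct["group"], acct["gid"]))
    return "guest" if guest and not real else "real"

# Constructed excerpts: shipped default, the asker's edit, the accepted answer.
DENY = "deny-uid %-99 %65534-\ndeny-gid %-99 %65534-\n"
CONFIGS = {
    "shipped": DENY + "allow-uid ftp\nallow-gid ftp\nguestuser *\n",
    "edited": DENY + "allow-uid ftp\nallow-gid ftp\nguestgroup ftpchroot\nrealuser root\n",
    "accepted": DENY + "allow-uid root ftp\nallow-gid root ftp\nguestgroup ftpchroot\nrealuser root\n",
}
ROOT = {"user": "root", "uid": 0, "group": "root", "gid": 0}
ALICE = {"user": "alice", "uid": 500, "group": "alice", "gid": 500}  # hypothetical regular user

def demo():
    """Map each config name to (decision for root, decision for alice)."""
    return {n: tuple(login_decision(parse_ftpaccess(t), a) for a in (ROOT, ALICE))
            for n, t in CONFIGS.items()}
```

Running the same function over the accounts in /etc/passwd shows which system accounts a given ftpaccess lets through unchrooted, which is the exposure the accepted answer's closing paragraph warns about.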
 
LVL 20

Expert Comment

by:Gns
ID: 8613297
Um, you still out there edmundli?

-- Glenn
0
 

Expert Comment

by:CleanupPing
ID: 9086604
edmundli:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 20

Expert Comment

by:Gns
ID: 9087874
Here I'd say I'm both tenacious(sp?) and correct.

-- Glenn
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 9906239

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept GNS's answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

pjedmond
EE Cleanup Volunteer
0
