Solved

FTP problem in 7.3 ? WU-FTP 2.6

Posted on 2002-07-01
Last Modified: 2013-12-15
I have set up a 7.3 Linux box with a custom installation. During the installation, I disabled the firewall session and added the WU-FTP service.

Problem is:

I am unable to point my user to a predefined directory, and it always mentions that access restrictions apply.

e.g. BIND user with bind group

530 Please login with USER and PASS.
ftp> user bind
331 Password required for bind.
Password:
230 User bind logged in.  Access restrictions apply.
ftp> pwd
257 "/" is current directory.
ftp> ls


1) no firewall setup is applied
2) remove etc/security
3) remove etc/ftpuser (root)

It seems that there is no problem in 7.1/7.2 but it does not do the same thing in 7.3

It may be a problem with the ftpd config, but I do not have any idea how to make this work.

220 localhost.localdomain FTP server (Version wu-2.6.2-5) ready.

Please advise

Edmund
0
Comment
Question by:edmundli
17 Comments
 
LVL 4

Expert Comment

by:MFCRich
ID: 7124454
Does the user 'bind' have a home directory listed in '/etc/passwd'? Are you sure you want him to?
0
 

Author Comment

by:edmundli
ID: 7124602
yes, bind is just an example.

does it relate to chroot etc ...
0
 
LVL 20

Expert Comment

by:Gns
ID: 7129767
Yes, there seems to have been a shift so that in RH7.3, all users get locked into their home directory with chroot by default.

Unfortunately, I don't have RH7.3 installed on any machine nearby, so I can't check exactly what to change where.

Probably something in /etc/ftp* though:-)

-- Glenn

0

 

Author Comment

by:edmundli
ID: 7129989
It may happen in 7.2 as well.

I had checked ftpaccess, but I am not sure what part has to be changed.
0
 
LVL 20

Expert Comment

by:Gns
ID: 7129998
Could you show us the content of /etc/ftpaccess? Something might "jump out" to fresh eyes(;).

-- Glenn
0
 

Author Comment

by:edmundli
ID: 7133105
# This file controls the behavior of the wu-ftpd
# ftp server.
#
# If you're looking for a graphical frontend to
# editing it, try kwuftpd from the kdeadmin
# package.

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# Chroot all users to their home directory by default
# (comment this out if you don't want to chroot most of your users)
guestuser *
# If you wish to allow user1 and user2 to access other
# directories, use the line below:
# realuser user1,user2


# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
"ftpaccess" 72L, 1906C                                        7,0-1         Top

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# Chroot all users to their home directory by default
# (comment this out if you don't want to chroot most of your users)
guestuser *
# If you wish to allow user1 and user2 to access other
# directories, use the line below:
# realuser user1,user2


# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
"ftpaccess" 72L, 1906C                                        7,0-1         Top




# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# Chroot all users to their home directory by default
# (comment this out if you don't want to chroot most of your users)
guestuser root *
# If you wish to allow user1 and user2 to access other
# directories, use the line below:
# realuser user1,user2


# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
"ftpaccess" 72L, 1906C                                        7,0-1         Top
0
 
LVL 20

Expert Comment

by:Gns
ID: 7138938
OK edmundli, this one's real simple, as it turns out.

You can do one of the following two things:

in /etc/ftpaccess EITHER
comment out the line(s) with "guestuser <whatever> *" (or simply remove the wildcard character "*" from the line(s). Your cut'n'paste looks a little ...strange... Hence the reference to "line(s)" :),

OR

Uncomment or otherwise add a "realuser <username to have 'real user access'>" line.

If you go with the first suggestion, you'll allow all users to access all files (well, normal permissions apply), and if you go with the second, only the select few you explicitly allow will be able to access "the entire system".

I'd go with the second.

-- Glenn
0
 

Author Comment

by:edmundli
ID: 7139472
I had added the realuser line and restarted the server, but it is the same.


# This file controls the behavior of the wu-ftpd
# ftp server.
#
# If you're looking for a graphical frontend to
# editing it, try kwuftpd from the kdeadmin
# package.

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
# the ftpchroot group and add the user to it.
#
# You will need to setup the required applications
# and libraries in the root directory (set using
# guest-root).
#
# Look at the anonftp package for the files you'll need.
guestgroup ftpchroot

realuser        root
# User classes...
class   all  root,real,guest,anonymous  *

# Set this to your email address
email root@localhost

# Allow 5 mistyped passwords
loginfails 5

# Notify the users of README files at login and when
# changing to a different directory
readme  README*    login
readme  README*    cwd=*

# Messages displayed to the user
message /welcome.msg            login
message .message                cwd=*

# Allow on-the-fly compression and tarring
compress        yes             all
tar             yes             all

# Prevent anonymous users (and partially guest users)
# from executing dangerous commands
chmod           no              guest,anonymous
delete          no              anonymous
overwrite       no              anonymous
rename          no              anonymous

# Turn on logging to /var/log/xferlog
log transfers anonymous,guest,real inbound,outbound

# If /etc/shutmsg exists, don't allow logins
# see ftpshut man page
shutdown /etc/shutmsg

# Ask users to use their email address as anonymous
# password
passwd-check rfc822 warn
0
 
LVL 20

Expert Comment

by:Gns
ID: 7153702
Hmmmm, try it with a regular user, not root.

Also, there are several directives that pertain to root... I'll have to think on what the ramifications would be.

-- Glenn
0
 

Author Comment

by:edmundli
ID: 7282033
Any update on using root to establish an ftp session?
0
 
LVL 20

Expert Comment

by:Gns
ID: 7282279
The problem seems to be that you have a
deny-uid %-99 %65534-
deny-gid %-99 %65534-

which will deny user (and group) root (user id==0, group id ==0).
You could probably (I'm writing this at home, and my home LAN isn't working ATM... a NIC has ... toasted. I'll check tomorrow @work. Do remind me: I'm very busy (with Real Work) ATM, and could easily forget) just add similar "allow" lines as for ftp:
allow-uid root
allow-gid root

or just tag them on.

I'll try and remember to come back with a more definitive answer tomorrow.

Did it work for a regular user?

-- Glenn
0
 
LVL 20

Accepted Solution

by:
Gns earned 100 total points
ID: 7283487
OK, now I've checked. in ftpaccess:
allow-uid root ftp
allow-gid root ftp

Depending on PAM (check the "auth" entries (lines) in /etc/pam.d/ftp) you might also have to comment out root in /etc/ftpusers (or similar)... Reviewed question, I see you already covered that.

Sermon warning! Proceed at your own risk: It's generally not a good idea to let "system accounts", and particularly root accounts, be unrestricted in regards to ftp. If you truly have to have root-enabled ftp, look into turning it into SSH instead. sftp is a very nice (secure) alternative.
But of course, if you have this system on a nonpublic, secured network, there shouldn't be a problem with insecure usages of ftp.

-- Glenn
0
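
An added example, not part of the original thread or of wu-ftpd itself: a small Python model of how the ftpaccess directives discussed above combine, for auditing which accounts a config edit would deny, chroot as guest, or admit as real users. The sample config, the accounts table, the primary-group-only membership test and the separate uid/gid checks are assumptions of this sketch.

```python
import re

# Constructed ftpaccess excerpt using the directives quoted in the thread.
SAMPLE = """\
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp
guestuser *
realuser alice
"""
# Constructed accounts: name -> (uid, gid, primary group name).
ACCOUNTS = {"root": (0, 0, "root"), "ftp": (14, 50, "ftp"),
            "alice": (500, 500, "alice"), "bob": (501, 501, "bob")}

def parse(text):
    """Map each directive to its arguments, skipping comments and blanks."""
    rules = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].replace(",", " ").split()
        if fields:
            rules.setdefault(fields[0], []).extend(fields[1:])
    return rules

def matches(token, name, number):
    """'*' is a wildcard; '%N', '%-N', '%N-', '%A-B' are numeric; else a name."""
    if not token.startswith("%"):
        return token in ("*", name)
    m = re.fullmatch(r"(\d*)(-?)(\d*)", token[1:])
    if not m or not (m.group(1) or m.group(3)):
        return False
    lo, dash, hi = m.groups()
    hi = hi if dash else lo  # a bare '%N' is the single value N
    return (not lo or number >= int(lo)) and (not hi or number <= int(hi))

def hit(rules, key, name, number):
    return any(matches(t, name, number) for t in rules.get(key, []))

def classify(rules, user, accounts=ACCOUNTS):
    """Return 'denied', 'guest' (chrooted) or 'real' for one account."""
    uid, gid, group = accounts[user]
    # Assumption: uid and gid are checked separately, each deny needs its own allow.
    for kind, name, num in (("uid", user, uid), ("gid", group, gid)):
        if hit(rules, "deny-" + kind, name, num) and not hit(rules, "allow-" + kind, name, num):
            return "denied"
    guest = hit(rules, "guestuser", user, uid) or hit(rules, "guestgroup", group, gid)
    real = hit(rules, "realuser", user, uid) or hit(rules, "realgroup", group, gid)
    return "guest" if guest and not real else "real"
```

Running `classify(parse(text), name)` over every account before and after an edit shows exactly which logins the change opens up, which is the review the "sermon" above calls for when root or other system accounts are involved.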
 
LVL 20

Expert Comment

by:Gns
ID: 8613297
Um, you still out there edmundli?

-- Glenn
0
 

Expert Comment

by:CleanupPing
ID: 9086604
edmundli:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 20

Expert Comment

by:Gns
ID: 9087874
Here I'd say I'm both tenacious(sp?) and correct.

-- Glenn
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 9906239

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept GNS's answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

pjedmond
EE Cleanup Volunteer
0
