vsftp & user permissions


Something strange is happening on my system.

When I ftp into my server as a user, it chroots me to the home folder of the user, shows me the contents etc., allows me to upload, but allows no write. Only some of the system users are exhibiting this behaviour, while others work as they used to.

I have tried deleting the users that give me this problem, but the problem persists as soon as I add the user again.
Even new users do the same, i.e., I can FTP in, but cannot upload or delete files already in the folder.

NOTE: All the file permissions are checked. I have done a chmod -R 777 * on the files in the folder to make sure that it is not simply a matter of incorrect permission or ownership. Also, I can log into the system with the same username/password and all seems fine, i.e., I can create and delete files in the home folder with no problems, it's just when I ftp...

Does anyone have ideas?
At this stage it's not that bad, as the other users can still FTP etc., but if this is like a virus that will spread to other users, I need to come up with a solution fast.

vsftpd Configuration

vsftpd has three configuration files:
/etc/vsftpd.banned_emails -- List of denied anonymous addresses
/etc/vsftpd.chroot_list -- List of local users to chroot
/etc/vsftpd.conf -- General configuration options

To ban a certain anonymous email address such as "mozilla@", simply put it in this file. One address per line.  

To chroot a local user to their home directory, put their username in this file. One username per line. Please note this only matters if you:  

a) are allowing local users to login.  
b) have "chroot_local_user=NO" in /etc/vsftpd.conf  

The configuration options in the vsftpd.conf are commented quite well, so I will not go into much detail here. I will just note a few defaults:  

a) anonymous logins are enabled by default  
b) anonymous users are chrooted to '/home/ftpsecure'  
c) the daemon runs as the user 'ftpsecure'
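
The chroot rule described in the answer above, as an added example that is not part of the original post. It goes beyond the answer by also covering chroot_local_user=YES, where vsftpd treats the list as the users exempt from chroot; the chroot_list_enable option is not named in the post, and the sample config, list file and user names are constructed.

```shell
#!/bin/sh
# Added example: decide whether vsftpd would chroot a given local user.
# Assumes option values are written literally as YES or NO.

# conf_get FILE OPTION DEFAULT: last value set for OPTION, else DEFAULT.
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# chroot_state CONF LIST USER: prints "chrooted" or "not-chrooted".
chroot_state() {
    all=$(conf_get "$1" chroot_local_user NO)
    use_list=$(conf_get "$1" chroot_list_enable NO)
    listed=no
    if [ "$use_list" = YES ] && grep -qxF -- "$3" "$2" 2>/dev/null; then
        listed=yes
    fi
    # chroot_local_user=NO: the list names the users to chroot.
    # chroot_local_user=YES: the list names the users exempt from chroot.
    if [ "$all" = YES ]; then
        if [ "$listed" = yes ]; then echo not-chrooted; else echo chrooted; fi
    else
        if [ "$listed" = yes ]; then echo chrooted; else echo not-chrooted; fi
    fi
}

# Constructed sample files (not taken from a real server).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
printf '%s\n' '# list mode' 'local_enable=YES' 'chroot_local_user=NO' \
    'chroot_list_enable=YES' > "$SAMPLE/list.conf"
printf '%s\n' 'local_enable=YES' 'chroot_local_user=YES' \
    'chroot_list_enable=YES' > "$SAMPLE/all.conf"
printf '%s\n' 'alice' > "$SAMPLE/chroot_list"

for u in alice bob; do
    echo "list.conf $u: $(chroot_state "$SAMPLE/list.conf" "$SAMPLE/chroot_list" "$u")"
    echo "all.conf  $u: $(chroot_state "$SAMPLE/all.conf" "$SAMPLE/chroot_list" "$u")"
done
```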
psimation (Author) Commented:
I think you misunderstood me.

I already know all these things, and had everything working 100%. All my users were chrooted etc., but then I noticed that some of the users started to display funny behaviour, i.e. you can log in with ftp, but cannot upload or delete (I haven't changed anything on the system). Only some users do this. Again, I DON'T WANT THIS TO HAPPEN, i.e., I'm not looking for an explanation on how to have certain users chrooted and others not, I want ALL my users chrooted, and that is how it was. Clearly I have a problem in that the system/vsftp is NOT doing what it is supposed to/configured to do...

Maybe it's not a problem with the vsftp configuration, since as you said some users can log in normally and do normal things, right? Only some users have the problem.

Have you set up quotas for them? If yes, have you checked the quota status? Have those users used up the allowed disk space?
psimation (Author) Commented:
Nope, I've changed nothing at all to distinguish between users. All users are supposed to be handled the same...
I did notice in the passwd file that the one user that is affected used to be the first "system user", i.e. ID 500; now, in the file, it is the last. It is as if the user was deleted and created again, but that doesn't make sense: firstly, I sure didn't do it; secondly, if the system was hacked, why would the cracker delete the user, just to add it again with the same password? I then noticed that the file permissions (the old files that were in the folder already) belonged to user 500 (which was the correct ID for the user), but the new user has ID 597 for instance, so when I chown again, it gives better results.
BUT, it still won't allow me to overwrite...
What is the ownership of the users home directory? Did you do a "global" find... something like
find / -uid 500 -print0 | xargs -0 chown 597

-- Glenn
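
One way to check for the ownership drift discussed above before running a bulk chown, as an added example that is not part of the original posts. The UIDs 500 and 597 come from the thread; the user names, paths and the "uid path" listing format are constructed assumptions.

```shell
#!/bin/sh
# Added example: report files under a home directory whose numeric owner
# differs from the UID that the passwd file gives that home's user.
# On a live system the listing could come from GNU find:
#   find /home -xdev -printf '%U %p\n' > listing

# owner_drift PASSWD LISTING
# Prints "user passwd_uid file_uid path" for every mismatching path.
owner_drift() {
    awk '
        # First file (passwd): map home directory -> user, user -> uid.
        NR == FNR { split($0, f, ":"); home[f[6]] = f[1]; uid[f[1]] = f[3]; next }
        # Second file ("uid path" lines): find the longest matching home.
        {
            path = substr($0, length($1) + 2); best = ""
            for (h in home)
                if ((path == h || index(path, h "/") == 1) && length(h) > length(best))
                    best = h
            if (best != "" && uid[home[best]] != $1)
                print home[best], uid[home[best]], $1, path
        }
    ' "$1" "$2"
}

# Constructed sample data (not taken from a real server).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
webuser:x:597:597::/home/webuser:/bin/bash
EOF
cat > "$SAMPLE/listing" <<'EOF'
501 /home/alice
501 /home/alice/notes.txt
597 /home/webuser
500 /home/webuser/index.html
500 /home/webuser/old dir/a.txt
597 /home/webuser/new.txt
EOF

owner_drift "$SAMPLE/passwd" "$SAMPLE/listing"
```

A non-empty report for an account nobody re-created on purpose is worth treating as a possible integrity problem, not only a permissions one.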
... and you know everything about intrusions already psimation, so I'll not insult you by repeating it:-).

-- Glenn
psimation (Author) Commented:
Hi guys, I re-installed so all is well now. Think it was definitely due to some unscrupulous actions of a cracker rather than software/hardware failure.
I'd like to close this question. Methinks a delete is in order (this question will be of no help as a PAQ); any objections?

No objection for delete but remember to get the points refund (I think you know it already) anyway :)
psimation (Author) Commented:
OK, thanks, just waiting to hear from Gns and shiva
No objections at all.
Out of curiosity.... Do you employ any IDS (networked and/or hostbased)?

-- Glenn
Me too, you can close this question.
Glad things worked out for you.
psimation (Author) Commented:
Thanks guys

Hi Gns: none except for tripwire, but I think I disabled that many moons ago because it gave me too many hassles. I found their point of entry: They used an exploit in ncftp, so I wiped it and put vsftpd on.
Ah yes... The joys of making the security system "shut up" about non-intrusions ... and finally just getting fed up enough that one disables it:-)... Been there, and expect to be there again.
Good that you've got it sorted.
Be seeing you.

-- Glenn
Um, psimation should have a delete with refund...:-)

-- Glenn
Well, recommend PAQ'd with refund, some useful info here anyway.
Maybe you're right Paul... Definitely a refund though.

-- Glenn
Karl Heinz Kremer Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Please leave any comments here within the next four days.


EE Cleanup Volunteer
PAQed, with points refunded (125)

Community Support Cleanup Moderator
