Solved

How-to configure Proftpd

Posted on 2005-03-21
Last Modified: 2008-02-01
I'm trying to configure Proftpd to allow only specific users, specific access to specific folders. Here is what I need to do:

Folder structure:

/home/ftp/
/home/ftp/pub/
/home/ftp/pub/internal/
/home/ftp/pub/external/
/home/ftp/pub/incoming/
/home/ftp/pub/outgoing/

I need the user 'employee' to have read/write access to all folders within pub.
I need the user 'external' to have read/write access to the external folder only and no access to the remaining folders.
I need the user 'customer' to have read-only access to the outgoing folder and write-only access to the incoming folder.

I would like to handle all of the security via directives within the proftpd.conf file rather than folder permissions.

Thank you in advance,
Adam


Question by:verbal11
Expert Comment by pablouruguay (ID: 13593789)

Here you have a .conf example to do this.
Check the zone like VIRTUAL HOST at the end of this file.



# Set the user and group under which the server will run.  This example
# runs the daemon as root, which is more privilege than it needs; the
# stock configuration uses an unprivileged pair such as nobody/ftp.
# (Because the <VirtualHost> wrapper further down is commented out, the
# User/Group lacnicftp lines there end up in this same server context.)
User                            root
Group                           root
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use).  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD EXP Installation"
ServerType                      standalone
DefaultServer                   on

# Port 21 is the standard FTP port (set further down); the alternate
# port below is disabled.
#Port                            27

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# (3 here).  If you need to allow more concurrent connections at once,
# simply increase this value.  Note that this ONLY works in standalone
# mode; in inetd mode you should use an inetd server that allows you to
# limit the maximum number of processes per service (such as xinetd).
MaxInstances                    3

# Normally, we want files to be overwriteable.
<Directory /home/lacnicftp>
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories (disabled here).
#<Anonymous ~ftp>
#  User                         ftp
#  Group                        ftp
#
#  # We want clients to be able to login with "anonymous" as well as "ftp"
#  UserAlias                    anonymous ftp
#
#  # Limit the maximum number of anonymous logins
#  MaxClients                   10
#
#  # We want 'welcome.msg' displayed at login, and '.message' displayed
#  # in each newly chdired directory.
#  DisplayLogin                 welcome.msg
#  DisplayFirstChdir            .message
#
#  # Limit WRITE everywhere in the anonymous chroot
#  <Limit WRITE>
#    DenyAll
#  </Limit>
#</Anonymous>

# The <VirtualHost> tags are commented out, so these directives apply to
# the main server rather than to a separate virtual host.
#<VirtualHost lacnic.net.uy>
Port 21
ServerAdmin             pablo@lacnic.net
ServerName              "LACNIC - Uruguay"
TransferLog             /var/log/ftp.lacnic
MaxLoginAttempts        3
RequireValidShell       yes
DefaultRoot             /home/lacnicftp/
User                    lacnicftp
Group                   lacnicftp
AllowOverwrite          yes
LoginPasswordPrompt     off "Wibble"
#</VirtualHost>

<Global>
#DefaultChdir /home/lacnicftp/
# Jail every user in their own home directory
DefaultRoot ~
HiddenStor off
ShowSymlinks on
#ShowDotFiles off
</Global>

 
Author Comment by verbal11 (ID: 13594966)

This is what I have done, but all users still have full access to all directories. I have set up all three of these users' home directories as /home/ftp/:

# All three users have /home/ftp as home, so ~/pub is /home/ftp/pub.
# Only the READ and WRITE command groups are limited in these blocks;
# the DIRS group (CWD, LIST, NLST) is not covered by any of them.
<Directory ~/pub>
  <Limit READ>
    AllowAll
  </Limit>
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>

# Incoming: everyone except 'external' may read and write
<Directory ~/pub/Incoming>
    <Limit READ>
      Order deny,allow
      DenyAll
      AllowUser !external
    </Limit>
    <Limit WRITE>
      Order deny,allow
      DenyAll
      AllowUser !external
    </Limit>
</Directory>

# Outgoing: everyone except 'external' may read; only 'employee' may write
<Directory ~/pub/Outgoing>
    <Limit READ>
      Order deny,allow
      DenyAll
      AllowUser !external
    </Limit>
    <Limit WRITE>
      Order deny,allow
      DenyAll
      AllowUser employee
    </Limit>
</Directory>

# External: everyone except 'customer' may read and write
<Directory ~/pub/External>
    <Limit READ>
      Order deny,allow
      DenyAll
      AllowUser !customer
    </Limit>
    <Limit WRITE>
      Order deny,allow
      DenyAll
      AllowUser !customer
    </Limit>
</Directory>

# Internal: only 'employee' may read and write
<Directory ~/pub/Internal>
    <Limit READ>
      Order deny,allow
      DenyAll
      AllowUser employee
    </Limit>
    <Limit WRITE>
      Order deny,allow
      DenyAll
      AllowUser employee
    </Limit>
</Directory>
 
Expert Comment by pablouruguay (ID: 13599675)

Try adding this to <Global>:

DefaultChdir /home/pub/   <---------- your public directory
Expert Comment by pablouruguay (ID: 13867068)

No comments about this?
 
Author Comment by verbal11 (ID: 15204120)

Sorry... I didn't realize I still had this question open. I solved this a while back. I believe what I had to do was explicitly define all permissions on the sub-directories rather than use READ/WRITE. So my .conf file ended up looking like this:

# Top level: everyone may read, nobody may write.
<Directory /home/ftp>
  <Limit READ>
    AllowAll
  </Limit>
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>

# Per-folder rules.  Each block first refuses everything with
# <Limit ALL> DenyAll and then re-opens individual commands or command
# groups for named users: a limit on a named command outranks one on a
# group (READ/WRITE/DIRS), and ALL has the lowest precedence.
# 'update' and 'cwuser' are the account names actually used here.
# UserOwner/GroupOwner make files uploaded into the folder owned by ftp:ftp.
<Directory /home/ftp/pub/Incoming>
    UserOwner ftp
    GroupOwner ftp
    <Limit ALL>
      DenyAll
    </Limit>
    # 'update' may change into the folder, upload, and list it.
    # (The listing command is NLST; the original had NLIST, which is
    # not an FTP command.)
    <Limit CDUP CWD STOU STOR LIST NLST>
      AllowUser update
    </Limit>
    # 'cwuser' gets full read/write/list access.
    <Limit READ WRITE DIRS>
      AllowUser cwuser
    </Limit>
</Directory>

<Directory /home/ftp/pub/Outgoing>
    UserOwner ftp
    GroupOwner ftp
    <Limit ALL>
      DenyAll
    </Limit>
    # 'update' may only download and list.
    <Limit READ DIRS>
      AllowUser update
    </Limit>
    <Limit READ WRITE DIRS>
      AllowUser cwuser
    </Limit>
</Directory>

<Directory /home/ftp/pub/External>
    UserOwner ftp
    GroupOwner ftp
    <Limit ALL>
      DenyAll
    </Limit>
    # 'external' may read, list, create directories and upload.  DELE and
    # RMD are not opened, so they fall through to <Limit ALL> and are
    # refused; note that RNTO without RNFR does not let a rename complete.
    <Limit READ DIRS MKD RNTO STOR STOU XMKD>
      AllowUser external
    </Limit>
    <Limit READ WRITE DIRS>
      AllowUser cwuser
    </Limit>
</Directory>
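Added example, not from the original thread: a proftpd.conf fragment that implements the access matrix exactly as the question states it (employee read/write everywhere under pub, external read/write in external only, customer read-only in outgoing and upload-only in incoming), using the three user names and the lowercase folder names the question gives. It assumes all three accounts have /home/ftp as their home directory, and it relies on ProFTPD's documented Limit precedence (a limit on a named command outranks one on the READ/WRITE/DIRS groups, and ALL ranks lowest) together with the default Order allow,deny, so each AllowUser line is checked before the DenyAll that closes its block.

```apacheconf
# Added example: chroot every login into its home directory.  The three
# accounts (employee, external, customer) are assumed to share /home/ftp
# as home, so "/" as seen by the client is /home/ftp.
DefaultRoot ~

# Top level: navigation only, for everybody.  Anything not re-opened
# below falls through to <Limit ALL> and is refused.
<Directory /home/ftp>
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit DIRS>
    AllowUser employee
    AllowUser external
    AllowUser customer
    DenyAll
  </Limit>
</Directory>

# pub itself: employee gets full read/write; the other two may only list
# and cd here so that they can reach their own folders.  These rules also
# cover any sub-folder that has no block of its own.
<Directory /home/ftp/pub>
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit READ WRITE>
    AllowUser employee
    DenyAll
  </Limit>
  <Limit DIRS>
    AllowUser employee
    AllowUser external
    AllowUser customer
    DenyAll
  </Limit>
</Directory>

# internal: employee only.
<Directory /home/ftp/pub/internal>
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit READ WRITE DIRS>
    AllowUser employee
    DenyAll
  </Limit>
</Directory>

# external: employee and external, read/write.
<Directory /home/ftp/pub/external>
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit READ WRITE DIRS>
    AllowUser employee
    AllowUser external
    DenyAll
  </Limit>
</Directory>

# incoming: employee read/write; customer is a drop-box user who may
# cd in and out and upload, but not list, download, rename or delete.
# The named-command limit outranks the group limit, which is why
# employee appears in both.  AllowOverwrite stays off so a customer who
# cannot see the listing cannot clobber an existing upload by guessing
# its name.
<Directory /home/ftp/pub/incoming>
  AllowOverwrite off
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit READ WRITE DIRS>
    AllowUser employee
    DenyAll
  </Limit>
  <Limit CWD XCWD CDUP XCUP STOR STOU>
    AllowUser employee
    AllowUser customer
    DenyAll
  </Limit>
</Directory>

# outgoing: employee read/write; customer may list and download only.
<Directory /home/ftp/pub/outgoing>
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit WRITE>
    AllowUser employee
    DenyAll
  </Limit>
  <Limit READ DIRS>
    AllowUser employee
    AllowUser customer
    DenyAll
  </Limit>
</Directory>
```

Check the syntax with `proftpd -t -c /path/to/proftpd.conf` before restarting, then log in as each of the three users and try CWD, LIST, RETR, STOR and DELE in every folder; anything the matrix does not grant should be refused with a 550. The one thing this fragment does not hide is the names of the sibling folders when external or customer lists /pub; if even that must be hidden, give those accounts their own DefaultRoot (which is scoped by group name) instead of sharing /home/ftp.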
 
Accepted Solution by DarthMod, Community Support Moderator (earned 0 total points, ID: 15230626)

Closed, 250 points refunded.