Solved

PROFTPD Urgent question

Posted on 2006-04-13
Last Modified: 2008-01-09
Hi Everyone,

Question: When I logged into FTP, I can not upload any files, create directories, rename or delete files/directories

Steps I followed:

1. I added a new FTP user account into /etc/passwd:
myftpuser:x:501:502:Example FTP User:/virtualhosts:/sbin/nologin

2. Created /virtualhosts directory with root.root ownership

3. Created /virtualhosts/exampledir/ directory with myftpuser.ftpusers directory

4. I logged into FTP server with myftpuser account and successfully chrooted to /virtualhosts directory. I can see "exampledir" directory, but can not do anything.

Here is my /etc/proftpd.conf file:

# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $

ServerName                      "Octeth Intranet Server"
ServerIdent                     on "FTP Server ready."
ServerAdmin                     postmaster@octeth.oct
ServerType                      standalone
#ServerType                     inetd
DefaultServer                   on
AccessGrantMsg                  "User %u logged in."
#DisplayConnect                 /etc/ftpissue
#DisplayLogin                   /etc/ftpmotd
#DisplayGoAway                  /etc/ftpgoaway
DeferWelcome                    off

#Time out parameters
TimeoutIdle                     600
TimeoutNoTransfer               600
TimeoutLogin                    300

# Use this to exclude users from the chroot
# Below line restricts logged in user to his home directory except adm user group
# DefaultRoot                   ~ !adm
DefaultRoot                     /virtualhosts ftpusers,!root

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig                   proftpd
AuthOrder                       mod_auth_pam.c* mod_auth_unix.c

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups                    off
UseReverseDNS                   off

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# Default to show dot files in directory listings
ListOptions                     "-a"

# Normally, we want files to be overwriteable.
<Directory ~/*>
  AllowOverwrite                on
  AllowAll
</Directory>

# See Configuration.html for these (here are the default values)
#MultilineRFC2228               off
#RootLogin                      off
#LoginPasswordPrompt            on
#MaxLoginAttempts               3
#MaxClientsPerHost              none
#AllowForeignAddress            off     # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart            on
AllowStoreRestart               on

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    20

# Set the user and group that the server normally runs at.
User                            root
Group                           root

# This is where we want to put the pid file
ScoreboardFile                  /var/run/proftpd.score

# Define the log formats
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"

# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine                      on
#TLSRequired                    on
#TLSRSACertificateFile          /usr/share/ssl/certs/proftpd.pem
#TLSRSACertificateKeyFile       /usr/share/ssl/certs/proftpd.pem
#TLSCipherSuite                 ALL:!ADH:!DES
#TLSOptions                     NoCertRequest
#TLSVerifyClient                off
##TLSRenegotiate                ctrl 3600 data 512000 required off timeout 300
#TLSLog                         /var/log/proftpd/tls.log
0
Question by:blacklord
19 Comments
 
LVL 14

Expert Comment

by:ppfoong
ID: 16444587

Change these 2 lines:

# Set the user and group that the server normally runs at.
User                            root
Group                           root


into these:

# Set the user and group that the server normally runs at.
User                            myftpuser
Group                           ftpusers



0
 

Author Comment

by:blacklord
ID: 16444632
Hi,

Thanks for the answer but it did not work. I changed those lines to:

User                            root
Group                           ftpusers

There are several FTP users I want to set up and each one of them will have rights on their own directory under /virtualhosts.

I can not do anything under virtualhosts directory.

For example, when I try to create a folder under "exampledir" directory (ownership: myftpuser.ftpusers), the following error is generated:

MKD testdir
550 1: Permission denied
Requested action not taken (e.g., file or directory not found, no access).


Do you have any other idea?
0
 
LVL 14

Expert Comment

by:ppfoong
ID: 16444676

Try this:

DefaultRoot                     ~,!root

0

Author Comment

by:blacklord
ID: 16444776
ppfoong,

I didn't understand the relation of DefaultRoot with file read/write permission. As far as I know, DefaultRoot defines the landing directory for users. In my setting it is set to:

DefaultRoot                     /virtualhosts ftpusers,!root

Which means, jail all ftpusers group members to /virtualhosts directory except root user.

Am I wrong?

My question is why I can not read/write any file or dir when I logged into FTP?
0
 

Author Comment

by:blacklord
ID: 16444807
ppfoong,

I tried your suggestion and it still does not work :(
0
 
LVL 14

Expert Comment

by:ppfoong
ID: 16444880

Hmm... maybe your user is root and in your DefaultRoot, you have !root.

0
 
LVL 14

Expert Comment

by:ppfoong
ID: 16444931

And make sure the /virtualhosts/exampledir/ directory at least has permission of drwxr-x---.

0
 

Author Comment

by:blacklord
ID: 16444942
In etc/passwd,

myftpuser:x:501:502:Example FTP User:/virtualhosts:/sbin/nologin

user ID is 501
Group ID is 502 which is "ftpusers"

"maybe your user is root", what do you mean by this? Which user are you talking about? User that is defined in proftpd.conf?
0
 

Author Comment

by:blacklord
ID: 16444947
Permissions are correct as you mentioned
0
 
LVL 14

Expert Comment

by:ppfoong
ID: 16444975

Since you set the shell to /sbin/nologin, try this:


RequireValidShell               no

0
 

Author Comment

by:blacklord
ID: 16445016
nope, this does not work either. I still can not create a directory or file.
0
 
LVL 14

Expert Comment

by:ppfoong
ID: 16445116

Sorry I gave up.

Your config is similar to mine, I dunno why you cannot.

0
 

Author Comment

by:blacklord
ID: 16445243
Thanks for your efforts.

Does anyone else know the reason?

Hint: If I change home directory of user to /home/myftpuser, then I can write/delete files and folders under /home/myftpuser/Desktop directory.

Please help!
0
 
LVL 14

Expert Comment

by:ppfoong
ID: 16445304

Does your /virtualhosts directory have permission drwxr-xr-x ?

0
 

Author Comment

by:blacklord
ID: 16445335
yes it has
0
 
LVL 16

Expert Comment

by:xDamox
ID: 16445520
Hi,

Blacklord, I just want to ask a few questions first:

1) What distro are you using?
2) Do you have SELinux enabled? E.g. check by issuing the following: sestatus as root.
0
 

Author Comment

by:blacklord
ID: 16445569
Hi,

I am using Fedora Core 4

When I typed sestatus as root, the following is displayed:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 19
Policy from config file:        targeted

Policy booleans:
NetworkManager_disable_trans    inactive
allow_execmem                   active
allow_execmod                   active
allow_execstack                 active
allow_kerberos                  active
allow_write_xshm                inactive
allow_ypbind                    inactive
apmd_disable_trans              inactive
arpwatch_disable_trans          inactive
auditd_disable_trans            inactive
bluetooth_disable_trans         inactive
canna_disable_trans             inactive
cardmgr_disable_trans           inactive
comsat_disable_trans            inactive
cupsd_config_disable_trans      inactive
cupsd_disable_trans             inactive
cvs_disable_trans               inactive
cyrus_disable_trans             inactive
dbskkd_disable_trans            inactive
dhcpc_disable_trans             inactive
dhcpd_disable_trans             inactive
dovecot_disable_trans           inactive
fingerd_disable_trans           inactive
ftp_home_dir                    active
ftpd_disable_trans              inactive
ftpd_is_daemon                  active
hald_disable_trans              inactive
hotplug_disable_trans           inactive
howl_disable_trans              inactive
httpd_builtin_scripting         active
httpd_can_network_connect       inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_suexec_disable_trans      inactive
httpd_tty_comm                  inactive
httpd_unified                   active
i18n_input_disable_trans        inactive
inetd_child_disable_trans       inactive
inetd_disable_trans             inactive
innd_disable_trans              inactive
kadmind_disable_trans           inactive
klogd_disable_trans             inactive
krb5kdc_disable_trans           inactive
ktalkd_disable_trans            inactive
lpd_disable_trans               inactive
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nfs_export_all_ro               active
nfs_export_all_rw               active
nmbd_disable_trans              inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
pppd_disable_trans              inactive
pppd_for_user                   inactive
privoxy_disable_trans           inactive
ptal_disable_trans              inactive
radiusd_disable_trans           inactive
radvd_disable_trans             inactive
read_default_t                  active
rlogind_disable_trans           inactive
rsync_disable_trans             inactive
samba_enable_home_dirs          inactive
saslauthd_disable_trans         inactive
slapd_disable_trans             inactive
smbd_disable_trans              inactive
snmpd_disable_trans             inactive
squid_connect_any               inactive
squid_disable_trans             inactive
stunnel_disable_trans           inactive
stunnel_is_daemon               inactive
syslogd_disable_trans           inactive
system_dbusd_disable_trans      inactive
telnetd_disable_trans           inactive
tftpd_disable_trans             inactive
udev_disable_trans              inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
uucpd_disable_trans             inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
ypserv_disable_trans            inactive
zebra_disable_trans             inactive
0
 
LVL 16

Accepted Solution

by:
xDamox earned 1000 total points
ID: 16445999
Hi,

Problem solved, you have SELinux protecting your machine:

ftp_home_dir                    active
ftpd_disable_trans              inactive
ftpd_is_daemon                  active

run the following command as root:

system-config-securitylevel

Go into the SELinux tab and click Modify SELinux policy, select the FTP policy, then
click disable, and FTP will work :)
0
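
The accepted solution attributes the "550 ... Permission denied" to SELinux. As an added example (not part of the original thread), this shell function confirms that from the logs by listing the AVC denials raised against the FTP daemon's domain together with the label of the object it was refused. The log lines are constructed samples, and the ftpd_t domain and default_t label in them are assumptions about this system's targeted policy.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials raised against the FTP daemon domain.
# Reads audit/syslog text on stdin and prints one line per denial:
#   <comm> <permissions> <tclass> <name> <tcontext>
# Assumption: the daemon runs in the ftpd_t domain (targeted policy).
ftpd_denials() {
    awk '
    /avc:/ && /denied/ && /scontext=[^ ]*:ftpd_t( |:|$)/ {
        perms = "-"; comm = "-"; name = "-"; tctx = "-"; tclass = "-"
        # The denied permissions sit between "{" and "}".
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        # Remaining details are whitespace-separated key=value pairs
        # (names containing spaces are not handled here).
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "name") name = v
            else if (k == "tcontext") tctx = v
            else if (k == "tclass") tclass = v
        }
        printf "%s %s %s %s %s\n", comm, perms, tclass, name, tctx
    }'
}

# Constructed sample records (not taken from the poster's machine).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1144930000.101:41): avc:  denied  { write } for  pid=2301 comm="proftpd" name="exampledir" dev=hda2 ino=98001 scontext=root:system_r:ftpd_t tcontext=root:object_r:default_t tclass=dir
type=AVC msg=audit(1144930000.205:42): avc:  denied  { getattr } for  pid=2410 comm="httpd" name="index.html" dev=hda2 ino=98100 scontext=root:system_r:httpd_t tcontext=root:object_r:default_t tclass=file
type=AVC msg=audit(1144930001.317:43): avc:  denied  { add_name } for  pid=2301 comm="proftpd" name="testdir" dev=hda2 ino=98001 scontext=root:system_r:ftpd_t tcontext=root:object_r:default_t tclass=dir
EOF
}

# Only the two proftpd records are reported; the httpd denial is ignored.
sample_log | ftpd_denials
```

On a live host, pipe the audit log (or syslog, if auditd is not running) into ftpd_denials in place of sample_log. Denials that name a directory outside the user's home, with ordinary Unix permissions already correct, match the symptom in this thread.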
 

Author Comment

by:blacklord
ID: 16446097
Thanks! It works!
0

Question has a verified solution.
