PROFTPD Urgent question

Posted on 2006-04-13
Last Modified: 2008-01-09
Hi Everyone,

Question: When I log into FTP, I cannot upload any files, create directories, or rename or delete files/directories.

Steps I followed:

1. I added a new ftp user account into /etc/passwd:
myftpuser:x:501:502:Example FTP User:/virtualhosts:/sbin/nologin

2. Created /virtualhosts directory with root.root ownership

3. Created /virtualhosts/exampledir/ directory with myftpuser.ftpusers ownership

4. I logged into the FTP server with the myftpuser account and was successfully chrooted to the /virtualhosts directory. I can see the "exampledir" directory, but cannot do anything.

Here is my /etc/proftpd.conf file:

# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $

ServerName                      "Octeth Intranet Server"
ServerIdent                     on "FTP Server ready."
ServerAdmin                     postmaster@octeth.oct
ServerType                      standalone
#ServerType                     inetd
DefaultServer                   on
AccessGrantMsg                  "User %u logged in."
#DisplayConnect                 /etc/ftpissue
#DisplayLogin                   /etc/ftpmotd
#DisplayGoAway                  /etc/ftpgoaway
DeferWelcome                    off

#Time out parameters
TimeoutIdle                     600
TimeoutNoTransfer               600
TimeoutLogin                    300

# Use this to exclude users from the chroot
# Below line restricts logged in user to his home directory except adm user group
# DefaultRoot                   ~ !adm
DefaultRoot                     /virtualhosts ftpusers,!root

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig                   proftpd
AuthOrder                       mod_auth_pam.c* mod_auth_unix.c

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups                    off
UseReverseDNS                   off

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# Default to show dot files in directory listings
ListOptions                     "-a"

# Normally, we want files to be overwriteable.
<Directory ~/*>
  AllowOverwrite                on
</Directory>

# See Configuration.html for these (here are the default values)
#MultilineRFC2228               off
#RootLogin                      off
#LoginPasswordPrompt            on
#MaxLoginAttempts               3
#MaxClientsPerHost              none
#AllowForeignAddress            off     # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart            on
AllowStoreRestart               on

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    20

# Set the user and group that the server normally runs at.
User                            root
Group                           root

# This is where we want to put the pid file
ScoreboardFile                  /var/run/proftpd.score

# Define the log formats
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"

# Explained at
#TLSEngine                      on
#TLSRequired                    on
#TLSRSACertificateFile          /usr/share/ssl/certs/proftpd.pem
#TLSRSACertificateKeyFile       /usr/share/ssl/certs/proftpd.pem
#TLSCipherSuite                 ALL:!ADH:!DES
#TLSOptions                     NoCertRequest
#TLSVerifyClient                off
##TLSRenegotiate                ctrl 3600 data 512000 required off timeout 300
#TLSLog                         /var/log/proftpd/tls.log
Question by:blacklord
    LVL 14

    Expert Comment


    Change these 2 lines:

    # Set the user and group that the server normally runs at.
    User                            root
    Group                           root

    into these:

    # Set the user and group that the server normally runs at.
    User                            myftpuser
    Group                           ftpusers


    Author Comment


    Thanks for the answer, but it did not work. I changed those lines to:

    User                            root
    Group                           ftpusers

    There are several FTP users I want to set up, and each one of them will have rights on their own directory under /virtualhosts.

    I still cannot do anything under the virtualhosts directory.

    For example, when I try to create a folder under the "exampledir" directory (ownership: myftpuser.ftpusers), the following error is generated:

    MKD testdir
    550 1: Permission denied
    Requested action not taken (e.g., file or directory not found, no access).

    Do you have any other idea?
    LVL 14

    Expert Comment


    Try this:

    DefaultRoot                     ~,!root


    Author Comment


    I don't understand the relation of DefaultRoot to file read/write permissions. As far as I know, DefaultRoot defines the landing directory for users. In my setting it is set to:

    DefaultRoot                     /virtualhosts ftpusers,!root

    Which means: jail all ftpusers group members to the /virtualhosts directory, except the root user.

    Am I wrong?

    My question is: why can I not read/write any file or directory when I log into FTP?

    Author Comment


    I tried your suggestion and it still does not work :(
    LVL 14

    Expert Comment


    Hmm... maybe your user is root and in your DefaultRoot, you have !root.

    LVL 14

    Expert Comment


    And make sure the /virtualhosts/exampledir/ directory at least has permission of drwxr-x---.


    Author Comment

    In /etc/passwd,

    myftpuser:x:501:502:Example FTP User:/virtualhosts:/sbin/nologin

    user ID is 501
    Group ID is 502 which is "ftpusers"

    "maybe your user is root": what do you mean by this? Which user are you talking about? The user that is defined in proftpd.conf?

    Author Comment

    Permissions are correct, as you mentioned.
    LVL 14

    Expert Comment


    Since you set the shell to /sbin/nologin, try this:

    RequireValidShell               no


    Author Comment

    Nope, this does not work either. I still cannot create a directory or file.
    LVL 14

    Expert Comment


    Sorry, I gave up.

    Your config is similar to mine, I dunno why you cannot.


    Author Comment

    Thanks for your efforts.

    Does anyone else know the reason?

    Hint: If I change the home directory of the user to /home/myftpuser, then I can write/delete files and folders under the /home/myftpuser/Desktop directory.

    Please help!
    LVL 14

    Expert Comment


    Does your /virtualhosts directory have permission drwxr-xr-x?


    Author Comment

    Yes, it has.
    LVL 16

    Expert Comment


    Blacklord, I just want to ask a few questions first:

    1) What distro are you using?
    2) Do you have SELinux enabled? Check by issuing the following as root: sestatus

    Author Comment


    I am using Fedora Core 4

    When I typed sestatus as root, the following was displayed:

    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 19
    Policy from config file:        targeted

    Policy booleans:
    NetworkManager_disable_trans    inactive
    allow_execmem                   active
    allow_execmod                   active
    allow_execstack                 active
    allow_kerberos                  active
    allow_write_xshm                inactive
    allow_ypbind                    inactive
    apmd_disable_trans              inactive
    arpwatch_disable_trans          inactive
    auditd_disable_trans            inactive
    bluetooth_disable_trans         inactive
    canna_disable_trans             inactive
    cardmgr_disable_trans           inactive
    comsat_disable_trans            inactive
    cupsd_config_disable_trans      inactive
    cupsd_disable_trans             inactive
    cvs_disable_trans               inactive
    cyrus_disable_trans             inactive
    dbskkd_disable_trans            inactive
    dhcpc_disable_trans             inactive
    dhcpd_disable_trans             inactive
    dovecot_disable_trans           inactive
    fingerd_disable_trans           inactive
    ftp_home_dir                    active
    ftpd_disable_trans              inactive
    ftpd_is_daemon                  active
    hald_disable_trans              inactive
    hotplug_disable_trans           inactive
    howl_disable_trans              inactive
    httpd_builtin_scripting         active
    httpd_can_network_connect       inactive
    httpd_disable_trans             inactive
    httpd_enable_cgi                active
    httpd_enable_homedirs           active
    httpd_ssi_exec                  active
    httpd_suexec_disable_trans      inactive
    httpd_tty_comm                  inactive
    httpd_unified                   active
    i18n_input_disable_trans        inactive
    inetd_child_disable_trans       inactive
    inetd_disable_trans             inactive
    innd_disable_trans              inactive
    kadmind_disable_trans           inactive
    klogd_disable_trans             inactive
    krb5kdc_disable_trans           inactive
    ktalkd_disable_trans            inactive
    lpd_disable_trans               inactive
    mysqld_disable_trans            inactive
    named_disable_trans             inactive
    named_write_master_zones        inactive
    nfs_export_all_ro               active
    nfs_export_all_rw               active
    nmbd_disable_trans              inactive
    nscd_disable_trans              inactive
    ntpd_disable_trans              inactive
    portmap_disable_trans           inactive
    postgresql_disable_trans        inactive
    pppd_disable_trans              inactive
    pppd_for_user                   inactive
    privoxy_disable_trans           inactive
    ptal_disable_trans              inactive
    radiusd_disable_trans           inactive
    radvd_disable_trans             inactive
    read_default_t                  active
    rlogind_disable_trans           inactive
    rsync_disable_trans             inactive
    samba_enable_home_dirs          inactive
    saslauthd_disable_trans         inactive
    slapd_disable_trans             inactive
    smbd_disable_trans              inactive
    snmpd_disable_trans             inactive
    squid_connect_any               inactive
    squid_disable_trans             inactive
    stunnel_disable_trans           inactive
    stunnel_is_daemon               inactive
    syslogd_disable_trans           inactive
    system_dbusd_disable_trans      inactive
    telnetd_disable_trans           inactive
    tftpd_disable_trans             inactive
    udev_disable_trans              inactive
    use_nfs_home_dirs               inactive
    use_samba_home_dirs             inactive
    uucpd_disable_trans             inactive
    winbind_disable_trans           inactive
    ypbind_disable_trans            inactive
    ypserv_disable_trans            inactive
    zebra_disable_trans             inactive
    LVL 16

    Accepted Solution


    Problem solved, you have SELinux protecting your machine:

    ftp_home_dir                    active
    ftpd_disable_trans              inactive
    ftpd_is_daemon                  active

    run the following command as root:


    Go into the SELinux tab, click "Modify SELinux policy", select the FTP policy, then
    click disable, and FTP will work :)
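The accepted fix switches off SELinux confinement for ftpd entirely. As an added triage helper (not from this thread or from ProFTPD), the script below reads sestatus output and tells an administrator whether a 550 on a correctly chmod'ed directory should be chased as an SELinux denial at all, and if so whether the ftp_home_dir boolean or the directory's file context is the more likely cause; the sample input is constructed from the key lines of the thread's own sestatus output, and the "context" diagnosis is an inference (/virtualhosts was created by root outside /home, so it does not carry a home-directory label), not something the thread states.

```shell
#!/bin/sh
# Added triage helper: classify an FTP "550 Permission denied" from `sestatus` output.

# Constructed sample: the thread's sestatus lines that matter for ftpd.
SESTATUS_SAMPLE='SELinux status:                 enabled
Current mode:                   enforcing
ftp_home_dir                    active
ftpd_disable_trans              inactive
ftpd_is_daemon                  active'

# Print the last field of the first line in $1 that starts with key $2
# (works for both "Key:   value" lines and "boolean   state" lines).
sestatus_field() {
  printf '%s\n' "$1" | awk -v key="$2" 'index($0, key) == 1 { print $NF; exit }'
}

# Print one of:
#   unix-perms       ftpd is not confined (SELinux off, permissive, or
#                    ftpd_disable_trans on): check ownership, mode and Umask instead
#   selinux-boolean  ftpd is confined and ftp_home_dir is off:
#                    `setsebool -P ftp_home_dir on` is the narrow fix
#   selinux-context  ftpd is confined and the boolean is already on: the target
#                    directory most likely lacks a home-directory label; compare
#                    `ls -Zd` of the working and failing paths and look for
#                    "avc:  denied" entries for proftpd in /var/log/audit/audit.log
classify_ftp_denial() {
  status=$(sestatus_field "$1" "SELinux status")
  mode=$(sestatus_field "$1" "Current mode")
  trans_off=$(sestatus_field "$1" "ftpd_disable_trans")
  home_dir=$(sestatus_field "$1" "ftp_home_dir")
  if [ "$status" != "enabled" ] || [ "$mode" != "enforcing" ] || [ "$trans_off" = "active" ]; then
    echo unix-perms
  elif [ "$home_dir" != "active" ]; then
    echo selinux-boolean
  else
    echo selinux-context
  fi
}

# Stand-alone run on the constructed sample (on a real host: classify_ftp_denial "$(sestatus -b)").
classify_ftp_denial "$SESTATUS_SAMPLE"
```

Disabling the FTP policy as the thread does also works, but it removes confinement from every ftpd operation rather than only the one that is failing.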

    Author Comment

    Thanks! It works!
