Old 01-19-2007, 02:56 AM   #1
omlex
LQ Newbie
 
Registered: Jul 2003
Posts: 22

Rep: Reputation: 15
vsftpd shows my / directory files


I'm trying to set up a vsftp server. Anonymous is disabled and chrooted the user in their home directory. However when I ran ftp://<IP_Address> on my browser, I can see the list of files of my root directory. How can I disable this?

Here's what I can see

FTP root at 10.x.x.x
To view this FTP site in Windows Explorer, click Page, and then click Open FTP Site in Windows Explorer.
--------------------------------------------------------------------------------

02/02/2006 12:00AM Directory bin
02/01/2006 12:00AM Directory boot
12/24/2006 02:28AM Directory dev
01/18/2007 01:33AM Directory etc
01/18/2007 01:28AM Directory home
03/12/2004 12:00AM Directory initrd
02/02/2006 12:00AM Directory lib
05/19/2005 12:00AM Directory lost+found
04/14/2004 12:00AM Directory misc
05/19/2005 12:00AM Directory mnt
03/12/2004 12:00AM Directory opt
12/24/2006 10:28AM Directory proc
01/06/2007 03:19AM Directory root
02/02/2006 12:00AM Directory sbin
03/12/2004 12:00AM Directory selinux
12/24/2006 10:28AM Directory sys
01/17/2007 08:02PM Directory tmp
05/19/2005 12:00AM Directory usr
02/13/2006 12:00AM Directory var

I'm using IE7
 
Old 01-19-2007, 12:10 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791
Quote:
chrooted the user in their home directory. However when I ran ftp://<IP_Address> on my browser, I can see the list of files of my root directory.
Then you haven't set up the chroot properly. Please first search LQ's fora / articles for similar threads because I *know* this one has been answered before and more than a few times. If you then can't figure it out posting your vsftpd config file would be a good start.
 
Old 01-19-2007, 03:35 PM   #3
Electro
Guru
 
Registered: Jan 2002
Posts: 6,042

Rep: Reputation: Disabled
vsftpd does not do that by default. I suggest reading the manual.
 
Old 01-21-2007, 08:28 PM   #4
omlex
LQ Newbie
 
Registered: Jul 2003
Posts: 22

Original Poster
Rep: Reputation: 15
here's my vsftpd.conf

Just like what I said, I'm using IE 7. This is not the case for IE 6. Also, this is a Fedora Core 2.

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=NO
userlist_file=/etc/vsftpd.user_list
#enable for standalone mode
listen=YES
tcp_wrappers=YES
chroot_local_user=YES
 
Old 01-21-2007, 09:00 PM   #5
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
Did it require you to login? Do any of your users have "/" for their home directory?
 
Old 01-22-2007, 03:11 AM   #6
omlex
LQ Newbie
 
Registered: Jul 2003
Posts: 22

Original Poster
Rep: Reputation: 15
No authentication at all. When I typed http://10.x.x.x/ I'll see my root directory immediately.
 
Old 01-22-2007, 04:30 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791
Please first search LQ's fora / articles for similar threads because I *know* this one has been answered before and more than a few times. Besides that the Vsftpd docs really contain enough info and even example configs to make it work.

Last edited by unSpawn; 01-22-2007 at 04:33 AM.
 
Old 02-05-2007, 10:05 AM   #8
richardsantiago
LQ Newbie
 
Registered: Aug 2005
Location: Linux World
Distribution: Fedora. Slackware
Posts: 1

Rep: Reputation: 0
I am having the same problem. I use Firefox and it works perfect but when I use IE7 it shows all / folders and I can even browse them.

I searched on LQ and found nothing.

Is there a way to control vsftpd's behaviour by looking at the browser client?

Thanks.
 
Old 09-27-2007, 09:11 AM   #9
r081n
LQ Newbie
 
Registered: Sep 2007
Posts: 3

Rep: Reputation: 0
I'm also having the same problem. Using any client such as flashfxp, Command prompt ftp, ftp through Windows Explorer, or ftp through a browser such as firefox or internet explorer prior to version 7 all work fine. The user logs in and gets automatically put in the vsftpd home directory at /var/ftp from where they can go to pub or uploads.

But when a user logs in using internet explorer 7, they go to my root directory. Mind you the user can't actually go into any of these folders because of permission settings, but it's still very unsettling; plus the user has no way to navigate from there to the actual ftp directory. I've googled for this problem and found lots of people having the same problem, but no one has come up with a solution; just people replying with mindless suggestions.

I run fedora core 7 with vsftpd and anonymous users are not allowed.

If anyone can shine some light on this, I greatly appreciate it.

Cheers,
r081n
 
Old 09-28-2007, 01:48 AM   #10
Electro
Guru
 
Registered: Jan 2002
Posts: 6,042

Rep: Reputation: Disabled
I think PAM is the problem because it has confusing configuration files and a confusing manual that does not explain much. I suggest using SELinux for better security. Microsoft has started to not comply with the IMAP protocol in Outlook Express and I think they are starting to do the same with FTP. Though some additional options besides PAM might also be giving you problems.

If all else fails, compile vsftpd with the debug option and watch the logs. Use strace and gdb to find out what is going on.

I do not have any line for PAM option in my vsftpd config file. The following is my vsftpd.conf file.

Code:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=120
nopriv_user=nobody
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=###################
max_clients=50
max_per_ip=4
log_ftp_protocol=NO
anon_max_rate=30720
local_max_rate=40960

I have not yet tested it with Internet Explorer 7, but my setup is not for a production server. It is for personal home use that I rarely use. The option chroot_list_file is a directory.
 
Old 09-28-2007, 08:29 AM   #11
r081n
LQ Newbie
 
Registered: Sep 2007
Posts: 3

Rep: Reputation: 0
After doing some more googling I learned that for some reason, internet explorer 7 ignores the "home directory" setting for users. I wonder if there is a way for vsftpd to capture what ftp client is being used and act accordingly. For example, if the ftp client is internet explorer 7, then send an error message to the client telling them to use a different client. I'm also gonna try to deny all permissions for the ftp users group to my root directory.
 
Old 09-28-2007, 04:26 PM   #12
Electro
Guru
 
Registered: Jan 2002
Posts: 6,042

Rep: Reputation: Disabled
I tested my setup with Internet Explorer 7 on Microsoft Vista Home Premium and it works as expected. It lists the directories and files of the user's home files, but cannot access / or even see it. I had to do ftp://username@address. When I use ftp://address, it gave me a permission error, so it will never log in. I think the difference in my setup compared to your setup is the chroot options. I did not use the userlist option. I think the users that you gave permission to access your server should be placed in the directory that you specify as chroot_list. The manual describes the chroot feature, but it is confusing at first.

Even though it is not a PAM problem, I suggest getting away from using PAM for vsftpd. I think PAM should not be included in any Linux distribution because SELinux is better and has more documentation.
 
Old 10-10-2007, 12:43 PM   #13
r081n
LQ Newbie
 
Registered: Sep 2007
Posts: 3

Rep: Reputation: 0
Thx for your help Electro. The chroot directives did the trick!

I created /etc/vsftpd/chroot_list and added my ftp users to it, then I added the following two lines to my vsftpd.conf file:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

And now when users log in using internet explorer 7 they will be placed in the ftp root folder.

NOTE: I did not include the chroot_local_user directive which by default is set to no.

I'm still somewhat confused why internet explorer 7 is behaving differently from other ftp clients though, including previous versions of internet explorer...
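
The three setups posted in this thread combine `chroot_local_user` and `chroot_list_enable` differently, and the vsftpd.conf man page gives the list opposite meanings depending on `chroot_local_user`. The following is an added example, not part of the original thread or of vsftpd itself, that works out who ends up jailed in each case; the user names `alice` and `bob` and the list contents are assumptions.

```python
# Added example: which local users vsftpd jails, per the vsftpd.conf(5) rules
# for chroot_local_user and chroot_list_enable.

def parse_conf(text):
    """Parse vsftpd.conf text: 'option=value' lines, '#' starts a comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key] = value
    return conf

def enabled(conf, key):
    # Both chroot options default to NO when absent from the file.
    return conf.get(key, "NO").upper() == "YES"

def is_chrooted(conf, user, listed_users):
    """Return True if `user` is jailed in their home directory after login."""
    local = enabled(conf, "chroot_local_user")
    in_list = enabled(conf, "chroot_list_enable") and user in listed_users
    # With chroot_local_user=YES the list is inverted: listed users are NOT jailed.
    return (not in_list) if local else in_list

# Constructed samples: only the chroot-related lines of the setups in the thread.
LIST_LINES = "chroot_list_enable=YES\nchroot_list_file=/etc/vsftpd/chroot_list\n"
SETUPS = {
    "post #4": "#enable for standalone mode\nlisten=YES\nchroot_local_user=YES\n",
    "post #10": "chroot_local_user=YES\n" + LIST_LINES,
    "post #13": LIST_LINES,
}
LISTED = {"alice"}        # hypothetical contents of the chroot_list file
USERS = ["alice", "bob"]  # hypothetical local accounts

def report():
    """Map each setup to {user: jailed?} for the sample users."""
    return {
        name: {u: is_chrooted(parse_conf(text), u, LISTED) for u in USERS}
        for name, text in SETUPS.items()
    }

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

A user who shows up as not jailed here can list `/` over FTP, subject only to file permissions.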
 
  

