LinuxQuestions.org
Old 12-11-2011, 10:43 PM   #1
bluethundr
Member
 
Registered: Jun 2003
Location: Summit, NJ
Distribution: CentOS 5.4
Posts: 122

Rep: Reputation: 15
limiting parent directory access in proftpd


Hello LinuxQ:

I have a proftpd conf that is working quite well with one exception. A logged in user can navigate all the way up the directory tree to root and add and remove files. Not good.

The directory I want to upload to/download from is /var/www/jf-current. Its parent (/var/www) and above should be off-limits.

It is using a mysql back end for user logins and domains, and the good news is that only the virtual ftp user can log in.

I was hoping that by providing you with the configuration file and some info from the logs I can solve this problem.

Code:
# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html

ServerName			"ProFTPD server"
ServerIdent			on "FTP Server ready."
ServerAdmin		        bluethundr@mysite.com	
DefaultServer			on
PassivePorts                    60000 65535
MasqueradeAddress               xx.xx.xx.xx              	

# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine			on
VRootAlias			etc/security/pam_env.conf /etc/security/pam_env.conf

# Define the log formats
LogFormat			default	"%h %l %u %t \"%r\" %s %b"
LogFormat			auth	"%v [%P] %h %t \"%r\" %s"


# Use pam to authenticate (default) and be authoritative
#AuthPAMConfig			proftpd
#AuthOrder			mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd		off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS			off

# Set the user and group that the server runs as
User				nobody
Group				nobody

# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
#   LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
#   LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
LoadModule mod_quotatab_sql.c

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile			off



# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
  TLSEngine			on
  TLSRequired			on
  TLSRSACertificateFile		/etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile	/etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite		ALL:!ADH:!DES
  TLSOptions			NoCertRequest
  TLSVerifyClient		off
  #TLSRenegotiate		ctrl 3600 data 512000 required off timeout 300
  TLSLog			/var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache		shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule			mod_ban.c
  BanEngine			on
  BanLog			/var/log/proftpd/ban.log
  BanTable			/var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent			MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs		all allow user ftpadm
</IfDefine>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask				022
  

  # Allow users to overwrite files and change permissions
  AllowOverwrite		yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
  

  
 # Accept either plaintext or crypt(3)-hashed passwords from the MySQL table
 SQLAuthTypes            Plaintext Crypt
 SQLAuthenticate         users groups

 # used to connect to the database
 # databasename@host database_user user_password
 SQLConnectInfo  ftp@localhost proftpd secret

 # Here we tell ProFTPd the names of the database columns in the "usertable"
 # we want it to interact with. Match the names with those in the db
 SQLUserInfo     ftpuser userid passwd uid gid homedir shell

 # Here we tell ProFTPd the names of the database columns in the "grouptable"
 # we want it to interact with. Again the names match with those in the db
 SQLGroupInfo    ftpgroup groupname gid members

 # set min UID and GID - otherwise these are 999 each
 SQLMinID        500

 # Update count every time user logs in
 SQLLog PASS updatecount
 SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser

 # Update modified everytime user uploads or deletes a file
 SQLLog  STOR,DELE modified
 SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

 # User quotas
 # ===========
 QuotaEngine on
 QuotaDirectoryTally on
 QuotaDisplayUnits Mb
 QuotaShowQuotas on

 SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"

 SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"

 SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies

 SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
 
 SQLLogFile                      /home/bluethundr/sqllog.dbg

 QuotaLimitTable sql:/get-quota-limit
 QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally

 RootLogin off
 RequireValidShell off

</Global>

<VirtualHost xx.xx.xx.xx>
   DefaultRoot      /var/www/jf-current
  <Directory /var/www>
    Umask 022
    <Limit STOR READ WRITE CWD>
        DenyAll
    </Limit>
  </Directory>
  <Directory /var/www/jf-current>
    Umask 022
    <Limit ALL>
        AllowUser jfuser
    </Limit>
  </Directory>
</VirtualHost>

And here is some info from the debug logs when I upload to the parent directory (/var/www):

Code:
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - in dir_check_full(): path = '/var/www', fullpath = '/var/www'.
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching POST_CMD command 'MLSD' to mod_sql
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching LOG_CMD command 'MLSD' to mod_sql
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching LOG_CMD command 'MLSD' to mod_log
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching LOG_CMD command 'MLSD' to mod_facts

Here is some info on the server that's running the proftpd server:

Code:
CentOS release 5.7 (Final)
[root@ec2-184-73-240-79 ~]# uname -a
Linux ec2-184-73-240-79.compute-1.amazonaws.com 2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:34:28 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

For the time being proftpd will only be turned on for testing purposes until this part can be worked out.

Thanks in advance
 
Old 12-12-2011, 03:45 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,898

Rep: Reputation: 1322
Hi,

I'm not very familiar with the sql authentication module of proftpd, but I think that the "DefaultRoot" is useless here.
You need to use either the SQLDefaultHomedir directive, or assign a homedir for your users in the proftpd database.
Quoting from SQLUserInfo:
Quote:
homedir

Specifies the field in the user table that holds the user's home directory. If the fieldname is specified as "NULL" the database will not be queried for this value and the user's home directory will be set to the value of SQLDefaultHomedir. If no home directory is set with either directive, user authentication will be automatically turned off.
Regards
 
Old 12-12-2011, 06:33 AM   #3
bluethundr
Member
 
Registered: Jun 2003
Location: Summit, NJ
Distribution: CentOS 5.4
Posts: 122

Original Poster
Rep: Reputation: 15

Quote:
Originally Posted by bathory View Post
Hi,

I'm not very familiar with the sql authentication module of proftpd, but I think that the "DefaultRoot" is useless here.
You need to use either the SQLDefaultHomedir directive, or assign a homedir for your users in the proftpd database
Quoting from SQLUserInfo:


Regards

Hello, and thanks for your reply. Yes, you are probably right in that the DefaultRoot has no point here, as the home directory is specified by the SQL:

Code:
mysql> select * from ftpuser;
+----+--------+--------+------+------+---------------------+---------------+-------+---------------------+---------------------+
| id | userid | passwd | uid  | gid  | homedir             | shell         | count | accessed            | modified            |
+----+--------+--------+------+------+---------------------+---------------+-------+---------------------+---------------------+
|  1 | myuser | secret | 2001 | 2001 | /var/www/jf-current | /sbin/nologin |   122 | 2011-12-11 22:05:09 | 2011-12-11 22:05:24 |
+----+--------+--------+------+------+---------------------+---------------+-------+---------------------+---------------------+
1 row in set (0.00 sec)
That said, I'm not certain what adding a SQLDefaultHomedir would buy me given that the homedir is set as in the above example.

Thankfully, the logged-in user can access his home directory as specified in the SQL. The issue is that once the ftp user logs in he can CD up the directory tree all the way to root and add or delete files.

But I will try removing the DefaultRoot directory as that part of it is handled by the SQL as you point out. Thank you for that!
 
Old 12-12-2011, 07:11 AM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,898

Rep: Reputation: 1322
Quote:
The issue is that once the ftp user logs in he can CD up the directory tree all the way to root and add or delete files.
While it's possible for an ordinary user to get out of the jail, it's not possible to write (add, delete files) in /. So you had better have a closer look at the permissions of the directory tree.


Quote:
That said, I'm not certain what adding a SQLDefaultHomedir would buy me given that the homedir is set as in the above example.
At least you could try.


Quote:
But I will try removing the DefaultRoot directory as that part of it is handled by the SQL as you point out
If that doesn't work, you may use the default "DefaultRoot ~" to see if it's read by the server and the user gets jailed into his homedir, no matter how it's defined.

Regards
 
Old 12-13-2011, 11:16 AM   #5
bluethundr
Member
 
Registered: Jun 2003
Location: Summit, NJ
Distribution: CentOS 5.4
Posts: 122

Original Poster
Rep: Reputation: 15
fixed!

Quote:
Originally Posted by bathory View Post
While it's possible for an ordinary user to get off the jail, it's not possible to write (add, delete files) in /. So you better have a closer look to the permissions of the directory tree.



At least you could try.



If that doesn't work you may use the default "DefaultRoot ~" to see if it's read by the server and the user gets jailed into his homedir, no matter how it's defined.

Regards

Hello Bathory, and thanks for your reply. I was able to solve this CD up problem I was having by taking your advice. Thanks for your help!
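One way a configuration like the one posted above can leave sessions unjailed is a DefaultRoot that lives only inside one <VirtualHost> while the main server context (and <Global>) has none: a session that does not match that vhost address is then never chrooted. The static check below, an added example that is not code from this thread or from the ProFTPD project, maps each server context of a proftpd.conf to its DefaultRoot directives and reports the contexts with no chroot; the config text and the 203.0.113.10 address are constructed, and the parser assumes a well-formed file.

```python
import re

# Constructed sample modelled on the thread: DefaultRoot only in the <VirtualHost>.
SAMPLE_CONF = """
<Global>
  Umask 022
</Global>
<VirtualHost 203.0.113.10>
  DefaultRoot /var/www/jf-current
  <Limit STOR READ WRITE CWD>
    DenyAll
  </Limit>
</VirtualHost>
"""
OPEN_RE = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")

def parse_contexts(text):
    """Map server contexts ('main', 'global', 'vhost:<addr>') to their DefaultRoot
    values; <Directory>, <Limit>, <IfDefine> (treated as defined) and <IfModule>
    blocks belong to the enclosing server context."""
    contexts, stack = {"main": []}, ["main"]      # assumes a well-formed config
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        opened = OPEN_RE.match(line)
        if opened:
            name, arg = opened.group(1).lower(), (opened.group(2) or "").strip()
            if name == "global":
                ctx = "global"
            elif name == "virtualhost":
                ctx = "vhost:" + arg
            else:
                ctx = stack[-1]                   # non-server block: keep context
            contexts.setdefault(ctx, [])
            stack.append(ctx)
        elif line.startswith("</"):
            stack.pop()
        else:
            parts = line.split(None, 1)
            if parts[0].lower() == "defaultroot":
                contexts[stack[-1]].append(parts[1] if len(parts) > 1 else "")
    return contexts

def unjailed_servers(text):
    """Server contexts whose sessions are not chrooted (no DefaultRoot, none in <Global>)."""
    contexts = parse_contexts(text)
    inherited = contexts.get("global", [])
    return sorted(ctx for ctx, roots in contexts.items()
                  if ctx != "global" and not roots and not inherited)
```

On the sample this reports ['main']; adding "DefaultRoot ~" inside <Global>, as suggested in the thread, makes the list empty because every server context then inherits the chroot.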