Problems with anonymous login proftp 1.3.1: 530-Unable to set anonymous priviliges.

gentooox · 10-26-2007, 09:33 AM

I looked through similar threads in the forum but couldn't find any answers.

My proftpd.conf file (non-anonymous users should be chroot'ed to their home dirs, anonymous users to the home directory of the user 'ftp'):

Code:

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anonymous access.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on
RequireValidShell               off
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask           022

SystemLog       /var/log/proftpd.log

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit the maximum number of processes per service
# (such as xinetd).
MaxInstances    30

# Set the user and group under which the server will run.
User            proftpd
Group           proftpd
# Added this line to chroot users in their home dirs
DefaultRoot     ~

# Normally, we want files to be overwriteable.
<Directory />
        AllowOverwrite          on
</Directory>

# A basic anonymous configuration, with no upload directories.
<Anonymous ~ftp>
        User                    ftp
        Group                   ftp

        # We want clients to be able to login with "anonymous" as well as "ftp".
        UserAlias               anonymous ftp

        # Limit the maximum number of anonymous logins.
        MaxClients              10

        # We want 'welcome.msg' displayed at login, and '.message' displayed
        # in each newly chdired directory.
        DisplayLogin            welcome.msg
        DisplayChdir            .message

        # Limit WRITE everywhere in the anonymous chroot.
        <Limit WRITE>
                DenyAll
        </Limit>
</Anonymous>

The home directory I created (following the guide found on these forums) is shown below, as it appears when running the "ls -l" command. As far as a linux newbie like me can tell it says that the user 'ftp' is the owner of the folder, and that it's associated with the usergroup called 'ftp':

Code:

root ~ # ls -l /home/
total 1
drwxr-x--- 2 ftp     ftp    48 Oct 26 15:26 ftp

I haven't entered any password for the user 'ftp' after creation. He's set up to not use any shell (/bin/false), have his home dir in /home/ftp and be part of the 'ftp' usergroup. The usergroup 'ftp' was created simply with "groupadd ftp".

When trying to log in using 'anonymous' (should be valid alias) I get the following:

Code:

Status:	Connection established, waiting for welcome message...
Response:	220 ProFTPD 1.3.1rc2 Server (ProFTPD Default Installation) [::ffff:192.168.1.101]
Command:	USER anonymous
Response:	331 Anonymous login ok, send your complete email address as your password
Command:	PASS **************
Response:	530-Unable to set anonymous privileges.
Response:	530 Login incorrect.

The 'ftp' user is not in my /etc/ftpusers list so it shouldn't get blocked because of that. The home dir exists. The daemon is running, otherwise I wouldn't be able to connect.
If anyone has a suggestion to what might be wrong I'd be grateful.
If anyone could explain to me what the ~ftp in the beginning <Anonymous ~ftp> does I'd be interested as well.

allein · 12-12-2007, 04:19 PM

I have the same problem. Anyone know anything about this?

cyprix · 04-17-2008, 11:47 PM

I solved this issue with the following setup - the Fake listings are req'd:

Code:

<Anonymous /var/ftp/pub>
  # Allow logins if they are disabled above.
  <Limit LOGIN>
    AllowAll
  </Limit>

  # Maximum clients with message
  MaxClients                    5 "Sorry, max %m users -- try again later"

  User ftp
  Group nogroup
  DirFakeUser on ftp
  DirFakeGroup on ftp
  RequireValidShell off

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>

  # An upload directory that allows storing files but not retrieving
  # or creating directories.
  <Directory uploads/*>
    <Limit READ>
      DenyAll
    </Limit>

    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>

ptdsign · 05-03-2009, 02:46 PM

Hi!

I was pretty frustrated again when it took me days without getting it to work as well...people keep on saying it's a problem with permissions conflicts between the actual directories and the config file, but it just isn't. Of course as with all things, once you finally know them, it makes sense.

A good how-to I reckon is:
http://ubuntuforums.org/showthread.php?t=51611

I've solved the anonymous problem with the following setup (ftp_login might not have been a good name after all, but it works):

Since you wouldn't want the ftp user you create to have a valid login shell, it should be save to have the user without a password. So what I did was creating a user like this (o and I just assume you are superuser (sudo -s)):

Code:

useradd ftp_login -p your_password -d /home/ftp -s /bin/false

When done this the user will probably be locked since it has no password yet, and since we don't want a password, we can unlock it by:

Code:

passwd -u ftp_login

Now I made a directory called temp in the home directory of ftp_login:

Code:

cd /home
mkdir ftp_login/temp

Just to be sure the permissions of the folders are right:

Code:

chmod 755 ftp_login
chmod 777 ftp_login/temp

After that I scrabled some configuration files together as this /etc/proftpd/proftpd.conf

Code:

# This configuration establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anonymous access.

ServerName			"the ftp server"
ServerType			standalone
DefaultServer 			on
RequireValidShell 		off
AuthPAM 			off
AuthPAMConfig 			ftp
# Port 21 is the standard FTP port.
Port				21


# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 			022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit the maximum number of processes per service
# (such as xinetd).
MaxInstances		30

#Allow resume download / upload (?)
AllowStoreRestart	on

PersistentPasswd	off

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/ftp_login

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

# Set the user and group under which the server will run.
User		nobody
Group 		nobody
DirFakeUser 	on nobody
DirFakeGroup	on nobody

# Valid logins
<Limit LOGIN>
	AllowUser ftp_login
	DenyALL
</Limit>

UserAlias anonymous ftp_login  

<Directory />
	AllowOverwrite	off
	<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
		DenyAll
	</Limit>
</Directory>

<Directory ~/>
	Umask 022 022
	AllowOverwrite off
</Directory>

<Directory ~/temp/>
	Umask 022 022
	AllowOverwrite off
	<Limit READ RMD DELE>
		DenyAll
	</Limit>

	<Limit STOR CWD MKD>
		AllowAll
	</Limit>
</Directory>

So how this actually works: an anonymous visitor connects to the ftp server, tries to log in as user anonymous, the server converts it to ftp_login because of the UserAlias line, and for this user is no password set so anonymous will be allowed without!

I liked the comment in the mentioned post on the syntax check to test the configuration file:

Code:

proftpd -td5

Hope it works for you!