[SOLVED] VSFTPD: "cannot change directory"

nodiscc · 08-25-2010, 06:50 AM

Hello all,

i'm trying to setup a vsftpd server, SSL-enabled, based on local users with no shell access (/bin/false). I added /bin/false to /etc/shells so users can log in. I had a "GnuTLS error -8" at user login caused by the server sending a cleartext error message in SSL mode, so I disabled SSL and the error message came up at login:

USER privateftp
PASS ***************
500 OOPS: cannot change directory:/home/ftp/privateftp/

ACL are enabled and user privateftp has r-x rights on the directory. Changing user's shell has no effect. Changing directory POSIX owner has no effect.

What's wrong?

my /etc/vsftpd.conf:

Code:

#VSFTPD CONFIG FILE (sites.google.com/nodiscc) (vsftpd.beasts.org)

#BOOLEAN OPTIONS
allow_anon_ssl=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_upload_enable=NO
anon_world_readable_only=YES
anonymous_enable=YES
ascii_download_enable=NO
ascii_upload_enable=NO
async_abor_enable=NO
background=YES
check_shell=NO
chmod_enable=YES
chown_uploads=YES
chroot_list_enable=NO
chroot_local_user=YES
connect_from_port_20=YES
debug_ssl=NO
delete_failed_uploads=YES
deny_email_enable=NO
dirlist_enable=YES
dirmessage_enable=NO
download_enable=YES
dual_log_enable=NO
force_dot_files=NO
force_anon_data_ssl=NO
force_anon_logins_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
guest_enable=NO
hide_ids=YES
implicit_ssl=NO
listen=YES
listen_ipv6=NO
local_enable=YES
lock_upload_files=YES
log_ftp_protocol=YES
ls_recurse_enable=NO
mdtm_write=YES
no_anon_password=YES
no_log_lock=NO
one_process_model=NO
passwd_chroot_enable=YES
pasv_addr_resolve=NO
pasv_enable=YES
pasv_promiscuous=NO
port_enable=YES
port_promiscuous=NO
require_cert=NO
run_as_launching_user=NO
secure_email_list_enable=NO
session_support=NO
setproctitle_enable=NO
ssl_enable=YES
ssl_request_cert=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES

#THESE OPTIONS ARE OFF BECAUSE OF BROKEN CLIENTS
strict_ssl_read_eof=NO
strict_ssl_write_shutdown=NO

syslog_enable=NO
tcp_wrappers=NO
text_userdb_names=NO
tilde_user_enable=NO
use_localtime=YES
userlist_deny=NO
userlist_enable=YES
validate_cert=NO
virtual_use_local_privs=NO
write_enable=YES
xferlog_enable=YES
xferlog_std_format=NO


#NUMERIC OPTIONS
accept_timeout=60
anon_max_rate=0
anon_umask=077
chown_upload_mode=0600
connect_timeout=60
data_connection_timeout=300
delay_failed_login=3
delay_successful_login=0
file_open_mode=0755
ftp_data_port=20
idle_session_timeout=300
listen_port=21
local_max_rate=0
local_umask=0777
max_clients=10
max_login_fails=3
max_per_ip=3
pasv_max_port=0
pasv_min_port=0
trans_chunk_size=0


#STRING OTIONS
anon_root=/home/ftp/anonftp/
#banned_email_file
#banner_file
#ca_certs_file
#chown_username
#chroot_list_file

#OPTIONS TO SET IN EACH USER CONFIG FILE !!
#cmds_allowed
#cmds_denied
#deny_file
#hide_file

#dsa_cert_file
#dsa_private_key_file
#email_password_file
ftp_username=anonftp
ftpd_banner=RADON-GNU/LINUX FTP SERVAR: WELCOME
#guest_username
#listen_address=192.168.1.71
#listen_address6
#local_root
#message_file
nopriv_user=noprivftp
pam_service_name=vsftpd
#pasv_address=192.168.1.71
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
rsa_private_key_file=/usr/share/ssl/certs/vsftpd.pem
secure_chroot_dir=/var/run/vsftpd/empty
ssl_ciphers=AES256-SHA
user_config_dir=/etc/vsftpd/userconf/
#user_sub_token
userlist_file=/etc/vsftpd/userlist
vsftpd_log_file=/var/log/vsftpd.log
#xferlog_file

my /etc/vsftpd/userconf/privateftp:

Code:

#FILE /etc/vsftpd/userconf/privateftp
#USER PRIVATEFTP:
#(PRIVATE FTP USER, SHARES ARE PASSWORD-PROTECTED)
#(GROUP: PRIVATEFTP)
#(HOMEDIR: /home/ftp/privateftp/)

#ALLOWED/DENIED COMMANDS
cmds_allowed=ACCT,CDUP,CWD,EPRT,EPSV,FEAT,LIST,NOOP,OPTS,AUTH,ADAT,PASS,PASV,PORT,PWD,QUIT,REIN,REST,SIZE,AUTH,PBSZ,ADAT,PROT,CCC,CONF,ENC,MICSTAT,TYPE,USER,XCUP,XCWD,XPWD,MGET,LPSV,LPRT,GET,CLNT,RETR,NLST 
cmds_denied=ABOR,ALLO,APPE,DELE,MDTM,MKD,MODE,HELP,RMD,RNFR,RNTO,SITE,SMNT,STOR,STOU,STRU,SYST,XMKD,XRMD,MPUT,PUT

#SPEED LIMIT (BYTES/S)
local_max_rate=0

#PERSO MESSAGE
ftpd_banner=RADON SERVER 0.x; help yourself.

#DENIED/HIDDEN FILES:
deny_file=*cy
hide_file=*cy

i'm running Debian lenny. No SELinux. SSL is temporarily disabled to solve this issue. Pleaze hellppp..... Thanks in advance.

bathory · 08-25-2010, 07:58 AM

Hi,

You must make sure that /home/ftp/privateftp has the execute bit on:

Code:

chmod +x /home/ftp/privateftp

Regards

nodiscc · 08-25-2010, 08:17 AM

hello bathory,

i tried this, execute bit is already on...

Code:

# ls -l
drwxrwxr-x+ 4 root    root    4096 22 august  23:09 privateftp

any idea?

bathory · 08-25-2010, 08:27 AM

Yes, check also the 2 directories above that:

Code:

ls -ld /home
ls -ld /home/ftp

Note also that the user's homedir is owned by root:root, so the user will not be able to upload files in it

nodiscc · 08-25-2010, 09:22 AM

hehehehehehehh great thanks

i did a

Code:

# setfacl -m u:privateftp:x /home/ftp/

(not exactly, because i did it with eiciel gui)

and it now works.. thanks again bathory you have great guru powers

# logout