Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
01-19-2007, 03:56 AM
|
#1
|
LQ Newbie
Registered: Jul 2003
Posts: 22
Rep:
|
vsftpd shows my / directory files
I'm trying to set up a vsftp server. Anonymous is disabled and I chrooted the user in their home directory. However when I ran ftp://<IP_Address> on my browser, I can see the list of files of my root directory. How can I disable this?
Here's what I can see
FTP root at 10.x.x.x
To view this FTP site in Windows Explorer, click Page, and then click Open FTP Site in Windows Explorer.
--------------------------------------------------------------------------------
02/02/2006 12:00AM Directory bin
02/01/2006 12:00AM Directory boot
12/24/2006 02:28AM Directory dev
01/18/2007 01:33AM Directory etc
01/18/2007 01:28AM Directory home
03/12/2004 12:00AM Directory initrd
02/02/2006 12:00AM Directory lib
05/19/2005 12:00AM Directory lost+found
04/14/2004 12:00AM Directory misc
05/19/2005 12:00AM Directory mnt
03/12/2004 12:00AM Directory opt
12/24/2006 10:28AM Directory proc
01/06/2007 03:19AM Directory root
02/02/2006 12:00AM Directory sbin
03/12/2004 12:00AM Directory selinux
12/24/2006 10:28AM Directory sys
01/17/2007 08:02PM Directory tmp
05/19/2005 12:00AM Directory usr
02/13/2006 12:00AM Directory var
I'm using IE7
|
|
|
01-19-2007, 01:10 PM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
chrooted the user in their home directory. However when I ran ftp://<IP_Address> on my browser, I can see the list of files of my root directory.
Then you haven't set up the chroot properly. Please first search LQ's fora / articles for similar threads because I *know* this one has been answered before and more than a few times. If you then can't figure it out posting your vsftpd config file would be a good start.
|
|
|
01-19-2007, 04:35 PM
|
#3
|
LQ Guru
Registered: Jan 2002
Posts: 6,042
Rep:
|
vsftpd does not do that by default. I suggest reading the manual.
|
|
|
01-21-2007, 09:28 PM
|
#4
|
LQ Newbie
Registered: Jul 2003
Posts: 22
Original Poster
Rep:
|
here's my vsftpd.conf
Just like what I said, I'm using IE 7. This is not the case for IE 6. Also, this is a Fedora Core 2.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=NO
userlist_file=/etc/vsftpd.user_list
#enable for standalone mode
listen=YES
tcp_wrappers=YES
chroot_local_user=YES
|
|
|
01-21-2007, 10:00 PM
|
#5
|
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Rep:
|
Did it require you to login? Do any of your users have "/" for their home directory?
|
|
|
01-22-2007, 04:11 AM
|
#6
|
LQ Newbie
Registered: Jul 2003
Posts: 22
Original Poster
Rep:
|
No authentication at all. When I type http://10.x.x.x/ I see my root directory immediately.
|
|
|
01-22-2007, 05:30 AM
|
#7
|
Moderator
Registered: May 2001
Posts: 29,415
|
Please first search LQ's fora / articles for similar threads because I *know* this one has been answered before and more than a few times. Besides that the Vsftpd docs really contain enough info and even example configs to make it work.
Last edited by unSpawn; 01-22-2007 at 05:33 AM.
|
|
|
02-05-2007, 11:05 AM
|
#8
|
LQ Newbie
Registered: Aug 2005
Location: Linux World
Distribution: Fedora. Slackware
Posts: 1
Rep:
|
I am having the same problem. I use Firefox and it works perfect but when I use IE7 it shows all / folders and I can even browse them.
I searched on LQ and found nothing.
Is there a way to control vsftpd's behaviour by looking at the browser client?
Thanks.
|
|
|
09-27-2007, 10:11 AM
|
#9
|
LQ Newbie
Registered: Sep 2007
Posts: 3
Rep:
|
I'm also having the same problem. Using any client such as flashfxp, Command prompt ftp, ftp through Windows Explorer, or ftp through a browser such as firefox or internet explorer prior to version 7 all work fine. The user logs in and gets automatically put in the vsftpd home directory at /var/ftp from where they can go to pub or uploads.
But when a user logs in using internet explorer 7, they go to my root directory. Mind you the user can't actually go into any of these folders because of permission settings, but it's still very unsettling; plus the user has no way to navigate from there to the actual ftp directory. I've googled for this problem and found lots of people having the same problem, but no one has come up with a solution; just people replying with mindless suggestions.
I run fedora core 7 with vsftpd and anonymous users are not allowed.
If anyone can shine some light on this, I greatly appreciate it.
Cheers,
r081n
|
|
|
09-28-2007, 02:48 AM
|
#10
|
LQ Guru
Registered: Jan 2002
Posts: 6,042
Rep:
|
I think PAM is the problem because it has confusing configuration files and a confusing manual that does not explain much. I suggest using SELinux for better security. Microsoft has started to not comply with the IMAP protocol with Outlook Express and I think they are starting to do the same with FTP. Though some additional options besides PAM might also be giving you problems.
If all else fails, compile vsftpd with the debug option and watch the logs. Use strace and gdb to find out what is going on.
I do not have any line for PAM option in my vsftpd config file. The following is my vsftpd.conf file.
Code:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=120
nopriv_user=nobody
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=###################
max_clients=50
max_per_ip=4
log_ftp_protocol=NO
anon_max_rate=30720
local_max_rate=40960
I have not yet tested it with Internet Explorer 7, but my setup is not for a production server. It is for personal home use that I rarely use. The option chroot_list_file is a directory.
|
|
|
09-28-2007, 09:29 AM
|
#11
|
LQ Newbie
Registered: Sep 2007
Posts: 3
Rep:
|
After doing some more googling I learned that for some reason, internet explorer 7 ignores the "home directory" setting for users. I wonder if there is a way for vsftpd to capture what ftp client is being used and act accordingly. For example, if the ftp client is internet explorer 7, then send an error message to the client telling them to use a different client. I'm also gonna try to deny all permissions for the ftp users group to my root directory.
|
|
|
09-28-2007, 05:26 PM
|
#12
|
LQ Guru
Registered: Jan 2002
Posts: 6,042
Rep:
|
I tested my setup with Internet Explorer 7 on Microsoft Vista Home Premium and it works as expected. It lists the directories and files of the user's home, but cannot access / or even see it. I had to do ftp://username@address. When I use ftp://address, it gave me a permission error, so it will never log in. I think the difference in my setup compared to your setup is the chroot options. I did not use the userlist option. I think the users that you gave permission to access your server should be placed in the directory that you specify with chroot_list. The manual describes the chroot feature, but it is confusing at first.
Even though it is not a PAM problem, I suggest getting away from using PAM for vsftpd. I think PAM should not be included in any Linux distribution because SELinux is better and has more documentation.
|
|
|
10-10-2007, 01:43 PM
|
#13
|
LQ Newbie
Registered: Sep 2007
Posts: 3
Rep:
|
Thx for your help Electro. The chroot directives did the trick!
I created /etc/vsftpd/chroot_list and added my ftp users to it, then I added the following two lines to my vsftpd.conf file:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
And now when users log in using internet explorer 7 they will be placed in the ftp root folder.
NOTE: I did not include the chroot_local_user directive which by default is set to no.
I'm still somewhat confused why Internet Explorer 7 is behaving differently from other ftp clients though, including previous versions of Internet Explorer...
|
|
|
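The three configurations posted in this thread combine chroot_local_user and chroot_list_enable differently, and per the vsftpd.conf man page the meaning of chroot_list_file flips depending on chroot_local_user. The following is an added example, not part of any post and not vsftpd's own code, that resolves which local users end up jailed under each combination; the user names alice and bob, the function names, and the reduced config excerpts are constructed for illustration.

```python
# Added example: which local users does vsftpd chroot for a given config?
# Defaults per the vsftpd.conf man page: both options are NO unless set.
DEFAULTS = {"chroot_local_user": "NO", "chroot_list_enable": "NO"}

# Constructed excerpts: only the chroot directives from posts #4, #10 and #13.
CONF_POST4 = "chroot_local_user=YES\n"
CONF_POST10 = "chroot_list_enable=YES\nchroot_local_user=YES\n"
CONF_POST13 = "# chroot_local_user left at its default\nchroot_list_enable=YES\n"
CHROOT_LIST = "alice\n"  # constructed chroot_list_file content

def parse_conf(text):
    """Parse vsftpd.conf text (option=value lines, '#' comments)."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return opts

def parse_list(text):
    """chroot_list_file holds one user name per line."""
    return {u.strip() for u in text.splitlines() if u.strip()}

def is_chrooted(opts, listed, user):
    jail_all = opts["chroot_local_user"].upper() == "YES"
    use_list = opts["chroot_list_enable"].upper() == "YES"
    if not use_list:
        return jail_all  # the list file is ignored entirely
    # chroot_local_user=YES: listed users are the ones NOT jailed.
    # chroot_local_user=NO:  listed users are the only ones jailed.
    return (user not in listed) if jail_all else (user in listed)

def report(conf_text, list_text, users):
    opts, listed = parse_conf(conf_text), parse_list(list_text)
    return {u: is_chrooted(opts, listed, u) for u in users}

if __name__ == "__main__":
    for name, conf in [("post #4", CONF_POST4), ("post #10", CONF_POST10),
                       ("post #13", CONF_POST13)]:
        for user, jailed in report(conf, CHROOT_LIST, ["alice", "bob"]).items():
            print(f"{name}: {user} -> {'chrooted' if jailed else 'NOT chrooted'}")
```

With the configuration from post #13, any local user missing from the list file is not chrooted, so every new FTP account has to be added to it; setting chroot_local_user=YES without the list jails all local users by default.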