Old 12-13-2010, 04:17 AM   #16
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Original Poster
Rep: Reputation: 1

Quote:
Originally Posted by bathory View Post
With the proftpd.conf you posted above this is normal. You should use:
Code:
DefaultRoot ~ !adm !jeremy
DefaultRoot /www jeremy
I will have another go then.

Thanks,
Jez.
 
Old 12-13-2010, 09:16 AM   #17
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Original Poster
Rep: Reputation: 1
Ok that works, well kind of.

But what I am after with a bit of work, is to be able to set say, if the user 'jeremy'.

Was attempting to connect to ftp.mydomain.com

They would be logging into the /www directory yes?

If they wanted to say connect to just the IP address (aka the default settings), they would be taken to their /home/jeremy directory right?

I have tried including this config here:

Quote:
# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $

ServerName "FTP Server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
AccessGrantMsg "User %u logged in."
#DisplayConnect /etc/ftpissue
#DisplayLogin /etc/ftpmotd
#DisplayGoAway /etc/ftpgoaway
DeferWelcome off

# Use this to exclude users from the chroot
DefaultRoot ~ !adm !jeremy


# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# Default to show dot files in directory listings
ListOptions "-a"

# See Configuration.html for these (here are the default values)
#MultilineRFC2228 off
#RootLogin off
#LoginPasswordPrompt on
#MaxLoginAttempts 3
#MaxClientsPerHost none
#AllowForeignAddress off # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart on
AllowStoreRestart on

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile no

# This is where we want to put the pid file
ScoreboardFile /var/run/proftpd.score

# Normally, we want users to do a few things.
<Global>
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine on
#TLSRequired on
#TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite ALL:!ADH:!DES
#TLSOptions NoCertRequest
#TLSVerifyClient off
##TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
#TLSLog /var/log/proftpd/tls.log

# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#<IfModule mod_dso.c>
# LoadModule mod_sql.c
# LoadModule mod_sql_mysql.c
# LoadModule mod_sql_postgres.c
#</IfModule>

# A basic anonymous configuration, with an upload directory.
#<Anonymous ~ftp>
# User ftp
# Group ftp
# AccessGrantMsg "Anonymous login ok, restrictions apply."

# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp

# # Limit the maximum number of anonymous logins
# MaxClients 10 "Sorry, max %m users -- try again later"
#
# # Put the user into /pub right after login
# DefaultChdir /pub
#
# # We want 'welcome.msg' displayed at login, '.message' displayed in
# # each newly chdired directory and tell users to read README* files.
# DisplayLogin /welcome.msg
# DisplayFirstChdir .message
# DisplayReadme README*
#
# # Some more cosmetic and not vital stuff
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# # Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE SITE_CHMOD>
# DenyAll
# </Limit>
#
# # An upload directory that allows storing files but not retrieving
# # or creating directories.
# <Directory uploads/*>
# AllowOverwrite no
# <Limit READ>
# DenyAll
# </Limit>
#
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>
#
# # Don't write anonymous accesses to the system wtmp file (good idea!)
# WtmpLog off
#
# # Logging for the anonymous transfers
# ExtendedLog /var/log/proftpd/access.log WRITE,READ default
# ExtendedLog /var/log/proftpd/auth.log AUTH auth
#
#</Anonymous>
<VirtualHost ftp.mydomain.co.uk>
ServerName "ftp.mydomain.co.uk"
Group jeremy
User jeremy

# just to see if this works!
DefaultRoot ~ !jeremy
DefaultRoot /www jeremy
</VirtualHost>

But again it's not working, can you see any problems with my config file?

Again if they're not connecting to the domain, then it'll be their /home/* whichever folder their user directory is.

If it's the domain for that website, then it has to be the /www/ folder, any suggestions appreciated,
Jez.
 
Old 12-13-2010, 11:19 AM   #18
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by j.smith1981 View Post
Ok that works, well kind of.

But what I am after with a bit of work, is to be able to set say, if the user 'jeremy'.

Was attempting to connect to ftp.mydomain.com

They would be logging into the /www directory yes?

If they wanted to say connect to just the IP address (aka the default settings), they would be taken to their /home/jeremy directory right?

I have tried including this config here:




But again it's not working, can you see any problems with my config file?

Again if they're not connecting to the domain, then it'll be their /home/* whichever folder their user directory is.

If it's the domain for that website, then it has to be the /www/ folder, any suggestions appreciated,
Jez.
I mean I could prefix the lot with ftp_<username> but I was hoping to be able to use for example 'jeremy' and not 'ftp_jeremy' for my logins to FTP.

Hmm this is really frustrating, can't see why when it works in the main config but not in a virtual host config, it's just bizarre.
 
Old 12-13-2010, 01:35 PM   #19
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
If you want to use a VirtualHost, you should give it a different port due to the way ftp protocol works.
Quoting from the ProFTPD Virtual Servers Howto
Quote:
All FTP virtual hosts are based on unique IP address/port combinations, not on DNS names.
So use something like:
Code:
<VirtualHost ftp.mydomain.co.uk>
ServerName "ftp.mydomain.co.uk"
Group jeremy
User jeremy
Port 2121
DefaultRoot /www
</VirtualHost>
Regards
 
Old 12-14-2010, 03:13 AM   #20
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by bathory View Post
If you want to use a VirtualHost, you should give it a different port due to the way ftp protocol works.
Quoting from the ProFTPD Virtual Servers Howto


So use something like:
Code:
<VirtualHost ftp.mydomain.co.uk>
ServerName "ftp.mydomain.co.uk"
Group jeremy
User jeremy
Port 2121
DefaultRoot /www
</VirtualHost>
Regards
Oh will keep that in mind, wonder if setting yea just the IP then would work, seems to suggest that when you quoted that text.

Just trying to go through what I did previously, or I will have to go for the prefix if this doesn't work of course.

But as always, thanks ever so much for your help, just will have to face facts (port 21 is all I want to use for it), is that this won't simply work, but suppose it's not too annoying since it really is only going to be me really using it, just going to be allowing normal users, my clients to download the work I have done for them.

When they have confirmed they have whatever work it is I have done working on theirs, I will remove the account and they're allowed to ask me again to release it and I will reinstate their account.

Will give this another go though using just the IP address, surely if I use 192.168.0.1 say that's ftp.mydomain.com

Then say ftp.my2domain.com points at 192.168.0.2

Using say 192.168.0.1 or last digit being 2 will relate, should work I think.

Then see if that works, surely if it has to be unique it can just work off IPs yea?

Going to try this, be ace if it works, if not going to have to go through this the way I did not want to lol.

But as always thanks again ever so much for all your help,
Jeremy.

PS I have a local dns configured on my local network, not available to the outside world.
 
Old 12-14-2010, 03:25 AM   #21
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Original Poster
Rep: Reputation: 1
No it won't, ah well (back to the drawing board lol).

Will have to prefix them from now on like ftp_<username> (so to speak).

I don't appear to have any mysql configs, I remember doing a mysql virtual login using sorry virtual users with proftp using mysql as the auth type sort of.

But every time I try and amend the configs in the proftpd.conf it doesn't work, any suggestions, sorry or would you rather me quote the error?

Just wondering if this is a much better way around it or not?

Thanks,
Jez.
 
Old 12-14-2010, 04:05 AM   #22
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
If you have 2 IPs available, you can use something like:
Code:
...
DefaultAddress 192.168.0.1
<VirtualHost 192.168.0.1>
DefaultRoot ~
...
</VirtualHost>
<VirtualHost 192.168.0.2>
DefaultRoot /www
...
</VirtualHost>
 
Old 12-14-2010, 04:27 AM   #23
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Original Poster
Rep: Reputation: 1
Oh thank god!

That worked!

I will post my configs so people know how to do this if they're having any trouble and should I have problems remembering what I did previously lol.

I don't think I stopped the server and started it again, but it worked.

Quote:
<VirtualHost 192.168.0.1>
ServerName "ftp.mydomain.co.uk"
DefaultChdir /www
</VirtualHost>
This now uses the default directory, now going to see if I can chroot the user.

But it worked, the problem is like what you said or the documentation says I cannot use the domain, it must be a unique IP address, but as I have a domain setup for each one, then that's what it goes to, going to see if I can stop the welcome message and just say (so it doesn't show the IP for the LAN, want it to be as secure as possible), it's bringing up when I go into the FTP client:

Quote:
Connected to ftp.mydomain.co.uk.
220 ProFTPD 1.3.3c Server (ftp.mydomain.co.uk) [::ffff:192.168.0.1]
500 AUTH not understood
500 AUTH not understood
KERBEROS_V4 rejected as an authentication type
Name (ftp.mydomain.co.uk:root): jeremy
331 Password required for jeremy
Password:
230 User jeremy logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (192,168,0,1,131,115).
150 Opening ASCII mode data connection for file list
Is there any way of stopping it from showing the LAN IP it's connecting to? Just got this fear that users will if they're knowledgeable about hacking, trying to break into my system you know?

Thanks again and I thought I would say that its now working, since you have helped me out a great deal!

Thanks again and I look forward to any responses,
Jez.
 
Old 12-14-2010, 04:56 AM   #24
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Original Poster
Rep: Reputation: 1
It's not working if I use my web browser.

It's doing exactly like before, when I use my client it's going into the /www folder perfectly.

How is this supposed to work? I thought that it would be the same for both the FTP client and the web browser?

In essence all that's happening is when I go via the web browser login, it's taking me to:
/home/<username> in this example it's user 'jeremy' home directory

Though when I go in on the server itself using the shell command line in putty it's logging me into the /www like what I want.

Why is this not both going into the /www, do I have to set another config to get this working at all?

Any helps appreciated,
Jez

PS These are now my example configs for the virtual server (these are from a fresh install of ProFTP v 1.3.3c-1.el4.rf , this is from Centos 4.8 i386 using command rpm -q proftpd):

Quote:
# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $

ServerName "FTP server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
AccessGrantMsg "User %u logged in."
#DisplayConnect /etc/ftpissue
#DisplayLogin /etc/ftpmotd
#DisplayGoAway /etc/ftpgoaway
DeferWelcome off

# Use this to exclude users from the chroot
DefaultRoot ~ !adm !jeremy

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# Default to show dot files in directory listings
ListOptions "-a"

# See Configuration.html for these (here are the default values)
#MultilineRFC2228 off
#RootLogin off
#LoginPasswordPrompt on
#MaxLoginAttempts 3
#MaxClientsPerHost none
#AllowForeignAddress off # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart on
AllowStoreRestart on

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile no

# This is where we want to put the pid file
ScoreboardFile /var/run/proftpd.score

# Normally, we want users to do a few things.
<Global>
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine on
#TLSRequired on
#TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite ALL:!ADH:!DES
#TLSOptions NoCertRequest
#TLSVerifyClient off
##TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
#TLSLog /var/log/proftpd/tls.log

# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#<IfModule mod_dso.c>
# LoadModule mod_sql.c
# LoadModule mod_sql_mysql.c
# LoadModule mod_sql_postgres.c
#</IfModule>

# A basic anonymous configuration, with an upload directory.
#<Anonymous ~ftp>
# User ftp
# Group ftp
# AccessGrantMsg "Anonymous login ok, restrictions apply."
#
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
#
# # Limit the maximum number of anonymous logins
# MaxClients 10 "Sorry, max %m users -- try again later"
#
# # Put the user into /pub right after login
# #DefaultChdir /pub
#
# # We want 'welcome.msg' displayed at login, '.message' displayed in
# # each newly chdired directory and tell users to read README* files.
# DisplayLogin /welcome.msg
# DisplayFirstChdir .message
# DisplayReadme README*
#
# # Some more cosmetic and not vital stuff
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# # Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE SITE_CHMOD>
# DenyAll
# </Limit>
#
# # An upload directory that allows storing files but not retrieving
# # or creating directories.
# <Directory uploads/*>
# AllowOverwrite no
# <Limit READ>
# DenyAll
# </Limit>
#
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>
#
# # Don't write anonymous accesses to the system wtmp file (good idea!)
# WtmpLog off
#
# # Logging for the anonymous transfers
# ExtendedLog /var/log/proftpd/access.log WRITE,READ default
# ExtendedLog /var/log/proftpd/auth.log AUTH auth
#
#</Anonymous>

<VirtualHost 192.168.0.1>
User jeremy
Group ftpgroup

ServerName ftp.mydomain.co.uk
ServerAdmin hostmaster@mydomain.co.uk

DefaultChdir /www/mydomain
DefaultRoot ~ !jeremy
DefaultRoot /www/mydomain

AccessGrantMsg "You are now logged into ftp.mydomain.co.uk as %u"
</VirtualHost>

Last edited by j.smith1981; 12-14-2010 at 05:13 AM. Reason: Elaborate on my configuration file /etc/proftpd.conf
 
Old 12-14-2010, 05:44 AM   #25
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
If it works from command line ftp and not for the browser, I guess it's a browser cache problem. Clear your browser cache and try again to connect.
Regarding the server IP, you can use another "ServerIdent on ..." in the VirtualHost definition to hide it.
 
1 members found this post helpful.
Old 12-14-2010, 06:42 AM   #26
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Original Poster
Rep: Reputation: 1
Sorry I changed this, didn't realise there was a 2nd reply.

I will definitely clear the cache.

I was going to say about the other config above your post but that's what I have already done.

Makes sense will post back whatever the response, so I thank you all massively for helping me!

Much appreciated,
Jez.

Last edited by j.smith1981; 12-14-2010 at 06:45 AM. Reason: Correction on latest post
 
Old 12-14-2010, 06:57 AM   #27
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Original Poster
Rep: Reputation: 1
Ok that's confused me!

Internet Explorer's showing me the / root folder, so everything's exposed (though I don't have port 21 open globally in iptables of course!).

But then Firefox brings up the home directory for user 'jeremy' in this case.

I have double cleared the cache, just to make sure, is it possible that these browsers do this anyway and it's a browser issue?

It's just that would make sense I mean if they're both bringing up the wrong directories, and the ftp client in Linux is working, it's definitely weird.

Any suggestions?

Thanks and I appreciate any replies in advance,
Jez.
 
Old 12-14-2010, 08:32 AM   #28
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
I don't know why IE goes to /, but if it indeed goes there, then something is wrong with the chrooting.
For the rest, if you want to go with vhosts, you should use the configuration of post #22 if you have 2 IP addresses.
In any other case, except for the 2 different users solution, consider using scp to transfer files in user's homedir and ftp for transferring files in /www (with /www defined as DefaultRoot for that user).

Regards
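
Whether a login is chrooted in this thread depends on which server context the client reaches and which `DefaultRoot` line applies there. The Python sketch below is an added example, not code from any poster or from ProFTPD: it evaluates the `DefaultRoot` lines of a constructed excerpt of the posted config for one account. It assumes that group-expression terms name groups and are ANDed, that the first applicable line wins, that each `<VirtualHost>` is evaluated separately from the main server, and that `jeremy` has a private group of the same name.

```python
import re

# Constructed excerpt of the proftpd.conf posted in the thread.
SAMPLE_CONF = """\
DefaultServer on
DefaultRoot ~ !adm !jeremy

<VirtualHost 192.168.0.1>
DefaultChdir /www/mydomain
DefaultRoot ~ !jeremy
DefaultRoot /www/mydomain
</VirtualHost>
"""

MAIN = "server config"


def parse_default_roots(conf_text):
    """Map each server context to its DefaultRoot rules, in file order."""
    contexts = {MAIN: []}
    current = MAIN
    for raw in conf_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", raw.strip(), re.I)
        if opened:
            current = "VirtualHost " + opened.group(1).strip()
            contexts[current] = []
        elif fields[0].lower() == "</virtualhost>":
            current = MAIN
        elif fields[0].lower() == "defaultroot" and len(fields) > 1:
            # Terms may be split by spaces or commas (assumption: both forms
            # are accepted); every term must hold for the rule to apply.
            terms = [t for f in fields[2:] for t in f.split(",") if t]
            contexts[current].append((fields[1], terms))
    return contexts


def rule_applies(terms, groups):
    """'g' means member of group g, '!g' means not a member; terms are ANDed."""
    return all((t[1:] not in groups) if t.startswith("!") else (t in groups)
               for t in terms)


def effective_root(rules, home, groups):
    """First applicable rule wins; with none, the session is not chrooted."""
    for path, terms in rules:
        if rule_applies(terms, groups):
            return home + path[1:] if path.startswith("~") else path
    return "/"


def audit(conf_text, home, groups):
    """Return {context: directory the account is confined to after login}."""
    return {ctx: effective_root(rules, home, groups)
            for ctx, rules in parse_default_roots(conf_text).items()}


if __name__ == "__main__":
    # Assumed account: 'jeremy' with a private group of the same name.
    for ctx, root in audit(SAMPLE_CONF, "/home/jeremy", {"jeremy"}).items():
        status = "NOT CHROOTED" if root == "/" else "chrooted to"
        print(f"{ctx:26} {status:13} {root}")
```

For `jeremy` the main server yields `/` (no chroot) while the `192.168.0.1` VirtualHost yields `/www/mydomain`, so the address a client actually reaches decides whether the account is confined.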
 
  

