LinuxQuestions.org

Linux - Server: limiting parent directory access in proftpd (https://www.linuxquestions.org/questions/linux-server-73/limiting-parent-directory-access-in-proftpd-918259/)

bluethundr 12-11-2011 10:43 PM

limiting parent directory access in proftpd
 
Hello LinuxQ:

I have a proftpd conf that is working quite well with one exception. A logged in user can navigate all the way up the directory tree to root and add and remove files. Not good.

The directory I want to upload to/download from is /var/www/jf-current. Its parent (/var/www) and above should be off-limits.

It is using a MySQL back end for user logins and domains, and the good news is that only the virtual FTP user can log in.

I was hoping that by providing you with the configuration file and some info from the logs I can solve this problem.

Code:

# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html

ServerName                        "ProFTPD server"
ServerIdent                        on "FTP Server ready."
ServerAdmin                        bluethundr@mysite.com       
DefaultServer                        on
PassivePorts                    60000 65535
MasqueradeAddress              xx.xx.xx.xx                     

# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine                        on
VRootAlias                        etc/security/pam_env.conf /etc/security/pam_env.conf

# Define the log formats
LogFormat                        default        "%h %l %u %t \"%r\" %s %b"
LogFormat                        auth        "%v [%P] %h %t \"%r\" %s"

# Use pam to authenticate (default) and be authoritative
#AuthPAMConfig                        proftpd
#AuthOrder                        mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd                off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS                        off

# Set the user and group that the server runs as
User                                nobody
Group                                nobody

# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
#  LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#  LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
#  LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
LoadModule mod_quotatab_sql.c

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                        20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile                        off



# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
  TLSEngine                        on
  TLSRequired                        on
  TLSRSACertificateFile                /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile        /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite                ALL:!ADH:!DES
  TLSOptions                        NoCertRequest
  TLSVerifyClient                off
  #TLSRenegotiate                ctrl 3600 data 512000 required off timeout 300
  TLSLog                        /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache                shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule                        mod_ban.c
  BanEngine                        on
  BanLog                        /var/log/proftpd/ban.log
  BanTable                        /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent                        MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs                all allow user ftpadm
</IfDefine>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask                                022
  # Allow users to overwrite files and change permissions
  AllowOverwrite                yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
 # The passwords in MySQL are encrypted using CRYPT
 SQLAuthTypes            Plaintext Crypt
 SQLAuthenticate        users groups

 # used to connect to the database
 # databasename@host database_user user_password
 SQLConnectInfo  ftp@localhost proftpd secret

 # Here we tell ProFTPd the names of the database columns in the "usertable"
 # we want it to interact with. Match the names with those in the db
 SQLUserInfo    ftpuser userid passwd uid gid homedir shell

 # Here we tell ProFTPd the names of the database columns in the "grouptable"
 # we want it to interact with. Again the names match with those in the db
 SQLGroupInfo    ftpgroup groupname gid members

 # set min UID and GID - otherwise these are 999 each
 SQLMinID        500

 # Update count every time user logs in
 SQLLog PASS updatecount
 SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser

 # Update modified everytime user uploads or deletes a file
 SQLLog  STOR,DELE modified
 SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

 # User quotas
 # ===========
 QuotaEngine on
 QuotaDirectoryTally on
 QuotaDisplayUnits Mb
 QuotaShowQuotas on

 SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"

 SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"

 SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies

 SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
 
 SQLLogFile                      /home/bluethundr/sqllog.dbg

 QuotaLimitTable sql:/get-quota-limit
 QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally

 RootLogin off
 RequireValidShell off

</Global>

<VirtualHost xx.xx.xx.xx>
  DefaultRoot      /var/www/jf-current
  <Directory /var/www>
    Umask 022
    <Limit STOR READ WRITE CWD>
        DenyAll
    </Limit>
  </Directory>
  <Directory /var/www/jf-current>
    Umask 022
    <Limit ALL>
        AllowUser jfuser
    </Limit>
  </Directory>
</VirtualHost>


And here is some info from the debug logs when I upload to the parent directory (/var/www)

Code:

10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - in dir_check_full(): path = '/var/www', fullpath = '/var/www'.
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching POST_CMD command 'MLSD' to mod_sql
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching LOG_CMD command 'MLSD' to mod_sql
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching LOG_CMD command 'MLSD' to mod_log
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching LOG_CMD command 'MLSD' to mod_facts

Here is some info on the server that's running the proftpd server:
Code:

CentOS release 5.7 (Final)
[root@ec2-184-73-240-79 ~]# uname -a
Linux ec2-184-73-240-79.compute-1.amazonaws.com 2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:34:28 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

For the time being, proftpd will only be turned on for testing purposes until this part can be worked out.

Thanks in advance

bathory 12-12-2011 03:45 AM

Hi,

I'm not very familiar with the SQL authentication module of proftpd, but I think that the "DefaultRoot" is useless here.
You need to use either the SQLDefaultHomedir directive or assign a homedir for your users in the proftpd database.
Quoting from SQLUserInfo:
Quote:

homedir

Specifies the field in the user table that holds the user's home directory. If the fieldname is specified as "NULL" the database will not be queried for this value and the user's home directory will be set to the value of SQLDefaultHomedir. If no home directory is set with either directive, user authentication will be automatically turned off.
Regards

bluethundr 12-12-2011 06:33 AM

Quote:

Originally Posted by bathory (Post 4547726)
Hi,

I'm not very familiar with the sql authentication module of proftpd, but I think that the "DefaultRoot" is useless here.
You need to use either the SQLDefaultHomedir directive, or assign a homedir for your users in the proftpd database
Quoting from SQLUserInfo:


Regards


Hello and thanks for your reply. Yes, you are probably right in that the DefaultRoot has no point here, as the home directory is specified by the SQL:

Code:

mysql> select * from ftpuser;
+----+--------+--------+------+------+---------------------+---------------+-------+---------------------+---------------------+
| id | userid | passwd | uid  | gid  | homedir             | shell         | count | accessed            | modified            |
+----+--------+--------+------+------+---------------------+---------------+-------+---------------------+---------------------+
|  1 | myuser | secret | 2001 | 2001 | /var/www/jf-current | /sbin/nologin |   122 | 2011-12-11 22:05:09 | 2011-12-11 22:05:24 |
+----+--------+--------+------+------+---------------------+---------------+-------+---------------------+---------------------+
1 row in set (0.00 sec)

That said, I'm not certain what adding a SQLDefaultHomedir would buy me given that the homedir is set as in the above example.

Thankfully, the logged-in user can access his home directory as specified in the SQL. The issue is that once the FTP user logs in, he can CD up the directory tree all the way to root and add or delete files.

But I will try removing the DefaultRoot directive, as that part of it is handled by the SQL as you point out. Thank you for that!

bathory 12-12-2011 07:11 AM

Quote:

The issue is that once the ftp user logs in he can CD up the directory tree all the way to root and add or delete files.
While it's possible for an ordinary user to get out of the jail, it's not possible to write (add, delete files) in /. So you'd better have a closer look at the permissions of the directory tree.


Quote:

That said, I'm not certain what adding a SQLDefaultHomedir would buy me given that the homedir is set as in the above example.
At least you could try.


Quote:

But I will try removing the DefaultRoot directive, as that part of it is handled by the SQL as you point out
If that doesn't work, you may use the default "DefaultRoot ~" to see if it's read by the server and the user gets jailed into his homedir, no matter how it's defined.

Regards

bluethundr 12-13-2011 11:16 AM

fixed!
 
Quote:

Originally Posted by bathory (Post 4547851)
While it's possible for an ordinary user to get out of the jail, it's not possible to write (add, delete files) in /. So you'd better have a closer look at the permissions of the directory tree.



At least you could try.



If that doesn't work, you may use the default "DefaultRoot ~" to see if it's read by the server and the user gets jailed into his homedir, no matter how it's defined.

Regards


Hello Bathory, and thanks for your reply. I was able to solve this CD-up problem I was having by taking your advice. Thanks for your help!

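An added check for the problem in this thread (this is the editor's example, not code from the original posts or from the ProFTPD project). ProFTPD picks a <VirtualHost> by the local address a connection arrives on; a connection that matches no vhost is served by the default server, which sees only the server-config and <Global> directives. The posted config keeps DefaultRoot inside <VirtualHost xx.xx.xx.xx>, the same masked address it uses as MasqueradeAddress. MasqueradeAddress exists for servers behind NAT and is normally an address the host does not own, and the debug-log prefix 10.32.49.8 is an EC2 private address, so the editor's inference (not stated in the thread) is that the vhost never matched, the default server handled the session, and no DefaultRoot applied at all, which is why "DefaultRoot ~" in <Global> fixed it. The script parses a proftpd.conf, records the context each directive sits in, and reports whether DefaultRoot covers every session. The two sample configs are constructed stand-ins for the posted one, with 203.0.113.10 as a placeholder for xx.xx.xx.xx.

```python
import re

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def parse_proftpd_conf(text):
    """Return [(context_path, directive, args), ...].

    context_path is a tuple of (tag, tag_args) pairs, outermost first (empty
    for the server config). Whole-line '#' comments and blanks are skipped;
    Include and line continuations are not handled; <IfDefine>/<IfModule>
    are recorded as contexts, not evaluated.
    """
    stack, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip()))
            continue
        m = CLOSE_RE.match(line)
        if m:
            if not stack or stack[-1][0].lower() != m.group(1).lower():
                raise ValueError("unbalanced </%s>" % m.group(1))
            stack.pop()
            continue
        parts = line.split(None, 1)
        entries.append((tuple(stack), parts[0], parts[1] if len(parts) > 1 else ""))
    if stack:
        raise ValueError("unclosed <%s>" % stack[-1][0])
    return entries


def chroot_status(text):
    """Where DefaultRoot takes effect.

    jailed_everywhere: a DefaultRoot outside every <VirtualHost>, so the
      default server jails its sessions too.
    vhost_only: <VirtualHost> addresses with their own DefaultRoot; only
      sessions accepted on those local addresses get that jail.
    masquerade_collision: vhost_only addresses equal to MasqueradeAddress,
      a NAT'd address the host usually does not own, so the vhost never matches.
    """
    masquerade, global_roots, vhost_roots = None, [], {}
    for path, directive, args in parse_proftpd_conf(text):
        name = directive.lower()
        vhost_args = [a for tag, a in path if tag.lower() == "virtualhost"]
        if name == "masqueradeaddress" and args:
            masquerade = args.split()[0]
        elif name == "defaultroot" and vhost_args:
            for addr in vhost_args[0].split():  # <VirtualHost a b> lists several
                vhost_roots[addr] = args
        elif name == "defaultroot":
            global_roots.append(args)
    return {
        "jailed_everywhere": bool(global_roots),
        "vhost_only": sorted(vhost_roots),
        "masquerade_collision": sorted(a for a in vhost_roots if a == masquerade),
    }


def report(text):
    """Findings as strings; the first summarises DefaultRoot coverage."""
    s = chroot_status(text)
    if s["jailed_everywhere"]:
        out = ["OK: DefaultRoot set outside any <VirtualHost>; every session is jailed"]
    elif s["vhost_only"]:
        out = ["WARN: DefaultRoot only in <VirtualHost %s>; sessions on the default "
               "server are NOT jailed" % ", ".join(s["vhost_only"])]
    else:
        out = ["WARN: no DefaultRoot; users can CWD through the whole filesystem"]
    for addr in s["masquerade_collision"]:
        out.append("WARN: <VirtualHost %s> is keyed on the MasqueradeAddress, which is "
                   "usually not a local address, so this vhost may never match" % addr)
    return out


# Constructed stand-in for the thread's config; 203.0.113.10 is a
# documentation-range placeholder for the post's masked xx.xx.xx.xx.
BEFORE = """
MasqueradeAddress 203.0.113.10
<Global>
  RootLogin off
</Global>
<VirtualHost 203.0.113.10>
  DefaultRoot /var/www/jf-current
  <Directory /var/www>
    <Limit STOR READ WRITE CWD>
      DenyAll
    </Limit>
  </Directory>
</VirtualHost>
"""

# What bathory's "DefaultRoot ~" advice amounts to: every session is jailed
# in the homedir mod_sql returns, whichever server block handles it.
AFTER = """
MasqueradeAddress 203.0.113.10
<Global>
  DefaultRoot ~
  RootLogin off
</Global>
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, *report(conf), sep="\n  ")
```

To run it against a live host, call report(open("/etc/proftpd.conf").read()). Two caveats the check cannot see: "DefaultRoot ~" jails each user into whatever homedir mod_sql hands back, so a row with an empty homedir or "/" is jailed into "/", and a jail is a boundary on what the user can see, not a substitute for the filesystem permissions bathory points at; both should be verified directly.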
