I have a proftpd conf that is working quite well with one exception. A logged in user can navigate all the way up the directory tree to root and add and remove files. Not good.
The directory I want to upload to/download from is /var/www/jf-current. Its parent (/var/www) and above should be off-limits.
It is using a mysql back end for user logins and domains and the good news is that only the virtual ftp user can log in.
I was hoping that by providing the configuration file and some info from the logs I can solve this problem.
Code:
# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html
# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html
ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin bluethundr@mysite.com
DefaultServer on
PassivePorts 60000 65535
MasqueradeAddress xx.xx.xx.xx
# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine on
VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf
# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
# Use pam to authenticate (default) and be authoritative
#AuthPAMConfig proftpd
#AuthOrder mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd off
# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off
# Set the user and group that the server runs as
User nobody
Group nobody
# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
# LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
# LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
LoadModule mod_quotatab_sql.c
# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20
# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times
# within 10 minutes, automatically add a ban for that client that
# will expire after one hour.
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Allow the FTP admin to manually add/remove bans
BanControlsACLs all allow user ftpadm
</IfDefine>
# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable
Umask 022
# Allow users to overwrite files and change permissions
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users groups
# used to connect to the database
# databasename@host database_user user_password
SQLConnectInfo ftp@localhost proftpd secret
# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Match the names with those in the db
SQLUserInfo ftpuser userid passwd uid gid homedir shell
# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo ftpgroup groupname gid members
# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo ftpgroup groupname gid members
# set min UID and GID - otherwise these are 999 each
SQLMinID 500
# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser
# Update modified everytime user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
SQLLogFile /home/bluethundr/sqllog.dbg
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
RootLogin off
RequireValidShell off
</Global>
<VirtualHost xx.xx.xx.xx>
DefaultRoot /var/www/jf-current
<Directory /var/www>
Umask 022
<Limit STOR READ WRITE CWD>
DenyAll
</Limit>
</Directory>
<Directory /var/www/jf-current>
Umask 022
<Limit ALL>
AllowUser jfuser
</Limit>
</Directory>
</VirtualHost>
And here is some info from the debug logs when I upload to the parent directory (/var/www):
Code:
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - in dir_check_full(): path = '/var/www', fullpath = '/var/www'.
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching POST_CMD command 'MLSD' to mod_sql
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching LOG_CMD command 'MLSD' to mod_sql
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching LOG_CMD command 'MLSD' to mod_log
10.32.49.8 (xx.xx.xx.xx[xx.xx.xx.xx]) - dispatching LOG_CMD command 'MLSD' to mod_facts
Here is some info on the server that's running the proftpd server:
Code:
CentOS release 5.7 (Final)
[root@ec2-184-73-240-79 ~]# uname -a
Linux ec2-184-73-240-79.compute-1.amazonaws.com 2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:34:28 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
For the time being proftpd will only be turned on for testing purposes until this part can be worked out.
I'm not very familiar with the sql authentication module of proftpd, but I think that the "DefaultRoot" is useless here.
You need to use either the SQLDefaultHomedir directive, or assign a homedir for your users in the proftpd database.
Quoting from SQLUserInfo:
Quote:
homedir
Specifies the field in the user table that holds the user's home directory. If the fieldname is specified as "NULL" the database will not be queried for this value and the user's home directory will be set to the value of SQLDefaultHomedir. If no home directory is set with either directive, user authentication will be automatically turned off.
Regards
Hello and thanks for your reply. Yes you are probably right in that the DefaultRoot has no point here, as the home directory is specified by the SQL:
That said, I'm not certain what adding a SQLDefaultHomedir would buy me given that the homedir is set as in the above example.
Thankfully the logged in user can access his home directory as specified in the SQL. The issue is that once the ftp user logs in he can CD up the directory tree all the way to root and add or delete files.
But I will try removing the DefaultRoot directory as that part of it is handled by the SQL as you point out. Thank you for that!
Quote:
The issue is that once the ftp user logs in he can CD up the directory tree all the way to root and add or delete files.
While it's possible for an ordinary user to get out of the jail, it's not possible to write (add, delete files) in /. So you'd better have a closer look at the permissions of the directory tree.
Quote:
That said, I'm not certain what adding a SQLDefaultHomedir would buy me given that the homedir is set as in the above example.
At least you could try.
Quote:
But I will try removing the DefaultRoot directory as that part of it is handled by the SQL as you point out
If that doesn't work you may use the default "DefaultRoot ~" to see if it's read by the server and the user gets jailed into his homedir, no matter how it's defined.
Regards
Hello Bathory, and thanks for your reply. I was able to solve this CD up problem I was having by taking your advice. Thanks for your help!
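Added example, not code from the thread or from ProFTPD: a small Python checker that parses the context structure of a proftpd.conf like the one posted above and reports whether DefaultRoot is a fixed path or "~" (the homedir mod_sql returns), and lists the <Directory>/<Limit> blocks, which filter commands but do not chroot anyone. It assumes the SQLUserInfo column order used in the thread; SAMPLE_CONF and the address 192.0.2.10 are constructed.

```python
import re
# Added example, not from the thread or ProFTPD itself: flatten <Context> blocks and report how users
# get jailed. SAMPLE_CONF at the bottom is a constructed config; 192.0.2.10 is a placeholder address.
OPEN_RE, CLOSE_RE = re.compile(r"^<(\w+)(?:\s+(.*?))?>$"), re.compile(r"^</(\w+)>$")

def parse(text):
    """Flatten ProFTPD <Context> blocks into (context_path, arg, [(directive, value)])."""
    stack = [("Server", "", [])]
    flat = [stack[0]]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")):
        if m := OPEN_RE.match(line):
            node = (f"{stack[-1][0]}/{m[1]}", m[2] or "", [])
            stack.append(node)
            flat.append(node)
        elif m := CLOSE_RE.match(line):
            if len(stack) == 1 or not stack[-1][0].endswith("/" + m[1]):
                raise ValueError(f"unbalanced </{m[1]}>")
            stack.pop()
        else:
            name, _, value = line.partition(" ")
            stack[-1][2].append((name, value.strip()))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return flat

def check_chroot(text):
    """(code, context) findings on how, if at all, the config jails logged-in users."""
    contexts = parse(text)
    # mod_sql supplies a per-user homedir unless the SQLUserInfo homedir column (6th field) is NULL
    sql_homedir = any(n == "SQLUserInfo" and len(v.split()) > 5 and v.split()[5] != "NULL"
                      for _, _, ds in contexts for n, v in ds)
    findings = []
    for path, arg, ds in contexts:
        for n, v in ds:
            if n == "DefaultRoot" and v.startswith("~"):
                findings.append(("jail-homedir", path))   # jail follows the backend-supplied homedir
            elif n == "DefaultRoot":                      # fixed path: the thread's starting point
                findings.append(("jail-fixed-path-sql-homedir" if sql_homedir else "jail-fixed-path", path))
        if path.endswith("Directory/Limit"):              # filters commands; it is not a chroot
            findings.append(("limit-not-a-chroot", f"{path} {arg}"))
    if not any(c.startswith("jail") for c, _ in findings):
        findings.append(("no-chroot", "Server"))
    return findings

SAMPLE_CONF = """SQLUserInfo ftpuser userid passwd uid gid homedir shell
<VirtualHost 192.0.2.10>
DefaultRoot /var/www/jf-current
<Directory /var/www>
<Limit STOR READ WRITE CWD>
DenyAll
</Limit>
</Directory>
</VirtualHost>"""
```

Running check_chroot on SAMPLE_CONF flags the fixed DefaultRoot under the VirtualHost together with the Limit block; swapping in DefaultRoot ~ turns the first finding into jail-homedir.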