LinuxQuestions.org - Linux - Software
Quirky VSFTPD.CONF - cannot jail users (https://www.linuxquestions.org/questions/linux-software-2/quirky-vsftpd-conf-cannot-jail-users-4175455418/)

linuxman2013 03-24-2013 07:49 PM

Quirky VSFTPD.CONF - cannot jail users
 
For some reason my vsftpd.conf file allows the system users, added using the useradd and groupadd commands, to browse other directories - even though I set the jailed option. Can anyone figure out what I did wrong in vsftpd.conf? I want clients to RW and browse just one directory! It's like vsftpd auto logs into the root directory. Here's how it looks:

Code:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
#local_umask=022
use_localtime=YES
xferlog_enable=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem


rayfordj 03-25-2013 01:20 PM

Not sure. I'm not seeing anything that immediately jumps out as a culprit. Here's a running instance from a system I've set up that will chroot users to their defined home dir and not let them navigate above it.

Code:

anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
banner_file=/etc/vsftpd/banner_vsftpd
chroot_local_user=YES
listen=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Are you defining the correct home-dir when adding the user via useradd? For those users created that are dropped to root-filesystem (/), what value is set in the directory field of /etc/passwd for them?

linuxman2013 03-27-2013 03:57 AM

Thanks for the info Ray. I'm a little rusty. I haven't worked with groups or users in ages. I'm trying my best to follow the vsftpd tutorials on youtube.com. Let me just say that this is a real pain in the behind! It seems like there are a million and one steps involved in setting up an FTP server with SSL! Gone are the good old days of Win9x when all we had to do was run an app with a pretty GUI to select files. This is a nightmare! I typed groups on my system and I can't figure out why my user name is associated with so many god darn groups... I see admin, cdrom, samba, dip, lpadmin, etc. I know that the system creates a group when a user is created. I don't get the purpose of defining all these groups... feel free to explain.

eklavya 03-28-2013 01:15 AM

You have not defined the attribute local_root in your vsftpd.conf. It defines the path of the directory where you want to jail the user.
Jail means the user can go to sub-directories but not to parent directories. The user will log into this directory and cannot go to the parent directory.

Add this line to your vsftpd.conf:
Code:

local_root=/path/of/the/directory

Restart the vsftpd server because you have made changes to vsftpd.conf.
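
An added example, not code from the thread or from the vsftpd project, that serves both rayfordj's question about the home-directory field in /etc/passwd and the local_root suggestion above. With chroot_local_user=YES, vsftpd jails a local user in the directory it changes into after login: the passwd home directory, or local_root when that key is set. So a user whose passwd home is "/" is "jailed" to the whole filesystem. The function names (conf_get, jail_mode, suspicious_homes, jail_report) are my own, and the script reads any vsftpd.conf and passwd-format file you point it at.

```shell
#!/bin/sh
# Added example (not from the thread or from vsftpd): summarise the settings
# that decide where a local FTP user is jailed, and cross-check the home
# directory field of a passwd-format file.

# conf_get FILE KEY: last uncommented value of KEY in FILE (empty if unset)
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# jail_mode CONF prints one of:
#   chroot-home          chroot_local_user=YES and no local_root -> jail is $HOME
#   chroot-root <dir>    chroot_local_user=YES and local_root=<dir> -> jail is <dir>
#   no-chroot            chroot_local_user unset or not YES -> whole filesystem
jail_mode() {
    c=$(conf_get "$1" chroot_local_user)
    r=$(conf_get "$1" local_root)
    if [ "$c" = "YES" ]; then
        if [ -n "$r" ]; then echo "chroot-root $r"; else echo "chroot-home"; fi
    else
        echo "no-chroot"
    fi
}

# suspicious_homes PASSWD: users whose home field is empty or "/". With
# chroot-home such an account is not confined at all.
suspicious_homes() {
    awk -F: '$6 == "" || $6 == "/" { print $1 }' "$1"
}

# jail_report CONF PASSWD: human-readable summary of both checks
jail_report() {
    echo "jail mode: $(jail_mode "$1")"
    echo "write_enable: $(conf_get "$1" write_enable)"
    echo "anonymous_enable: $(conf_get "$1" anonymous_enable)"
    for u in $(suspicious_homes "$2"); do
        echo "warning: $u has no usable home directory in $2"
    done
}

# stand-alone use: sh jail_report.sh /etc/vsftpd/vsftpd.conf /etc/passwd
if [ $# -eq 2 ]; then
    jail_report "$1" "$2"
fi
```

Run it against the configuration posted at the top of the thread and it reports chroot-home; after the sed one-liner used later in this thread to flip chroot_local_user to NO it reports no-chroot, which is exactly the behaviour the original poster describes.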

linuxman2013 03-28-2013 04:12 AM

@eklavya hm, interesting. I'll try both suggestions as soon as I get a handle on user and group admin. I knew it was just a matter of setting the right attributes for the FTP. I wonder how this works with SSL. According to the Ubuntu forums, adding SSL security is just as simple.

jsaravana87 03-28-2013 04:18 AM

You can enable vsftpd with virtual users to jail the user to the home directory. Virtual users can therefore be more secure than real users.

http://www.cyberciti.biz/tips/centos...ual-users.html

rayfordj 03-28-2013 07:10 AM

Quote:

Originally Posted by linuxman2013 (Post 4920378)
I wonder how this works with SSL.

You have a few options and parameters to set to define how you want it to operate. Each has pros/cons to be considered.
Examples:
  • Optional use of SSL (client decides)
  • Login over SSL / Data transfers non-SSL
  • Login & data transfers performed over SSL (server enforced)
  • etc.

linuxman2013 03-30-2013 07:42 PM

@arun5002 Virtual users are meant for web admins according to the info online. It would require the installation of Apache web server. I'm looking for a minimalist approach.

Code:

awk -F":" '{ print "username: " $1 "\t\tuid:" $3 }' /etc/passwd | less

lists all the users/groups on my system... I can't make heads or tails out of it! Very perplexing.

Code:

cat /etc/passwd | grep "/home" | cut -d: -f1

lists the following users:

syslog
usbmux
saned
joe
dummy

I never created syslog, usbmux or saned. How can they possibly have home directories?

linuxman2013 04-04-2013 03:20 PM

Can someone please explain the procedure of adding users to vsftpd? I know that there are two types of users, virtual and system. I managed to set up a server and add a user by following this guide. I don't want virtual users now, as it requires installation of the Apache web server, which would bloat my system. After making a "fake shell" and configuring the vsftpd.conf file to jail users, I logged in as ftpuser. For some reason I cannot log in as root or r/w to the jailed directory. How exactly does vsftpd keep track of users with this method? There's just too much info out there on the subject.

rayfordj 04-06-2013 09:58 AM

root and a handful of other usernames are not permitted to log in via FTP by default. The list of names is typically found in the file /etc/vsftpd/ftpusers and/or /etc/vsftpd/user_list. This is because of the (default) clear-text nature of FTP, which leaves the root user's password freely obtainable to anyone along the path with even the slightest interest in capturing clear-text passwords.

If you are able to successfully authenticate via FTP for your user account but are unable to read the directory contents, it is likely a filesystem permissions problem. Ensure the account has at least e(x)ecute permission on all directories in the path to its home directory and at least (r)ead and e(x)ecute on its home directory.
Code:

$ ls -ld /home/
drwxr-xr-x. 6 root root 4096 Apr  6 09:15 /home/

$ ls -ld /home/demo1/
drwx------. 5 demo1 demo1 4096 Apr  6 09:15 /home/demo1/

Write problems could similarly be filesystem-permission induced: ensure the write_enable option is set correctly in vsftpd.conf and check the filesystem permissions on the home directory for (w)rite access.
Code:

$ ls -ld /home/demo1/
drwx------. 5 demo1 demo1 4096 Apr  6 09:15 /home/demo1/

Depending on the system installation you may need to contend with mandatory access controls (SELinux, AppArmor, etc.) in addition to discretionary access controls (filesystem permissions, file or directory ownership, etc.).


My first post contained a working example of a non-SSL-enabled vsftpd configuration file that permits my local users to log in via FTP and be chrooted to their defined home directory. I am defining the term 'local users' as those created through the use of useradd (or adduser) and having a password set via passwd, although it could be through various other mechanisms too, such as LDAP. I believe in the terminology you used above that would be a 'system' user. If you're wanting a robust, feature-rich, SSL-enabled FTP server, my advice is to start slow and tackle one configuration objective (AKA: problem) at a time. Start with a working configuration that does what you want with what I'll call simple FTP (this is pretty much done right out of the box with a default vsftpd.conf), then enable local users and get that working how you desire. Once that's completed, move on to the next step, whether creating SSL certificates or otherwise. I'd advise performing the build-up with it not Internet-facing until you are satisfied that your configuration meets your intended objectives.

Code:

$ sudo grep -v ^# /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


$ sudo service vsftpd restart
Shutting down vsftpd:                                      [FAILED]
Starting vsftpd for vsftpd:                                [  OK  ]

$ sudo useradd demo1

$ sudo passwd demo1
Changing password for user demo1.
New password: demo1-password
Retype new password: demo1-password
passwd: all authentication tokens updated successfully.

$ ftp server.domain.local
Connected to server.domain.local (172.16.8.11).
220 (vsFTPd 2.3.4)
Name (server.domain.local:linuxman2013): demo1
331 Please specify the password.
Password: demo1-password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (172,16,8,11,180,163).
150 Here comes the directory listing.
drwxr-xr-x    3 502      502          4096 Nov 14  2010 Documents
226 Directory send OK.
ftp> bye
221 Goodbye.

Notice how 'pwd' is "/". The demo1 user is at the root of the FTP directory structure, which happens to be his home directory (/home/demo1, in this case), and is unable to navigate up any directories ('cd ..' or 'cd /' or 'cd /tmp', etc.). If we change the chroot_local_user value and repeat, you'll see demo1 is no longer chrooted to the home directory and can freely navigate the filesystem.

Code:

$ sudo sed -i  's/\(chroot_local_user=\).*$/\1NO/g' /etc/vsftpd/vsftpd.conf

$ sudo service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

$ ftp server.domain.local
Connected to server.domain.local (172.16.8.11).
220 (vsFTPd 2.3.4)
Name (server.domain.local:linuxman2013): demo1
331 Please specify the password.
Password: demo1-password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/demo1"
ftp> ls
227 Entering Passive Mode (172,16,8,11,117,224).
150 Here comes the directory listing.
drwxr-xr-x    3 502      502          4096 Nov 14  2010 Documents
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (172,16,8,11,109,116).
150 Here comes the directory listing.
dr-xr-xr-x    2 0        0            4096 Jun 14  2011 bin
dr-xr-xr-x    5 0        0            1024 Jul 11  2011 boot
drwxr-xr-x    9 0        0            4096 Apr 06 02:46 cgroup
drwxr-xr-x  20 0        0            4040 Apr 06 02:55 dev
drwxr-xr-x  141 0        0          12288 Apr 06 14:16 etc
drwxr-xr-x    6 0        0            4096 Apr 06 14:15 home
dr-xr-xr-x  12 0        0            4096 Jun 26  2012 lib
dr-xr-xr-x  11 0        0          12288 Aug 14  2011 lib64
drwx------    2 0        0          16384 Sep 10  2010 lost+found
drwxr-xr-x    3 0        0            4096 Apr 06 02:48 media
drwxr-xr-x    2 0        0              0 Apr 06 02:46 misc
drwxr-xr-x    3 0        0            4096 Oct 15 18:17 mnt
drwxr-xr-x    2 0        0              0 Apr 06 02:46 net
drwxr-xr-x    4 0        0            4096 Jun 26  2012 opt
dr-xr-xr-x  308 0        0              0 Apr 05 21:46 proc
dr-xr-x---    9 0        0            4096 Oct 15 18:38 root
dr-xr-xr-x    2 0        0          12288 Aug 14  2011 sbin
drwxr-xr-x    7 0        0              0 Apr 05 21:46 selinux
drwxr-xr-x    2 0        0            4096 Oct 01  2009 srv
drwxr-xr-x  13 0        0              0 Apr 05 21:46 sys
drwxrwxrwt  25 0        0            4096 Apr 06 08:15 tmp
drwxr-xr-x  15 0        0            4096 Sep 10  2010 usr
drwxr-xr-x  26 0        0            4096 Oct 22  2010 var
226 Directory send OK.
ftp> bye
221 Goodbye.

Notice how 'pwd' is now "/home/demo1". The demo1 user begins in its defined home directory but is not at the root of the FTP directory structure like before. Instead, the demo1 account is now no longer confined to its home directory via the chroot and can navigate the system much more broadly.

linuxman2013 04-06-2013 10:59 AM

@Rayford Now I see why root cannot log in. It's not permitted in the files you listed! I had to manually configure the local_root option to local_root=home/ftp/, changing it from /home/ftp/$USER. VSFTPD failed to recognize the $USER variable, for some reason. Now I can log in and it appears jailed (in other words, I cannot navigate above the user's home directory).

I can access the directory below the jailed FTP directory, which on my system is "ftpuser" - the account that I use to log in. The problem that I'm trying to tackle at the moment is r/w permissions. It's like I have to use Nautilus to allow "Others" rwx to the "ftpuser" directory, 777. From my understanding, specifying such an option would allow anyone logged in to r/w to the ftpuser directory.

I want just the "ftpuser" directory set to 700, so no one else on the system or FTP server can modify the data in the ftpuser's directory. I'll try manually setting it to 700 through the command line. As it stands now, it seems like I can write to ftp/ftpuser/ and ftp/ when set to 777, although it's jailed!

rayfordj 04-06-2013 11:26 AM

If your user "ftpuser" does not own the directory then 700 will not permit that user to write to it when logged in via an ftp client. From the sounds of it, that might be the case. What does the output of 'ls -ld /home/ftp/ftpuser' report?

If it is not owned by ftpuser then you may try something like:
Code:

$ sudo chown ftpuser /home/ftp/ftpuser

$ sudo chmod 700 /home/ftp/ftpuser
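
An added example, not code from the thread or from the vsftpd project, that turns the permission checks rayfordj describes (x on every directory in the path, r and x on the home directory, w for uploads, and the chown/chmod 700 fix just above for the 777 problem) into a script you can run for any local account. The function names (mode_of, owner_of, can_traverse, check_ftp_home) are my own; only the owner and "other" permission bits are evaluated, and group membership is deliberately not modelled, which is a simplification of this example rather than a vsftpd rule.

```shell
#!/bin/sh
# Added example (not from the thread or from vsftpd): audit the discretionary
# permissions a chrooted local FTP user needs.
#   - every directory on the path to HOME needs x (traverse) for the user
#   - HOME must be owned by the user and have r and x (listing) and w (uploads)
#   - HOME must not be world-writable, or any local account can alter the data
# Only owner and "other" bits are checked; group membership is ignored.

mode_of()  { ls -ld "$1" | cut -c1-10; }          # e.g. drwxr-xr-x
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# can_traverse DIR USER: x bit (or its setuid/sticky form) for owner or other
can_traverse() {
    m=$(mode_of "$1")
    if [ "$(owner_of "$1")" = "$2" ]; then
        case $m in d??[xs]??????) return 0 ;; esac
    else
        case $m in d????????[xt]) return 0 ;; esac
    fi
    return 1
}

# check_ftp_home USER HOME: prints one line per finding; returns 1 if any
check_ftp_home() {
    user=$1; home=$2; rc=0
    [ -d "$home" ] || { echo "$home is not a directory"; return 1; }
    # walk from the parent of HOME up to / checking the traverse bit
    dir=$(dirname "$home")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        can_traverse "$dir" "$user" || { echo "$user cannot traverse $dir (needs x)"; rc=1; }
        dir=$(dirname "$dir")
    done
    m=$(mode_of "$home")
    [ "$(owner_of "$home")" = "$user" ] || { echo "$home is not owned by $user (chown $user $home)"; rc=1; }
    case $m in dr*)      ;; *) echo "owner lacks r on $home (directory listing fails)"; rc=1 ;; esac
    case $m in d??[xs]*) ;; *) echo "owner lacks x on $home (cannot enter)"; rc=1 ;; esac
    case $m in d?w*)     ;; *) echo "owner lacks w on $home (uploads fail)"; rc=1 ;; esac
    case $m in d???????w*) echo "$home is world-writable (chmod 700 $home)"; rc=1 ;; esac
    if [ $rc -eq 0 ]; then echo "$home: ok for $user"; fi
    return $rc
}

# stand-alone use: sh check_ftp_home.sh ftpuser /home/ftp/ftpuser
if [ $# -eq 2 ]; then
    check_ftp_home "$1" "$2"
fi
```

With the directory from the post above owned by root and mode 755, the script reports the missing ownership and the missing owner w bit; after the chown and chmod 700 it reports ok, and a 777 directory is flagged as world-writable.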


linuxman2013 04-07-2013 02:48 AM

@rayfordj Now it actually works. I can r/w to just the ftpuser directory! All I had to do was execute the two commands you listed.

Here's the output of the ls -dl command before chmod/chown was invoked:

Quote:

root@bt:/home# ls -ld
drwxr-xr-x 5 root root 4096 2002-03-04 00:43 .
root@bt:/home# dir
bkup ftp honeypot
root@bt:/home# cd ftp
root@bt:/home/ftp# ls -ld
drwxr-xr-x 3 root root 4096 2002-03-04 03:52 .
root@bt:/home/ftp# chown ftpuser /home/ftp/ftpuser
root@bt:/home/ftp# chmod 700 /home/ftp/ftpuser
root@bt:/home/ftp# ls -ld
drwxr-xr-x 3 root root 4096 2002-03-04 03:52 .

After executing the command I still see the same attributes as root:

drwxx-------- 2 ftpuser root 4096 .....

I really have to brush up on chown and chmod. It's time to tackle SSL... thanks in advance Ray!

linuxman2013 04-07-2013 10:26 AM

Configuring SSL seems pretty trivial according to the docs online. I checked previous posts on this forum regarding the umask option, which apparently defines the file permissions of uploaded files on the remote system. The default is 077. What difference does it make now that I'm NOT allowing anonymous users? I want the same file permissions set on the remote machine. Would I have to change this particular attribute?

The docs also suggest connecting from port 20. I thought the default for FTP was port 21, unless passive mode is enabled to circumvent firewall settings on the remote machine. On my server, nmap localhost shows that it's set to port 21. Any idea why the suggested port 20?

