Old 11-05-2003, 12:00 AM   #1
ntloser
Member
 
Registered: Oct 2003
Posts: 56

Rep: Reputation: 15
Vsftpd


Hi,

I set up vsftpd; each user goes directly into their home directory and cannot access other "home" directories. I noticed users can browse other areas like bin and etc; in fact, they can get the complete listing from the root of the drive.

I tried changing all the users to the FTP group but they are still able to browse other folders... although they cannot modify anything.

How do I lock it down more?

Any Ideas? thanks

here is the vsftp log

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are very paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
#
# Allow anonymous FTP?
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES

Last edited by ntloser; 11-05-2003 at 12:13 AM.
 
Old 11-05-2003, 12:24 AM   #2
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Hey,

I had the same question earlier too...

The answer to your problems is this, add a new line:
chroot_local_user=YES

Regards and don't forget to search next time.
 
Old 11-05-2003, 12:40 AM   #3
Bluesuperman
Member
 
Registered: Nov 2002
Distribution: Slackware
Posts: 155

Rep: Reputation: 30
You need to enable the option:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list

This config option says "change the root environment for users when they login", which means that when the user logs into the FTP server their home directory becomes the root (top of the file system tree) for them. So since they can not go up a directory -- they are stuck there.

I have never heard of VSftp -- you may want to look at Proftpd -- it may offer more options and security.
 
Old 11-05-2003, 12:48 AM   #4
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Whoa... easy there.

What we've said is different but has a similar net effect
Jordan's method
Default: ALL users are locked into home directories
Exceptions: /etc/vsftpd.chroot_list can browse the entire directory tree.

Superman's method
Default: ALL users can browse directory tree
Exceptions: /etc/vsftpd.chroot_list are locked into the home directory.

Please consider this when planning your configuration.
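
The two approaches compared above come down to how `chroot_local_user` and `chroot_list_enable` combine. The following is an added example, not part of any post in this thread: a small checker that resolves whether a given user ends up jailed under a given configuration. The sample configs, the user names `alice` and `bob`, and the list contents are constructed; the list is passed in as a set rather than read from `/etc/vsftpd.chroot_list`.

```python
# Added example (not from the thread): who does vsftpd chroot() under a given config?
KNOWN_CHROOT_KEYS = {"chroot_local_user", "chroot_list_enable",
                     "chroot_list_file", "passwd_chroot_enable"}

def parse_conf(text):
    """Return {option: value} from vsftpd.conf text, skipping '#' comment lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts

def is_yes(opts, key):
    # This sketch only recognises YES/NO as used on this page; both chroot
    # booleans default to NO when absent.
    return opts.get(key, "NO").upper() == "YES"

def is_jailed(opts, user, listed_users):
    """listed_users: contents of chroot_list_file (constructed, not read from disk)."""
    jail_by_default = is_yes(opts, "chroot_local_user")
    on_list = is_yes(opts, "chroot_list_enable") and user in listed_users
    # Being on the list flips whatever the default is.
    return jail_by_default != on_list

def misspelled_chroot_keys(opts):
    """Keys that look like chroot options but are not ones vsftpd defines."""
    return sorted(k for k in opts
                  if k.startswith("chroot") and k not in KNOWN_CHROOT_KEYS)

# Constructed sample configurations.
AS_POSTED = "local_enable=YES\nwrite_enable=YES\nlisten=YES\n"
ALL_JAILED = AS_POSTED + "chroot_local_user=YES\n"
ALL_JAILED_WITH_EXCEPTIONS = ALL_JAILED + "chroot_list_enable=YES\n"
ONLY_LISTED_JAILED = AS_POSTED + "chroot_list_enable=YES\n"
LISTED = {"alice"}  # hypothetical entry in /etc/vsftpd.chroot_list

if __name__ == "__main__":
    cases = [("as posted", AS_POSTED), ("all jailed", ALL_JAILED),
             ("all jailed, list = exceptions", ALL_JAILED_WITH_EXCEPTIONS),
             ("only listed jailed", ONLY_LISTED_JAILED)]
    for name, conf in cases:
        opts = parse_conf(conf)
        result = {u: is_jailed(opts, u, LISTED) for u in ("alice", "bob")}
        print(f"{name:32} {result} typos={misspelled_chroot_keys(opts)}")
```

With neither option set, as in the config posted at the top of the thread, nobody is jailed, which matches the behaviour the original poster saw.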
 
Old 11-05-2003, 12:59 AM   #5
ntloser
Member
 
Registered: Oct 2003
Posts: 56

Original Poster
Rep: Reputation: 15
Thanks for all your replies


I chose Jordan's method because I don't want any FTP user to access the entire directory tree. I am also going to look into Superman's suggestion and check out proftpd.

Last edited by ntloser; 11-05-2003 at 01:06 AM.
 
Old 11-05-2003, 01:15 AM   #6
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
I've never used proftpd, although I've heard of it, and am not advocating vsftpd but from the vsftpd website (http://vsftpd.beasts.org/) they say these sites use vsftpd... some big names.

ftp.redhat.com
ftp.suse.com
ftp.debian.org
ftp.gnu.org
ftp.gnome.org
ftp.kde.org
rpmfind.net
ftp.linux.org.uk
ftp.gimp.org
ftp-stud.fht-esslingen.de
ftp.openbsd.org
gd.tuwien.ac.at
ftp.sunet.se
ftp.ximian.com
ftp.engardelinux.org
 
Old 11-05-2003, 01:22 AM   #7
ntloser
Member
 
Registered: Oct 2003
Posts: 56

Original Poster
Rep: Reputation: 15
wow cool.. those are some big sites.. I only have a couple people logging in and am limited to 256k up.


The only features I am hoping to find are;

real time logging, seeing who is logged in and what they are doing

bandwidth throttling. limiting each user or even the service itself to say 128k up
 
Old 11-05-2003, 03:14 AM   #8
rubyrat
LQ Newbie
 
Registered: Sep 2003
Location: Leeds, UK
Distribution: Debian, Redhat, Mandrake, Gentoo
Posts: 16

Rep: Reputation: 0
I implemented vsftp 2 years ago and we have had to date 0 intrusions despite several attempts.
It is still best to check those logs though and vsftp's site just in case.
 
Old 11-05-2003, 05:32 AM   #9
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
I am also running vsftpd on a couple of hosts and it is not only great in security but also performance and configurability. Just everything you ask for: http://www.markus-welsch.de/linux/services/ftp.html
 
Old 11-05-2003, 07:15 AM   #10
usernamenumber
Member
 
Registered: Sep 2003
Location: Somerville, MA
Distribution: Fedora/RHEL currently. Red Hat, Slackware, Debian, SuSe and Mandrake at other times
Posts: 104

Rep: Reputation: 15
virtual hosts (OT)

Since there seem to be some experienced vsftpd people on this thread, let me throw out something that's been bugging me for a bit:

My only complaint about vsftpd is that the methods they suggest in the faq for doing ftp virtual domains is kludgey at best (set up a xinetd instance for each vhost???).

While I appreciate the security benefits of vsftpd, setting a system up so that anon ftp to ftp.domain1.com and ftp.domain2.com went to different directories was pretty easy using wuftpd. Have I missed something or can vsftpd just not do this in a simple way?
 
Old 11-05-2003, 07:54 AM   #11
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well your configuration benefit using Wu-ftpd would be
a) serious exploits
b) low performance

If you are just hosting a couple of small sites this *might* be acceptable by yourself. However when hosting sites where security, performance, stability is a *must* you should consider a secure alternative to wu-ftpd (look back at its poor security history).

anon ftp for 2 different domains with 2 different directories would work with 2 different ip addresses or ports afaik.
 
Old 11-05-2003, 09:36 AM   #12
cartridge
Member
 
Registered: Sep 2003
Location: BRAZIL
Distribution: Slackware 9.0.0
Posts: 31

Rep: Reputation: 15
Hei man vsftpd just SUX go for pure-ftpd ( http://www.pureftpd.org )
TLS, chroot, upscript, and very easy configuration, I've been using it for more than a year and I got no complaints.
Hope I've been useful
 
Old 11-05-2003, 10:07 AM   #13
usernamenumber
Member
 
Registered: Sep 2003
Location: Somerville, MA
Distribution: Fedora/RHEL currently. Red Hat, Slackware, Debian, SuSe and Mandrake at other times
Posts: 104

Rep: Reputation: 15
Quote:
Originally posted by markus1982
Well your configuration benefit using Wu-ftpd would be
a) serious exploits
b) low performance
I realize that and I'm not planning on switching back or anything, it just bugs me that this particular feature seems to have been ignored by vsftpd.

Quote:
Originally posted by markus1982
anon ftp for 2 different domains with 2 different directories would work with 2 different ip addresses or ports afaik.
But that involves running and managing a separate daemon for each vhost. With any significant number of vhosts, that will become a serious pain, not to mention a huge waste of resources. Using two IPs and two xinetd configs is the way that the vsftpd FAQ recommends, btw. That would at least cut down on the use of system resources unless your system is busy and then you've got a heavily accessed service being run by xinetd, which is bad mojo. =:\

I was basically just asking if anybody knew a better workaround or knew if any real vhost support was in the works.
 
Old 11-05-2003, 12:01 PM   #14
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
Originally posted by cartridge
Hei man vsftpd just SUX go for pure-ftpd ( http://www.pureftpd.org )
TLS, chroot, upscript, and very easy configuration, I've been using it for more than a year and I got no complaints.
Hope I've been useful
Well why do you think it does suck?
I have to admit though that a quick review of pure-ftpd website was impressive (features); since I did not review the code though I will not be trusting it. vsftpd is for sure being used on a couple of pretty big sites - and also on openbsd.org ...

Last edited by markus1982; 11-05-2003 at 12:07 PM.
 
Old 11-05-2003, 12:04 PM   #15
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
I realize that and I'm not planning on switching back or anything, it just bugs me that this particular feature seems to have been ignored by vsftpd.
Well if you do not care for security at all you have nothing to lose. Just also leave the front door of your house open and trust each and every person ...
Quote:
But that involves running and managing a separate daemon for each vhost. With any significant number of vhosts, that will become a serious pain, not to mention a huge waste of resources. Using two IPs and two xinetd configs is the way that the vsftpd FAQ recommends, btw. That would at least cut down on the use of system resources unless your system is busy and then you've got a heavily accessed service being run by xinetd, which is bad mojo. =:\
Well that is true, it also could be done the xinetd way. However the problem is not vsftpd, the problem is in the nature of the ftp protocol. In HTTP/1.1 there is a Host-param that is used for virtual hosting; FTP does not have such a param. So running 2 anon ftp's will have to be done with or without xinetd.
 