Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ProFTPd problem 1

Status
Not open for further replies.
Donboy

Donboy

IS-IT--Management
Aug 20, 2002
73
US
Ok, I have read countless posts about this subject on several different websites, and I have also read the documentation on this too, but to no avail.

Here are my problems:

First, I want to eliminate anonymous logins and have the users login with specific usernames/passwords. The documentation is pretty vauge about this, saying that I only need to remove the <anonymous> statements from the config file. I have done this, but unfortunately I can still login anonymously and see the &quot;pub&quot; directory.

Second, I want to jail my users to their home directories. The documentation and many other forums have said that I only need to include the DefaultRoot ~ parameter to the config file, but that's not working either.

My users are all part of the &quot;MyUsers&quot; group. Their home directories are all chmod 755 and each of their directories are part of the &quot;MyUsers&quot; group. (Don't know if this helps, but I've found that ownership and permissions play a bigger role in ProFTPd than I had originally thought.)

Here is my config file. Any help and or advice here would be good. Commented lines removed for clarity.

ServerName &quot;FTP Server&quot;
ServerType standalone
DefaultServer on
RequireValidShell off
TimeoutStalled 1000
Port 21
Umask 022
MaxInstances 30
User nobody
Group nobody
<Directory /*>
AllowOverwrite on
</Directory>
DefaultRoot ~
DirFakeUser on ~
DirFakeGroup on ~
DefaultChdir ~/home
 
Sort by date Sort by votes
Ok, I think we're finally getting somewhere. :D I installed the new version and added the testuser, added him to the (etc, etc). Now I can login with the testuser info and I'm locked into the var/ftp folder. I can also login using the other ID's I've created and they work the same way. So high-fives all around!

Question: Can I remove the stuff I unzipped to /usr/local/src? I assume so, but wanted to make sure we were really done with it.

You asked if I definitely had a version of Red Hat installed. I can say without a doubt that I do! :D I bought it at Office Depot a couple of weeks ago. And yes, there are 2 other people who have access to this machine as root. I was pretty sure they wouldn't do anything to the machine because the box is supposed to be under my supervision, but I will check just to be sure. Maybe somebody else installed proftpd or changed something while I was gone. I'll check tomorrow, but I really doubt it.

I think before we proceed, you probably will want to know what my overall objectives are.

First, I want to have all of my users able to login with their usernames and passwords and only be able to (1) write to their home directory (2) be able to chdir up one level and see the /home directory and then be able to chdir into each of the other user's directories and be able to view or download their files.

If we accomplish this with user groups or permissions or whatever, it doesn't bother me how we do it... so long as I understand how we did it and can make changes easily without having to bug you again. ;)

Second, I want to be able to login to the server myself and have write access to any files on the directory structure. I have heard that loggin in as root is a bad idea, so if you have some idea of how I can make a user ID that will have write permissions to each of the home directories, that would be fine too.

Man, I'm getting psyched now that we're actually getting somewhere. I was starting to lose hope.
 
Upvote 0 Downvote
You can remove the source tree in /usr/local/src if you don't need it anymore. I usually keep it in case I need to recompile, but its up to you.

Just change /var/ftp to /home and run...

chmod 750 /home -R
chown . /home -R

Make sure that each user owns his/her home directory.

You don't want to log in as root over an insecure protocol such as FTP. I also don't recommend allowing access to the entire filesystem via FTP, but if you really want to do it, then you have two options. You can have separate DefaultRoot's based on what group the user belongs to, or you can run two virtual servers, one running on port 21 and the other running on some other port. I would do the virtual server thing.

Why do you want access to the entire filesystem via FTP? I would use scp (secure copy) or sftp (secure FTP) instead. Its much safer. Both are included with OpenSSH and might already be installed.

ChrisP
 
Upvote 0 Downvote
Ok, we're in business now! Everything works very well.

I want to be able to access the filesystem over FTP because I need a way to manipulate everything remotely because I'm always back and forth between different locations all the time and it would be nice to be able to download, modify and upload files over the wire... especially the various config files like the one for ProFTPd. I'm going to be changing this a lot over the next few months as we get everything sorted out that we want it to be able to do. If you know another way I can download and modify files remotely, I'm always open to suggestions.

How will running on a different port help? Won't I still be vulnerable to those people with port scanners who can see what ports are open???

I assume sftp is simply sending my root password over the wire securely?? Is that all it's really doing?

Another question: Do I need to keep the user &quot; around?? I think the only reason I have him is because the config file is running as &quot; Can I choose something else and remove this bogus user from the system? Or do I need to keep him there just for this purpose?
 
Upvote 0 Downvote
You can use any user you want to run ProFTPd with. Same goes for the group.

Your not going to run the virtual server on a different port for security reasons, your going to do it so that you can have 2 separate configs, one with a DefaultRoot of /home and one with a DefaultRoot of /.

They have example VirtualHost configs on proftpd.org's website...


ChrisP

If a member's post was helpful to you, please let them know by marking their post with a purple star.
 
Upvote 0 Downvote
One other question: Why did we change the umask to 007? If I understand it correctly, it means the files created have a tighter permissions than they would if I left it set for 022 like it was before. Is that correct?

I'll try to setup the virtual server thing myself. Your help has been excellent and I don't want to abuse it. ;) But if I get really stuck, I'll post another thread.

Thanks for all your help, and I have recommended this thread as an expert post. I know the stuff I was asking for was pretty easy for most people, but you really helped me overcome the learning curve, so I thank you for that.
 
Upvote 0 Downvote
Errr.... hmmm.. I thought that expert post thing was for the whole thread. I didn't realize that was just for individual posts. Actually the one that helped me the most was your step by step instructions on how to install (it was the one you posted under the wrong ID). I'm going to mark that one expert instead.

Thanks again.
 
Upvote 0 Downvote
Don't mark the nix45 post, it was supposed to be posted under my username. I forgot to log off before posting.

The umask setting of 007 will mark all new files with 770 perms. Actually, with your new config, you should use 027 so that new files are created with 750 permissions. When setting a umask setting, subtract 777 (for directories) or 666 (for files) from the umask bit to find out what the actual permissions will be set to. If your umask bit is set to 027, then new directories will be set to 750, and new files will be set to 640.

If you can't get the VirtualHosts working, start a new thread (its a new issue) and me or someone else will gladly help you out. This thread is long enough:)

Good luck,
ChrisP

 
Upvote 0 Downvote
Hey Chris, just wanted to let you know a follow up:

When we first looked at my config file, you mentioned something about the star after one of my pathnames. I found the reason this was included. I got it from the proftpd site!


Look about half-way down and you'll see...

<Directory /*>

Do you think this was a mistake on their part? Or should I have the star included?

Also, I did find that there was another admin person who had logged on the machine while I was away and installed proftpd (a slightly older version) using a tar file. So that's why my installation was so hosed when I started asking for help.

Anyway, I'm the only admin now, so it's all good.
 
Upvote 0 Downvote
You don't need the * or a trailing /. When you specify a directory with the <Directory> directive, it automatically includes any files or sub-folders beneath that folder.

Chris
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

TSch
  • Locked
  • Question
Problem with NFS automount
Replies
1
Views
93
iggsterman
iggsterman
Agent0007
  • Locked
  • Question
Problem Configuring Kerberos
Replies
0
Views
102
Agent0007
Agent0007
ady2012
  • Locked
  • Question
Roundcubemail-1.1.4-2 problem in Scientific linux 7 /Centos 7
Replies
0
Views
63
ady2012
ady2012
audiopro
  • Locked
  • Question
.htaccess problem
Replies
6
Views
100
audiopro
audiopro
southbeach
  • Locked
  • Question
Problem accessing myphpadmin after installing ISPconfig 3.0
Replies
1
Views
77
southbeach
southbeach

Part and Inventory Search

Sponsor

Back
Top