Red Hat / WU-FTP

Status
Not open for further replies.

djhawthorn

Technical User
Mar 4, 2002
641
AU
I am running a Red Hat box with WU-FTP on it, and have two users - ftpadmin1 and ftpguest1, members of ftpadmin and ftpguest respectively. Both accounts have been set up the same way, with '/home/ftproot/./' as their home directory. The only difference is ftpadmin1 has access to read/write to /home/ftproot/ and ftpguest1 has only read access. Both accounts are ftp only (no telnet/shell login access).

The problem I'm having is with chroot(). When ftpguest1 logs in, he sees /home/ftproot/ as the root (/) folder. When ftpadmin1 logs in though, he sees /home/ftproot/ as /home/ftproot/, and can romp around the system and do damage. This I want to stop if possible by getting chroot() working for ftpadmin1 as well.

The /home/ftproot/ folder is owned by the root user, and the ftpadmin group. CHMOD'd 775 I think.

Any help would be appreciated.
 
First of all, be careful!
wu-ftpd < 2.6.1 is buggy and a cracker can easily do a chroot exploit.

I have exactly the same problem. I am sure you have not followed all the steps in this how-to:


Follow the steps one by one and you can resolve your problem like me ;-)

Hope that helps.
 
I am rebuilding the server on a new box with the latest version, and recreate the same problem I have above. I can modify it so the ftpadmin1 user is part of the "guest" user access group, rather than the "real" user access group (in which case the chroot() works), but the user won't be able to upload due to the access restrictions on the guest access users.

Is there any way to have a server that has:

- No anonymous access allowed
- A Guest user with read/download only permissions
- An Admin user with read/write/delete permissions
- Both users having chroot() to the /home/ftproot/ directory.

Note I want to avoid having an /incoming/ directory for incoming files - the admin user should be able to upload to anything under /home/ftproot/, and the guest user be able to download anything under there. Again, neither user should be able to descend down past the /home/ftproot/ folder.
 
There is a program called WebMin that is a GUI that helps configure all your servers and admin your entire system in general. It makes it a lot easier when everything you have to edit and configure is all in one place. You can download it from and can get it in either .rpm or the tarball.
 
I don't have Gnome/KDE installed - doing everything text based.

I've worked out a way to do it - keep ftpadmin1/ftpadmin as a real user, then just use

restricted-gid ftpadmin

Which locks the user in their home directory.
 
Another question: is there any way to disallow anonymous access (such that if you put in the user "anonymous", it will disconnect you)?

At the moment I connect and it does the following:

User (ftp:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
530 Login incorrect.
Login failed.

I have tried removing the anonftp RPM package, and also added the following lines to the ftpaccess file.

defaultserver private
defaultserver deny anonymous

But it still accepts 'anonymous' as a username. Any ideas?
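
An added example, not part of the thread and not wu-ftpd's own code: a small Python check that reads an ftpaccess file and reports where it misses the goals listed earlier in the thread (no class admitting anonymous users, the guest group confined via guestgroup, the admin group confined via guestgroup or restricted-gid). Both sample files are constructed, and the class and guestgroup syntax is an assumption taken from the wu-ftpd ftpaccess man page rather than from the posts.

```python
# Added example: audit a wu-ftpd ftpaccess file against the thread's goals.
# Both sample files below are constructed for illustration.
WEAK_SAMPLE = """\
class all real,guest,anonymous *
guestgroup ftpguest
"""
FIXED_SAMPLE = """\
class all real,guest *
guestgroup ftpguest
restricted-gid ftpadmin
"""

def parse_ftpaccess(text):
    """Map each directive name to the list of its argument lists."""
    directives = {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        directives.setdefault(fields[0].lower(), []).append(fields[1:])
    return directives

def audit(text, guest_group="ftpguest", admin_group="ftpadmin"):
    """Return a list of findings; an empty list means all checks passed."""
    d = parse_ftpaccess(text)
    findings = []
    # Assumed syntax: class <name> <typelist> <addrglob>..., where typelist
    # is a comma-separated subset of real, guest, anonymous.
    for args in d.get("class", []):
        if len(args) < 3:
            findings.append("malformed class line: " + " ".join(args))
        elif "anonymous" in args[1].lower().split(","):
            findings.append(f"class '{args[0]}' admits anonymous logins")
    guest_confined = {g for args in d.get("guestgroup", []) for g in args}
    restricted = {g for args in d.get("restricted-gid", []) for g in args}
    if guest_group not in guest_confined:
        findings.append(f"group '{guest_group}' is not listed in guestgroup")
    if admin_group not in guest_confined | restricted:
        findings.append(f"group '{admin_group}' is neither guestgroup nor restricted-gid")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(name, audit(sample) or "OK")
```

The check only reads directives by name; it does not model unrestricted-gid overrides or numeric group ids.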
 