I have looked at the sample scripts but I'm a newbie. Could someone tell me how to set up the following using my supplied proftpd.conf file? I want to set up a guest account with chroot and require a password. I don't want to run as anonymous. Also, what files do I need to include in the /download dir in order for this to work?
Example 1-2.
File: proftpd.conf

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit the maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group that the server normally runs as.
User nobody
Group nogroup

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User ftp
  Group ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients 10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
Any method used to break out of a chroot() jail relies on the ".." path to the root directory being unbroken. The prevention method is to break the path of ".." directories at some point. The method used is to create a small partition at bootup which has its ".." link to its parent broken so that it's effectively like ".", using fsdb (FileSystem DeBugger). This partition has to be killed when the machine dies, as having a condition where ".." points to the current directory gives fsck kittens when it runs.
This prevention method was developed by Carole Fennelly and her partner. Have a look at the August 1999 Security column of SunWorld Online for the article - see http://www.sunworld.com/sunworldonline/swol-08-1999/swol-08-security-2.html
I want users in group company to have DefaultRoot ~ and the rest of the users to have a customized DefaultRoot. I've tried

<VirtualHost ftp.company.com>
  <Limit LOGIN>
    DenyAll
    AllowGroup company
  </Limit>
  DefaultRoot ~
  ...
  ...
</VirtualHost>

<VirtualHost ftp.client1.com>
  <Limit LOGIN>
    DenyAll
    AllowUser client1
  </Limit>
  DefaultRoot /var/www/client1
  ...
  ...
</VirtualHost>

<VirtualHost ftp.client2.com>
  <Limit LOGIN>
    DenyAll
    AllowUser client2
  </Limit>
  DefaultRoot /var/www/client2
  ...
  ...
</VirtualHost>

but I've had no success; any help appreciated.
I know that you can send (and jail) users to a particular directory based on their GroupID by using the DefaultRoot directive, i.e.

DefaultRoot ~ webusers

Can you have more than one DefaultRoot defined within the same domain, so users from group webusers will default (jail) to their own home directory, and another group, fpusers, will default to an empty directory (i.e. /home/blank)?
Hi, I am trying to get a group of users with the same gid and separate Unix accounts to have the same chroot'd directory. I have tried several methods and even get it to work with an <anon> block with a Group and several UserAlias directives, but they all then use the primary User password and I want separate passwords. Ideally what I need is:

<Group unixgrp>
  DefaultRoot /usr/local/home/ftp/unixgrp
</Group>

whereas this chroot would only apply to members of this group. Any suggestions on accomplishing this? Thanks.

Kyle Tucker wrote:
> Hi,
> I am trying to get a group of users with
> the same gid and separate Unix accounts to have the
> same chroot'd directory. I have tried several methods
> and even get it to work with an <anon> block with a
> Group and several UserAlias directives but they all
> then use the primary User password and I want separate
> passwords. Ideally what I need is:
>
> <Group unixgrp>
> DefaultRoot /usr/local/home/ftp/unixgrp
> </Group>

Much simpler:

DefaultRoot /usr/local/home/ftp/unixgrp unixgrp

see also: http://www.proftpd.net/docs/configuration.html#DefaultRoot

> whereas this chroot would only apply to members of this
> group.
>
> Any suggestions on accomplishing this? Thanks.
Way back when, Andreas Burkhardt wrote:
> Much simpler:
>
> DefaultRoot /usr/local/home/ftp/unixgrp unixgrp
>
> see also:
> http://www.proftpd.net/docs/configuration.html#DefaultRoot

Yes, but this appears to work globally and I will need several different groups to work in this manner.
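The per-group jailing asked about in the two posts above can be checked before reloading the server. The following is an added example (not proftpd's own code, and not from any poster here) that models ProFTPD's documented DefaultRoot semantics: directives are tried in file order and the first whose group-expression matches wins, a group-expression is a comma-separated AND list where a "!" prefix negates a group, and "~" expands to the login user's home directory (so it fails when the account has no home, as in the chroot("~/") error later in this thread). The config text is constructed for the example; the function names are my own.

```python
"""Resolve which DefaultRoot jail a ProFTPD user would land in."""
import re
from typing import List, Optional, Sequence, Tuple

# Constructed sample proftpd.conf fragment for this example.
SAMPLE_CONF = """
# web users go to their own home, unless they are also admins
DefaultRoot ~ webusers,!admins
# front-page users are jailed into an empty directory
DefaultRoot /home/blank fpusers
DefaultRoot /var/www/client1 client1
"""

Rule = Tuple[str, List[str]]


def parse_default_roots(conf_text: str) -> List[Rule]:
    """Return (path, group-expression terms) for each DefaultRoot, in file order."""
    rules: List[Rule] = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"DefaultRoot\s+(\S+)(?:\s+(\S+))?$", line)
        if not m:
            continue
        path, expr = m.group(1), m.group(2)
        rules.append((path, expr.split(",") if expr else []))
    return rules


def expr_matches(terms: Sequence[str], groups: set) -> bool:
    """AND-evaluated expression: every plain term must be a member,
    every '!' term must not be. An empty expression matches everyone."""
    for term in terms:
        if term.startswith("!"):
            if term[1:] in groups:
                return False
        elif term not in groups:
            return False
    return True


def resolve_root(conf_text: str, groups: Sequence[str],
                 home: Optional[str]) -> Optional[str]:
    """First matching DefaultRoot wins. Returns '/' when nothing matches
    (user is not jailed at all) and None when '~' cannot be expanded."""
    for path, terms in parse_default_roots(conf_text):
        if not expr_matches(terms, set(groups)):
            continue
        if path == "~" or path.startswith("~/"):
            if not home:
                return None           # chroot("~/") would fail: no home known
            return home + path[1:]
        return path
    return "/"
```

A result of "/" for a user who should be confined is the finding to act on: no DefaultRoot line covers that user's groups.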
I've a problem with proftpd I couldn't solve myself; hope you'll help me on this one. Proftpd is running fine, logging in is no problem. But my users are able to change from 'their' directory down to lower ones (even down to /). Well, I don't like that at all. I tried to 'fix' that by adding DefaultRoot ~ in proftpd.conf but the problem still exists. What might I do to change the situation? There is one more question: does anybody know why proftpd is not in the list when I do ps -aux? I know that it is running.
DefaultRoot should do the trick. Can you confirm the version, OS, and any special configs (such as LDAP, SQL, NFS etc.)? Also, where are you editing the configuration: /etc/ or /usr/local/etc/?
<side note> This appears to be a common problem; most users are expecting proftpd.conf to be in /etc/, not /usr/local/etc/. I'll add something into the FAQ in a moment (updating atm) about it. </side note>

It might be worth symlinking the two files together. Check to see which file you're editing; it's possible that you're editing the wrong one.

> There is one more question: Does anybody know why proftpd is not in the
> list when I do ps -aux? I know that it is running.
Best guess, you're running in inetd mode which means that proftpd will only appear in the process list while there are active connections.
Now in an attempt (thinking dynamically) I tried /home/parent/*/upload/* and it seemed to work with two separate children. Was I just seeing things or does this really work?
With that I thought why not try to make the DefaultRoot dynamic too, I had individual lines for each one. I am using a separate password file. It failed...
Yes, ideally he should be using the system passwd file. If they're fake users, he can not allow them to login etc. BUT, what if the point is security? Say for example you're using FTP and SSH on your system (no telnet). Do you want someone to sniff your FTP password and be able to gain access to your shell? Why even bother with ssh?
A better one for you, when will proftpd support Require valid-user and AuthuserFile, in .ftaccess files? And within Anonymous hosts? Are there any particular reasons it does not? PS> What about the ability to toggle/rename Ftaccess file (same as Apache)? I chopped two together for this one...
> Not chroot, but proftpd.
> proftpd could getpwent if the root is ~/something.
> This would then require that User be set...
>
> On Wed, Mar 29, 2000 at 12:24:15PM -0500, jason@iac.net wrote:
> > With that I thought why not try to make the DefaultRoot dynamic too, I had
> > individual lines for each one. I am using a separate password file. It failed...
> >
> > Snipped from the log
> > USER parent: Login successful.
> > parent chroot("~/"): No such file or directory
>
> I'd like you to explain to me how chroot(2) would know how
> to expand tilde. ;-)
First thing I am using a separate password file so technically the user doesn't have an account on the machine.
It looks like for DefaultRoot ~ to work properly the account needs to have an entry in the main password file. Then it logs the person into their home directory. Otherwise a line has to be in the config like...

DefaultRoot /home/parent parent
DefaultRoot /home/parent/child child

to DefaultRoot the person to the proper directory if they are in a separate password file. It would be nice if proftpd could take the directory from the separate password file and DefaultRoot them with that directory.
So to answer, perhaps..... If a separate password file is defined in the configuration and if "DefaultRoot ~" is set, it should base the chroot off the user's directory in that separate password file. Right now it doesn't look like it uses it for that. Unless I have just done something wrong, which is why I asked. My thought is why fuss with the actual config and not use what's set in the password file? That would allow for a dynamic config that chroots with separate password files, right?

Jason Portwood - jason@iac.net
Systems Administrator - Strategic/Internet Access Cincinnati
Sales and Tech Support - 513-860-9052
When set to true, the chroot base directory becomes a subdirectory of the anonymous ftp directory, based on the username of the current user. For example, assuming user "foo" is aliased to "ftp", logging in as "foo" causes proftpd to run as real user ftp, but to chroot into ~ftp/foo instead of just ~ftp.

This works as advertised; if I set my anon block like so:

<Anonymous ~ftp>
  User ftp
  UserAlias source ftp
  UserDirRoot on
  ...