I have looked at the sample scripts but I'm a newbie. Could someone tell me how to set up the following using my supplied proftpd.conf file? I want to set up a guest account with chroot and require a password. I don't want to run as anonymous. Also, what files do I need to include in the /download dir in order for this to work?
Example 1-1.
File: proftpd.conf

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User ftp
  Group ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients 10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin welcome.msg
  DisplayFirstChdir .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
I was setting up proftpd at another ISP's site, and they wanted to chroot folks in their home directory (DefaultRoot ~) -but- have them start in a "webspace" subdirectory. The idea is that the move from their existing webserver setup (where they were immediately placed in their webspace when uploading) would be transparent, but they would have the ability of storing things outside of their webspace. I looked through the configuration directives, tried setting the home directory in passwd to /home/example/./webspace, etc., all to no avail. Any ideas?

DefaultRoot ~
DefaultChdir ~/webspace
Any method used to break out of a chroot() jail relies on the ".." path to the root directory being unbroken. The prevention method is to break the path of ".." directories at some point. The method used is to create a small partition at bootup which has its ".." link to its parent broken so that it's effectively like "." using fsdb (FileSystem DeBugger). This partition has to be killed when the machine dies, as having a condition where ".." points to the current directory gives fsck kittens when it runs.
This prevention method was developed by Carole Fennelly and her partner. Have a look at the August 1999 Security column of SunWorld Online for the article - see http://www.sunworld.com/sunworldonline/swol-08-1999/swol-08-security-2.html
I want users in group company to have DefaultRoot ~, and the rest of the users to have a customized DefaultRoot. I've tried:

<VirtualHost ftp.company.com>
  <Limit LOGIN>
    DenyAll
    AllowGroup company
  </Limit>
  DefaultRoot ~
  ...
  ...
</VirtualHost>

<VirtualHost ftp.client1.com>
  <Limit LOGIN>
    DenyAll
    AllowUser client1
  </Limit>
  DefaultRoot /var/www/client1
  ...
  ...
</VirtualHost>

<VirtualHost ftp.client2.com>
  <Limit LOGIN>
    DenyAll
    AllowUser client2
  </Limit>
  DefaultRoot /var/www/client2
  ...
  ...
</VirtualHost>

but I've had no success; any help appreciated.
I know that you could send (and jail) a user to a particular directory based on their GroupID by using the DefaultRoot directive, i.e.:

DefaultRoot ~ webusers

Can you have more than one DefaultRoot defined within the same domain, so users from group webusers will default (jail) to their own home directory, and another group, fpusers, will default to an empty directory (i.e. /home/blank)?
>>>>> "dwc" == Chan, Dominic <dwc@lubrizol.com> writes:

dwc> I know that you could send (and jail) user to a particular
dwc> directory base on their GroupID by using the DefaultRoot
dwc> Directive
dwc> Ie. DefaultRoot ~ webusers
dwc> Can you have more than one DefaultRoot define within the same
dwc> domain, so user from Group - webusers will default (jail) to
dwc> their own home directory, and another Group - fpusers will
dwc> default to an empty directory (ie /home/blank)

Try it and see :-)
I have set up my Proftpd so that all users DefaultRoot to their ~/public_html directory for FTP'ing their web pages over. My problem is that I have 1 user that I would like to have DefaultRoot to their home directory, not just their public_html directory. Is there a way to accomplish this, to say everyone should be treated like this, except for this one user?
create a new group, add that user to it, add a !<that group> to the defaultroot directive, add a new defaultroot directive for that group (child's play?).
devon

"James C. Montz" wrote:
>
> I have set up my Proftpd so that all users DefaultRoot to their
> ~/public_html directory for FTP'ing their web pages over.
>
> My problem is that I have 1 user that I would like to have DefaultRoot to
> their home directory, no just their public_html directory.
> Is there a way to accomplish this, to say everyone should be treated like
> this, except for this one user?
>
> Thanks!
Hi, I am trying to get a group of users with the same gid and separate Unix accounts to have the same chroot'd directory. I have tried several methods and even got it to work with an <anon> block with a Group and several UserAlias directives, but they all then use the primary User password and I want separate passwords. Ideally what I need is:

<Group unixgrp>
  DefaultRoot /usr/local/home/ftp/unixgrp
</Group>

whereas this chroot would only apply to members of this group. Any suggestions on accomplishing this? Thanks.

Kyle Tucker wrote:
> Hi,
> I am trying to get a group of users with
> the same gid and seperate Unix accounts to have the
> same chroot'd directory. I have tried several methods
> and even get it to work with an <anon> block with a
> Group and several UserAlias directives but they all
> then use the primary User password and I want seperate
> passwords. Ideally what I need is:
>
> <Group unixgrp>
> DefaultRoot /usr/local/home/ftp/unixgrp
> </Group>

Much simpler:

DefaultRoot /usr/local/home/ftp/unixgrp unixgrp

see also: http://www.proftpd.net/docs/configuration.html#DefaultRoot

> whereas this chroot would only apply to members of this
> group.
>
> Any suggestions on accomplishing this? Thanks.
Way back when, Andreas Burkhardt wrote:
>
> Much simpler:
>
> DefaultRoot /usr/local/home/ftp/unixgrp unixgrp
>
> see also:
>
> http://www.proftpd.net/docs/configuration.html#DefaultRoot

Yes, but this appears to work globally and I will need several different groups to work in this manner.
DefaultRoot can be used in <Virtual Host> context as well, which will not be global in scope.
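The "everyone except one user" question and the "several groups, several jails" question above are both answered by the group expression argument of DefaultRoot. The fragment below is an added example, not taken from any post in this thread; the group name fullhome and the directory paths are assumed, and it relies on ProFTPD applying the first DefaultRoot whose expression matches the user:

```apache
# Added example: group-qualified DefaultRoot directives in server context.
# ProFTPD checks DefaultRoot lines in order and applies the first one whose
# group expression matches the user's groups. A comma-separated list is an
# AND of the listed groups; a leading "!" negates a group.

# One exception: members of the (assumed) group "fullhome" keep their
# whole home directory as the jail. Listed first so it wins.
DefaultRoot ~ fullhome

# Each remaining group gets its own jail.
DefaultRoot /home/blank                 fpusers
DefaultRoot /usr/local/home/ftp/unixgrp unixgrp

# Web users are jailed to ~/public_html; the !fullhome term is redundant
# here because of the ordering, but shows the negation syntax.
DefaultRoot ~/public_html webusers,!fullhome

# A user who matches no expression is NOT chrooted, so end with a
# catch-all rather than relying on the absence of a rule.
DefaultRoot ~

# "~" is expanded from the home field of the account record ProFTPD
# authenticated against (AuthUserFile included); the directory must exist
# or the login fails with chroot(): No such file or directory.
# The same directives may be placed inside a <VirtualHost> block instead,
# which limits them to that host.
```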
I've a problem with proftpd I couldn't solve myself - hope you'll help me on this one. Proftpd is running fine, logging in is no problem. But my users are able to change from 'their' directory down to lower ones (even down to /). Well - I don't like that at all. I tried to 'fix' that by adding DefaultRoot ~ in proftpd.conf but the problem still exists. What might I do to change the situation? There is one more question: Does anybody know why proftpd is not in the list when I do ps -aux? I know that it is running.
On Wed, 29 Dec 1999, Thomas Winkler wrote:
> I've a problem with proftpd i couldn't solve myselft - hope you'll help me
> on this one. Proftpd is running fine, logging in is no problem. But my users
> are able to change from 'their' directory down do lower ones (even down to
> /). Well - I don't like that at all. I tried to 'fix' that by adding
> DefaultRoot ~
DefaultRoot should do the trick. Can you confirm the version, OS, and any special configs (such as LDAP, SQL, NFS etc.)? Also, where are you editing the configuration? /etc/ or /usr/local/etc/?
<side note> This appears to be a common problem, most users are expecting proftpd.conf to be in /etc/ not /usr/local/etc/. I'll add something into the FAQ in a moment (updating atm) about it. </side note>

It might be worth symlinking the two files together. Check to see which file you're editing, it's possible that you're editing the wrong one.

> There is one more question: Does anybody know why proftpd is not in the
> list when I do ps -aux? I know that it is running.
Best guess, you're running in inetd mode which means that proftpd will only appear in the process list while there are active connections.
pre10 running on FreeBSD 3.4-Stable.. I have been experimenting with the <directory> and DefaultRoot controls and I have a question.
I was setting up a directory structure to allow one parent account with several children accounts. Those children accounts would have an upload/download directory.
I won't bore you all with the whole config. But just the part for the base and the upload directory.
<Directory /home/parent/*>
  <Limit ALL>
    AllowUser parent
    DenyAll
  </Limit>
  <Limit RETR>
    AllowAll
  </Limit>
  <Limit CWD XCWD CDUP DIRS>
    AllowAll
  </Limit>
</Directory>

<Directory /home/parent/upload/*>
  <Limit STOR>
    AllowAll
  </Limit>
  <Limit RETR>
    AllowUser parent
    DenyAll
  </Limit>
  <Limit ALL>
    AllowUser parent
    DenyAll
  </Limit>
  <Limit CWD XCWD CDUP DIRS>
    AllowAll
  </Limit>
</Directory>
Now in an attempt (thinking dynamically) I tried /home/parent/*/upload/* and it seemed to work with two separate children. Was I just seeing things or does this really work?
With that I thought why not try to make the DefaultRoot dynamic too, I had individual lines for each one. I am using a separate password file. It failed...
Snipped from the log:

USER parent: Login successful.
parent chroot("~/"): No such file or directory
I'm guessing the separate file is the catch. I'd really like to keep the separate password file and have a dynamic default root. Is that possible to do?
Yes, ideally he should be using the system passwd file. If they're fake users, he can not allow them to login etc. BUT, what if the point is for security. Say for example, you're using FTP and SSH on your system (no telnet). Do you want someone to sniff your FTP password and be able to gain access to your shell? Why even bother with ssh?
A better one for you, when will proftpd support Require valid-user and AuthuserFile, in .ftaccess files? And within Anonymous hosts? Are there any particular reasons it does not? PS> What about the ability to toggle/rename Ftaccess file (same as Apache)? I chopped two together for this one...
> > Not chroot, but proftpd.
> proftpd could getpwent if the root is ~/something.
> This would then require that User be set...
>
> o _
>
> > On Wed, Mar 29, 2000 at 12:24:15PM -0500, jason@iac.net wrote:
> > > With that I thought why not try to make the DefaultRoot dynamic too, I had
> > > individual lines for each one. I am using a separate password file. It failed...
> > >
> > > Snipped from the log
> > > USER parent: Login successful.
> > > parent chroot("~/"): No such file or directory
>
> I'd like you to explain to me how chroot(2) would know how
> to expand tilde. ;-)
First thing I am using a separate password file so technically the user doesn't have an account on the machine.
It looks like for DefaultRoot ~ to work properly the account needs to have an entry in the main password file. Then it logs the person in their home directory. Otherwise a line has to be in the config like...

DefaultRoot /home/parent parent
DefaultRoot /home/parent/child child

To defaultroot the person to the proper directory if they are in a separate password file. It would be nice if proftpd could take the directory from the separate password file and default root them with that directory.
So to answer, perhaps..... If a separate password file is defined in the configuration and if "DefaultRoot ~" is set it should base the chroot off the users directory in that separate password file. Right now it doesn't look like it uses it for that. Unless I have just done something wrong and why I asked. My thought is why fuss with the actual config and not use what's set in the password file? That would allow for a dynamic config that chroot's with separate password files right? Jason Portwood - jason@iac.net Systems Administrator - Strategic/Internet Access Cincinnati Sales and Tech Support - 513-860-9052
Not chroot, but proftpd. proftpd could getpwent if the root is ~/something. This would then require that User be set...
DefaultChdir -- where users are dropped after login

UserDirRoot -- this is sort of strange; here's from the old Changes-1.2.0pre3:

    When set to true, the chroot base directory becomes a subdirectory of the anonymous ftp directory, based on the username of the current user. For example, assuming user "foo" is aliased to "ftp", logging in as "foo" causes proftpd to run as real user ftp, but to chroot into ~ftp/foo instead of just ~ftp.

This works as advertised; if I set my anon block like so:

<Anonymous ~ftp>
  User ftp
  UserAlias source ftp
  UserDirRoot on
  ...
and have a 'source' directory off ~ftp, logging in as 'source' acts like regular anon ftp and chroots me to ~ftp/source I'm just not sure what the purpose of this is -- is it a convenience thing? Why the chroot? Anyone have any ideas?
also: DisplayReadme was missing a </strong>, so the rest of the doc was bolded...
It must be a Monday morning because I forgot to include some of the /etc/svc.conf contents as per my previous post. Here's the whole thing:
Example 1-2. Sample svc.conf file
# WARNING: This file is MANDATORY !
#
# Setup recommendation: As you add distributed services to database
# entries, it is recommended that "local" is the first service.
# For example:
# passwd=local,yp
#
# Note: White space allowed only after commas or newlines.
#
# File Format
# -----------
# database=service,service
#
# The database can be:
# aliases
# group
# hosts
# netgroup
# networks
# passwd
# protocols
# rpc
# services
# The service can be:
# local
# yp
# bind (hosts ONLY)
#
aliases=local
group=local
hosts=local,bind,yp
netgroup=local
networks=local
passwd=local
protocols=local
rpc=local
services=local
SECLEVEL=BSD # for backwards compatibility ONLY
I have installed ProFTP and it's great, but when I try to "jail" in an ftp user to their home directory, they are not able to execute any commands upon logon. Here's a sample log of what happens when I try to logon as "test" who is a user in the ftponly group (see ftpaccess file below):

331 Password required for test.
Password:
230 User test logged in.
ftp> dir
200 PORT command successful.
getsvc: stat of /etc/svc.conf failed
ftp> pwd
getsvc: stat failed: No such file or direc
getsvc: stat of /etc/svc.conf failed
getsvc: stat failed: No such file or direc
150 Opening ASCII mode data connection for
ftp> pwd
226 Transfer complete.
257 "/" is current directory.
ftp> dir
200 PORT command successful.
getsvc: stat of /etc/svc.conf failed
ftp>

My /etc/ftpaccess file is as follows:

class all real,guest,anonymous *
guestgroup ftponly
limit all 10 Any /etc/msgs/msg.dead
message /welcome.msg login
message .message cwd=*
compress yes all
tar yes all
log commands real
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg

Any idea on what might be preventing ftponly users from using standard ftp commands?
Offhand, I'd say that you're running an ftp daemon other than the one that this mailing list is for (since you mention an ftpaccess file, maybe you're running wu-ftpd?). I don't think the info below corresponds to what you would see if you were running the ProFTPd server.
Aside from that, I'd guess that you need a /etc/svc.conf file (whatever that is) in your "jail" if you continue to use that other ftpd. Otherwise, you might want to check your /etc/inetd.conf to make sure that it's got the right ftpd binary mentioned in there? Or, check your 'ps' output to see if you're running some other ftpd?
Oops, I apologize. I was quoting the wrong configuration file, but the problem still exists. I am running proftpd with my configuration file in /usr/local/etc/proftpd.conf running on a digital unix server.
Example 1-3. proftpd.conf
ServerName "StreetViews FTP Server."
ServerType inetd
Displayconnect /etc/ftpbanner
ServerIdent on "FTP Server Ready. Logging enabled."
Identlookups off
Extendedlog /var/adm/proftpd.log
AuthUserFile /etc/passwd
DefaultRoot ~ ftponly
Port 21
Umask 022
MaxInstances 10
User nobody
Group nogroup
All regular users have full FTP access and it works great but any users who are in the ftponly unix group should be chrooted to their home directory as I stated above. But if they try to run any commands, I get errors like this:
> 331 Password required for test.
> Password:
> 230 User test logged in.
> ftp> dir
> 200 PORT command successful.
> getsvc: stat of /etc/svc.conf failed

I'm not sure what /etc/svc.conf does, but here are the contents:

# WARNING: This file is MANDATORY !
#
# Setup recommendation: As you add distributed services to database
# entries, it is recommended that "local" is the first service.
# For example:
# passwd=local,yp
#
# Note: White space allowed only after commas or newlines.
#
# File Format
# -----------
# database=service,service
#
# The database can be:
# aliases
# group
# hosts
# netgroup
# networks
# passwd
# protocols
# rpc
# services
# The service can be:
# local
# yp
All lines are commented out so I'm not sure what the file is actually used for, but it seems to be interfering with proftpd, but only when users are being chrooted to their home directory through the "ftponly" group membership. Anybody know what might be going on?
Thanks, Chris.

> -----Original Message-----
> From: Scott Blachowicz [SMTP:Scott.Blachowicz@seaslug.org]
> Sent: Thursday, February 03, 2000 3:22 PM
> To: ckirby@streetviews.com; proftpd@proftpd.net
> Subject: Re: chroot / home directories
>
> Offhand, I'd say that you're running an ftp daemon other than the one that
> this mailing list is for (since you mention an ftpaccess file, maybe you're
> running wu-ftpd?). I don't think the info below corresponds to what you would
> see if you were running the ProFTPd server.
>
> Aside from that, I'd guess that you need a /etc/svc.conf file (whatever that
> is) in your "jail" if you continue to use that other ftpd. Otherwise, you
> might want to check your /etc/inetd.conf to make sure that it's got the right
> ftpd binary mentioned in there? Or, check your 'ps' output to see if you're
> running some other ftpd?
>
> Scott.Blachowicz@seaslug.org
Have you tried putting a copy of /etc/svc.conf into "etc/svc.conf" under one of the chroot'd "jails"? I'm new enough to using proftpd and don't have any recent experience with Digital Unix to know, for sure, what might be going on. It sounds like it's making some system call that expects to be able to look something up in that /etc/svc.conf file, but it's chroot'd to a directory tree that doesn't have such a file.