[prev in list] [next in list] [prev in thread] [next in thread]
List: wuftpd-questions
Subject: RE: cannot download files
From: "James R. Hendrick" <hendrick () keane-nne ! com>
Date: 2003-05-22 18:41:57
[Download RAW message or body]
Yeah. It took me quite a bit of trial and error to get things to work...
So if I have it right...
The test1 user has a home in the system /etc/passwd of /home/ftpusers/test1
guest-root is /home/ftpusers
and there is a root structure at /home/ftpusers/ (etc, usr, bin, lib, and all...)
test1's home in /home/ftpusers/etc/passwd is /test1
and you have these folks running "restricted" so they cannot "cd .." from their \
homes.
When test1 logs in, I assume you can see the upload and download dirs only.
The error on downloads is probably a subtle syntax thing.
The other error:
> 230 User test1 logged in. Access restrictions apply.
> ftp> put junk9
> 200 PORT command successful.
> 550 Permission denied on server. You are restricted
> to your account.
looks odd. It is almost as if somehow the upload is trying to put the file outside \
the users home... Here is my directory structure with /var/ftpusers/ as guest-root
apptest1 >cd /var/ftpusers
apptest1 >ls -al
total 12
drwxr-xr-x 8 root sys 1024 May 15 12:01 .
dr-xr-xr-x 27 bin bin 1024 May 15 11:41 ..
-r-------- 1 root sys 0 May 15 11:43 .notar
-r-------- 1 root sys 0 May 15 11:43 .rhosts
d--x--x--x 2 root sys 96 May 15 11:48 bin
d--x--x--x 2 root sys 1024 May 20 11:02 etc
drwxr-xr-x 4 testftp ftpusers 1024 May 15 11:57 testftp
d--x--x--x 4 root sys 96 May 15 11:43 usr
apptest1 >ls -al testftp
total 4
drwxr-xr-x 4 testftp ftpusers 1024 May 15 11:57 .
drwxr-xr-x 8 root sys 1024 May 15 12:01 ..
-r-------- 1 root sys 0 May 15 11:43 .notar
-r-------- 1 root sys 0 May 15 11:43 .rhosts
drwxr-xr-x 2 root sys 96 May 15 11:43 downloads
drwxr-xr-x 2 testftp ftpusers 96 May 15 12:06 uploads
Note that I have the downloads not owned/writable by the user. (in case the no-upload \
configuration fails)
Again, here is the end of my ftpaccess file (that controls up/down load)
# now we control where they can [up|down]load
# by default they should not be able to retrieve anything
noretrieve relative class=guest *
# but we want them to be able to retrieve from their own downloads area
# Note: this line actually allows them to download from *any* download area
# before go-live we should probably specify individual lines for each user
allow-retrieve absolute class=guest /var/ftpusers/*/downloads/*
# here we prevent uploads specifically to the base of the chroot() ftp area
upload /var/ftpusers/* / no
upload /var/ftpusers/* /bin no
upload /var/ftpusers/* /usr no
upload /var/ftpusers/* /etc no
Note, the above should not be needed using restricted-uid, but I want to be sure...
# and then put in a catch-all to prevent uploads for all guests to anywhere
upload class=guest /var/ftpusers/* * no
# only here we allow them to upload to their own uploads area
# similar to downloads (allow-retrieve above) we should make specific entries
# for each individual user so if restricted-uid failed, they could not
# get at anything in other user areas.
upload class=guest /var/ftpusers/* /*/uploads yes * * * nodirs
This last line is key... The "* * *" between "yes" and "nodirs" are needed to prevent \
"mkdir" in their uploads area. Note that this is a tricky syntax, because the first \
directory part, the "/var/ftpusers/*" is parsed *before* the chroot happens... The \
next one, the "/*/uploads" takes place *after* the chroot and DOES NOT refer to the \
USERS home, but to the guest-root! (hence the /*/ handles all directories one below \
the guest-root, and only the restricted-uid and the file permissions prevent this \
from allowing upload to <guest-root>/etc/ !!!!) I strongly recommend if you have only \
a few users, that you create individual lines for each one to avoid this.
I hope this helps. It really does work, it just is not obvious...
Jim
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic