l***@gmx.de
2011-08-17 14:04:10 UTC
Hello!
Sorry for the incomplete previous mail - I had too thick fingers :-(
I'm running a proftpd 1.3.3e with modules mod_sql:mod_sql_mysql:mod_tls:mod_shaper:mod_ifsession and MySQL backend with virtual users.
On this server there is also a net2ftp installed so I can access the ftp server with http.
There is a folder structure where an administrative user can log in; in the home directory of this user are subfolders that are the home folders of other, restricted users. In the home folders of these restricted users is a folder structure given by the administrative user that should not be changed by the restricted user; however, the restricted user can go into these directories and create subfolders and up-/download files. All this is configured with ftpaccess files.
Now the strange thing is: if I access a restricted user's account with FileZilla, everything is working fine as it should (both restrictions and permissions). If I use the net2ftp (that only connects by ftp as FileZilla does), the restricted user can create subfolders, but cannot create subfolders in newly created subfolders, nor upload files into newly created subfolders. If I remove the .ftpaccess in the home directory of the administrative user, he can. So this is an ftpaccess-related issue, but how can it be that for FileZilla everything is working, for net2ftp not?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/srv/ftp/:
<Limit WRITE>
AllowUser Admin
DenyAll
</Limit>
<Limit DIRS READ>
AllowAll
</Limit>
-----------------
/srv/ftp/ftpsite/subsite/admin/:
<Limit WRITE>
AllowUser Admin
AllowUser Admin2
AllowUser Admin3
DenyAll
</Limit>
<Limit DIRS READ>
AllowAll
</Limit>
---------------
/srv/ftp/ftpsite/subsite/admin/subfolder_L1/subfolder_L2/subfolder_L3/:
<Limit WRITE DIRS READ>
AllowAll
</Limit>
**********************
Admin user has his homedir in /srv/ftp/ftpsite/subsite/admin
restricted user has his homedir in /srv/ftp/ftpsite/subsite/admin/subfolder_L1 and should only be able to write and delete below ../subfolder_L3.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
my proftpd.conf:
==========
ServerName "Myserver"
ServerAdmin ***@mydomain
ServerType standalone
DefaultServer on
Port 21
UseIPv6 off
Umask 022
MaxInstances 30
User proftpd
Group proftpd
DefaultRoot ~
AllowOverwrite on
<Limit SITE_CHMOD>
DenyAll
</Limit>
PidFile /var/run/proftpd.pid
MaxConnectionRate 4
SocketBindTight off
RootRevoke on
MultilineRFC2228 on
PassivePorts 2000 8000
<IfModule mod_delay.c>
DelayEngine off
DelayTable /var/run/proftpd/proftpd.delay
</IfModule>
<IfModule mod_tls.c>
TLSProtocol SSLv23
</IfModule>
SystemLog /var/log/proftpd/proftpd.log
TransferLog none
LogFormat awstats "%t %s %m %u %h[%a] %f Bytes: %b"
ExtendedLog /var/log/proftpd/xferlog read,write awstats
UseReverseDNS on
<Global>
ServerIdent on "FTP Server ready"
DeferWelcome on
IdentLookups off
RequireValidShell off
UseFtpUsers off
TimeoutLogin 60
TimeoutIdle 300
TimeoutNoTransfer 180
TimeoutStalled 600
MaxLoginAttempts 3
MaxClients 20 "Sorry, the maximum number of users (%m) is connected."
MaxClientsPerUser 15 "Sorry, the maximum number of logins for this user (%m) is reached."
MaxClientsPerHost 5 "Sorry, you are only allowed to have 5 parallel connections!"
MaxHostsPerUser 15 "Sorry, the maximum number of accessing hosts (%m) for this user is reached."
<IfModule !mod_sql.c>
AuthOrder mod_auth_unix.c
<Limit LOGIN>
DenyGroup !****
</Limit>
</IfModule>
<IfModule mod_sql.c>
AuthOrder mod_sql.c
SQLConnectInfo ******* ********* ********
SQLUserInfo users userid passwd uid gid homedir shell
SQLAuthTypes Backend
SQLAuthenticate users
SQLMinUserUID 30
SQLMinUserGID 8
SQLNegativeCache on
SQLLOGFILE /var/log/proftpd/proftpd.sql.log
</IfModule>
<IfModule mod_tls.c>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /path/to/host.crt
TLSRSACertificateKeyFile /path/to/host.key
TLSOptions NoCertRequest NoSessionReuseRequired
TLSVerifyClient off
TLSTimeoutHandshake 300
TLSRenegotiate none
TLSLog /var/log/proftpd/proftpd-tls.log
</IfModule>
DenyFilter \*.*/
ListOptions +R strict
UseGlobbing off
AllowOverwrite on
AllowRetrieveRestart on
DeleteAbortedStores on
WtmpLog off
<Directory /srv/ftp>
AllowOverride on
HideFiles "(.ftpaccess|.htaccess)$"
</Directory>
<Limit SITE_CHMOD>
DenyAll
</Limit>
</Global>
================================================================
Here are logfiles of exactly the same things: create a directory at the lowest level and upload a file into this new directory.
With FileZilla:
---------------
[17/Aug/2011:11:47:51 +0200] 257 MKD USER1 client.mydomain.org[66.55.44.33] /srv/ftp/ftpsite/subsite/admin/subfolder_L1/subfolder_L2/subfolder_L3/test Bytes: -
[17/Aug/2011:11:48:05 +0200] 226 STOR USER1 client.mydomain.org[66.55.44.33] /srv/ftp/ftpsite/subsite/admin/subfolder_L1/subfolder_L2/subfolder_L3/test/LinuxVollwaschmittelPackung.jpg Bytes: 216247
With net2ftp:
-------------
[17/Aug/2011:11:48:43 +0200] 257 MKD USER1 ftpserver.mydomain.org[127.0.0.2] /srv/ftp/ftpsite/subsite/admin/subfolder_L1/subfolder_L2/subfolder_L3/test Bytes: -
[17/Aug/2011:11:49:10 +0200] 550 STOR USER1 ftpserver.mydomain.org[127.0.0.2] - Bytes: -
The net2ftp gives an error message:
[Wed Aug 17 11:49:10 2011] [error] [client 66.55.44.33] PHP Warning: ftp_put(): /subfolder_L2/subfolder_L3/test/LinuxVollwaschmittelPackung.jpg: Operation not permitted in /srv/www/vhosts/webftp/html/main/includes/filesystem.inc.php on line 1283
I think this is just because ProFTPd denies the FTP PUT. No further hint in the logs...
So strange...
Is there a difference in .ftpaccess / Directory permission handling of ProFTPd if the access is from localhost or from external??
Any help appreciated because I have to have it running on Friday :-(
Best,
Andreas
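An added example, not part of the original post: a parser for the `LogFormat awstats` line in the proftpd.conf above that reports user/command pairs which succeed from one client address and fail from another, run over the four ExtendedLog lines quoted in the post. The function names are made up for this example.

```python
import re
from collections import defaultdict

# Pattern for the post's LogFormat: "%t %s %m %u %h[%a] %f Bytes: %b"
ENTRY = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<status>\d{3}) (?P<cmd>\S+) (?P<user>\S+) "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\] (?P<path>.*) Bytes: (?P<size>\S+)$"
)

BASE = "/srv/ftp/ftpsite/subsite/admin/subfolder_L1/subfolder_L2/subfolder_L3/test"
# The four ExtendedLog lines quoted in the post.
SAMPLE = [
    f"[17/Aug/2011:11:47:51 +0200] 257 MKD USER1 client.mydomain.org[66.55.44.33] {BASE} Bytes: -",
    f"[17/Aug/2011:11:48:05 +0200] 226 STOR USER1 client.mydomain.org[66.55.44.33] {BASE}/LinuxVollwaschmittelPackung.jpg Bytes: 216247",
    f"[17/Aug/2011:11:48:43 +0200] 257 MKD USER1 ftpserver.mydomain.org[127.0.0.2] {BASE} Bytes: -",
    "[17/Aug/2011:11:49:10 +0200] 550 STOR USER1 ftpserver.mydomain.org[127.0.0.2] - Bytes: -",
]


def parse_entry(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ok"] = entry["status"][0] in "123"  # 4xx/5xx replies are failures
    return entry


def divergent_outcomes(lines):
    """Find (user, command) pairs that succeed from one address and fail from another."""
    seen = defaultdict(lambda: {"ok": set(), "failed": set()})
    for entry in filter(None, map(parse_entry, lines)):
        bucket = "ok" if entry["ok"] else "failed"
        seen[(entry["user"], entry["cmd"])][bucket].add(entry["addr"])
    report = {}
    for key, addrs in seen.items():
        only_failed = addrs["failed"] - addrs["ok"]
        if addrs["ok"] and only_failed:
            report[key] = {"ok_from": sorted(addrs["ok"]), "failed_from": sorted(only_failed)}
    return report


if __name__ == "__main__":
    for (user, cmd), r in divergent_outcomes(SAMPLE).items():
        print(f"{user} {cmd}: ok from {r['ok_from']}, denied from {r['failed_from']}")
```

On these four lines only STOR is reported: MKD succeeds from both addresses, so it is not listed.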