Press F1

Thread ID: 32302 | 2003-04-15 03:38:00 | LINUX FTP server program recommendations please! | Clueless (181)
Post 135893 | 2003-04-15 03:38:00 | Clueless (181)

I'm using pure-ftpd on Sam, my wonderful Linux box. The problem is that anyone logging in can not just see their /home directory, but also most of the system. :( Could people who have done this recommend a good FTP server program that is a little more to the point in what access it gives? Also this line of pure-ftpd.conf: (excuse my innocence) What exactly does "chroot" mean?

```
# Cage in every user in his home directory (default=yes, uncommented)
ChrootEveryone              yes
```

.Clueless
Post 135894 | 2003-04-15 03:46:00 | Graham L (2)

chroot makes the root of the accessible file system the specified place, rather than "/". The idea is that people can access any point below the effective root, but can't go any higher. Http and anonymous ftp servers use this as a protection. If you are using this default, and people can still get at other places, the ftp server must be running as root. There should be a configuration option to make it run as "nobody", so it doesn't have the full powers of root. (That ought to be the default, too. :D)
Post 135895 | 2003-04-15 04:41:00 | Clueless (181)

Well here's the whole .conf file. There doesn't seem to be an option that stops people from being able to fish around beyond their own /home. Of course I may have overlooked something. It wouldn't be the first time.

```
############################################################
#                                                          #
#         Configuration file for pure-ftpd wrappers        #
#                                                          #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf

# Cage in every user in his home directory (default=yes, uncommented)
ChrootEveryone              yes

# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
# TrustedGID                100

# Turn on compatibility hacks for broken clients
BrokenClientsCompatibility  no

# Maximum number of simultaneous users
MaxClientsNumber            50

# Fork in background
Daemonize                   yes

# Maximum number of sim clients with the same IP address
MaxClientsPerIP             8

# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.
VerboseLog                  no

# List dot-files even when the client doesn't send "-a".
DisplayDotFiles             yes

# Don't allow authenticated users - have a public anonymous FTP only.
AnonymousOnly               no

# Disallow anonymous connections. Only allow authenticated users.
NoAnonymous                 no

# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp", "none" disables logging.
SyslogFacility              ftp

# Display fortune cookies
# FortunesFile              /usr/share/fortune/zippy

# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.
DontResolve                 yes

# Maximum idle time in minutes (default = 15 minutes)
MaxIdleTime                 15

# LDAP configuration file (see README.LDAP)
# LDAPConfigFile            /etc/pureftp-ldap.conf

# PureDB user database (see README.Virtual-Users)
# PureDB                    /etc/pureftpd.pdb

# Path to pure-authd socket (see README.Authentication-Modules)
# ExtAuth                   /var/run/ftpd.sock

# If you want to enable PAM authentication, uncomment the following line
PAMAuthentication           yes

# If you want simple Unix (/etc/passwd) authentication, uncomment this
# UnixAuthentication        yes

# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try
# will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.

# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth
LimitRecursion              2000 8

# Are anonymous users allowed to create new directories ?
AnonymousCanCreateDirs      no

# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.
MaxLoad                     4

# Port range for passive connections replies. - for firewalling.
# PassivePortRange          30000 50000

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# ForcePassiveIP            192.168.0.1

# Upload/download ratio for anonymous users.
# AnonymousRatio            1 10

# Upload/download ratio for all users.
# This directive supersedes the previous one.
# UserRatio                 1 10

# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.
AntiWarez                   yes

# IP address/port to listen to (default=all IP and port 21).
# Bind                      127.0.0.1,21

# Maximum bandwidth for anonymous users in Kb/s
# AnonymousBandwidth        8

# Maximum bandwidth for *all* users (including anonymous) in Kb/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
# UserBandwidth             8

# File creation mask. <umask for files>:<umask for dirs>.
# 177:077 if you feel paranoid.
Umask                       133:022

# Minimum UID for an authenticated user to log in.
MinUID                      100

# Allow FXP transfers for authenticated users only.
AllowUserFXP                yes

# Allow anonymous FXP for anonymous and non-anonymous users.
AllowAnonymousFXP           no

# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.
ProhibitDotFilesWrite       yes

# Prohibit *reading* of files beginning with a dot (.history, .ssh...)
ProhibitDotFilesRead        no

# Never overwrite files. When a file whose name already exists is uploaded,
# it gets automatically renamed to file.1, file.2, file.3, ...
AutoRename                  yes

# Disallow anonymous users to upload new files (no = upload is allowed)
AnonymousCantUpload         yes

# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.
#TrustedIP                  10.1.1.1

# If you want to add the PID to every logged line, uncomment the following
# line.
#LogPID                     yes

# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
# AltLog                    clf:/var/log/pureftpd.log

# Create an additional log file with transfers logged in a format optimized
# for statistic reports, as done with ftpStats (www.shagged.org/ftpstats).
# AltLog                    stats:/var/log/pureftpd.log

# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)
# AltLog                    w3c:/var/log/pureftpd.log

# Disallow the CHMOD command. Users can't change perms of their files.
#NoChmod                    yes

# Allow users to resume and upload files, but *NOT* to delete them.
#KeepAllFiles               yes

# Automatically create home directories if they are missing
#CreateHomeDir              yes

# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.
#Quota                      1000:10

# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid
PIDFile                     /var/run/pure-ftpd.pid

# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
#CallUploadScript           yes

# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it saves some space and protects
# the log files. When the partition is more than X percent full,
# new uploads are disallowed.
MaxDiskUsage                90

# Set to 'yes' if you don't want your users to rename files.
#NoRename                   yes
```

This is why I am thinking that "pure-ftp" may not be the best ftp server for my system.

.Clueless
Post 135896 | 2003-04-15 04:45:00 | Clueless (181)

Another, far less important question... What is a "fortunes file"?????

.Clueless
Post 135897 | 2003-04-15 04:56:00 | Graham L (2)

You did run the command to make it use that config file? :D chroot should lock the ordinary users to /home/<user> and below. And if there are no TrustedGIDs (that is, users with group ID less than 100), no one should be able to. :D The secure replacement for telnet (I forget the name .. it's a TLA) also does ftp, I think.
Post 135898 | 2003-04-15 05:06:00 | Clueless (181)

Yes I did run the command..... I'll run it again to be sure. I suppose this is the kind of command that has to be run each time I start the server.... bugger.

```
sam:/ # /usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf
Can't open /usr/etc/pure-ftpd.conf: No such file or directory
sam:/ # /usr/sbin/pure-config.pl etc/pure-ftpd.conf
Running: /usr/sbin/pure-ftpd -A -c 50 -B -C 8 -D -f ftp -H -I 15 -l pam -L 2000:8 -m 4 -s -U 133:022 -u 100 -w -x -r -i -g /var/run/pure-ftpd.pid -k 90
sam:/ #
```

and so much for standardisation.. the .conf file doesn't even live where its own "command" thinks it does. Hmmpfff. About to check if that has worked..

.Clueless
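The "Running:" line is the wrapper's translation of the .conf into pure-ftpd flags. Below is an added example, not pure-ftpd's own pure-config.pl: a Python reimplementation of that translation for the directives whose flags appear in that line (the directive-to-flag pairs are read off the config and the Running: line in this thread, so directives outside that set are ignored), plus a check that the hardening directives actually reached the command line. SAMPLE_CONF is a constructed copy of the thread's directive lines.

```python
# Reproduce pure-config.pl's .conf -> flag translation for the directives whose
# flags appear in the thread's "Running:" line (added example, not pure-ftpd's own).
BOOL_FLAGS = {  # flag is emitted only when the directive is set to "yes"
    "ChrootEveryone": "-A", "Daemonize": "-B", "DisplayDotFiles": "-D",
    "DontResolve": "-H", "AntiWarez": "-s", "AllowUserFXP": "-w",
    "ProhibitDotFilesWrite": "-x", "AutoRename": "-r", "AnonymousCantUpload": "-i",
}
VALUE_FLAGS = {  # flag is followed by the directive's value(s)
    "MaxClientsNumber": "-c", "MaxClientsPerIP": "-C", "SyslogFacility": "-f",
    "MaxIdleTime": "-I", "LimitRecursion": "-L", "MaxLoad": "-m", "Umask": "-U",
    "MinUID": "-u", "PIDFile": "-g", "MaxDiskUsage": "-k",
}
# Hardening flags a defender expects to find on the running daemon's command line.
HARDENING = {"-A": "ChrootEveryone", "-i": "AnonymousCantUpload", "-x": "ProhibitDotFilesWrite"}

def build_argv(conf_text):
    """Translate pure-ftpd.conf text into the pure-ftpd argument list, in file order."""
    argv = ["/usr/sbin/pure-ftpd"]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or commented-out directive
            continue
        name, *values = line.split()
        enabled = bool(values) and values[0].lower() == "yes"
        if name in BOOL_FLAGS and enabled:
            argv.append(BOOL_FLAGS[name])
        elif name == "PAMAuthentication" and enabled:
            argv += ["-l", "pam"]
        elif name in VALUE_FLAGS:
            argv += [VALUE_FLAGS[name], ":".join(values)]  # "2000 8" -> "2000:8"
    return argv

def missing_hardening(argv):
    """Hardening directives from the thread's config that did not reach the daemon."""
    return [name for flag, name in HARDENING.items() if flag not in argv]

# Constructed sample: the thread's config reduced to its directive lines.
SAMPLE_CONF = "\n".join([
    "ChrootEveryone yes", "# TrustedGID 100", "BrokenClientsCompatibility no",
    "MaxClientsNumber 50", "Daemonize yes", "MaxClientsPerIP 8", "VerboseLog no",
    "DisplayDotFiles yes", "AnonymousOnly no", "NoAnonymous no", "SyslogFacility ftp",
    "DontResolve yes", "MaxIdleTime 15", "PAMAuthentication yes", "LimitRecursion 2000 8",
    "AnonymousCanCreateDirs no", "MaxLoad 4", "AntiWarez yes", "Umask 133:022", "MinUID 100",
    "AllowUserFXP yes", "AllowAnonymousFXP no", "ProhibitDotFilesWrite yes",
    "ProhibitDotFilesRead no", "AutoRename yes", "AnonymousCantUpload yes",
    "PIDFile /var/run/pure-ftpd.pid", "MaxDiskUsage 90",
])
```

`" ".join(build_argv(SAMPLE_CONF))` reproduces the Running: line above exactly, and `missing_hardening(...)` is empty for it; the same check against a config with `ChrootEveryone no` names the directive that would leave users uncaged.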
Post 135899 | 2003-04-15 05:09:00 | Clueless (181)

Well that works... Now is there a way to make sure that after restart next, the FTP server will behave itself?

.Clueless
Post 135900 | 2003-04-15 09:46:00 | bmason (508)

Try running "fortune" from a terminal. The fortune file is where it stores them.
Post 135901 | 2003-04-16 01:37:00 | Graham L (2)

Try "fortune -o". :D Otherwise, find out what is starting up the FTP server ... and make sure it is invoked with that command. I suppose it's running "standalone" (that is, it is always running, not started when called).
Post 135902 | 2003-04-16 03:54:00 | Clueless (181)

There is no such directory as "/usr/share/fortune/zippy" and "fortune" and "fortune -o" give "command not found". It's probably not important, I was just wondering if anyone knew what they were. BTW.. The ftp server appears to be running nicely thank you.

.Clueless