nuhiNlow n00b


Joined: 07 Jan 2009 Posts: 46
Posted: Fri Mar 27, 2009 7:20 pm — Post subject: vsftpd OOPS cannot change directory
I'm using vsftpd with virtual users, and the client keeps getting an error that vsftpd can't change into the client's directory.
[ebuild R ] net-ftp/vsftpd-2.1.0 USE="pam ssl tcpd -caps (-selinux) -xinetd" 0 kB
phoenix vsftpd # cat vsftpd.conf
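#
# /etc/vsftpd/vsftpd.conf for vsftpd 2.1.0: a standalone daemon serving
# virtual users (authenticated through PAM, remapped to guest_username).
# Syntax is one option=value per line with no spaces around "=", and
# full-line "#" comments only; vsftpd.conf(5) lists every option and its
# compiled-in default.
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Listen on IPv4 sockets in standalone mode. xinetd users must set NO or
# comment this out; otherwise it must be YES. It cannot be combined with
# listen_ipv6: to serve IPv4 and IPv6 you must run two copies of vsftpd
# with two configuration files, each with exactly one of the two enabled.
# Set once only; the same key later in the file was just a duplicate.
listen=YES
#listen_ipv6=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in. With guest_enable=YES
# below, the "local" logins are the virtual users.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftp
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Passive-mode data ports. The firewall must accept inbound connections to
# this whole range, so keep it only as wide as the number of simultaneous
# transfers you expect.
pasv_min_port=59000
pasv_max_port=59900
#
# Confine every (virtual) user to its local_root; see the guest settings below.
chroot_local_user=YES
#
# SSL/TLS. Must be YES for any of the ssl_* and force_*_ssl options to apply.
ssl_enable=YES
# Anonymous logins are disabled above, so anonymous SSL is moot here.
# allow_anon_ssl=NO
# Require TLS on data connections. NO leaves file contents unencrypted on the
# wire.
# force_local_data_ssl=NO
# Require TLS on the control connection before accepting a login. NO means a
# client that does not negotiate TLS sends the virtual user's name and
# password in plaintext; set YES once every client can do TLS.
force_local_logins_ssl=NO
# Protocol versions offered. Only TLSv1 should be enabled: SSLv2 and SSLv3
# are broken protocols and are switched off here (the posted config had
# both set to YES).
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Path to the PEM file holding the certificate. The same file also holds the
# private key (rsa_private_key_file below), so it must be owned by root and
# not readable by other users.
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
#
# Maximum transfer rate for local (virtual) users, in bytes per second.
local_max_rate=30000
#
# If enabled, all non-anonymous logins are classed as "guest" logins. A guest
# login is remapped to the user specified in the guest_username setting.
guest_enable=YES
guest_username=virtualftp
# PAM service name, i.e. the stack in /etc/pam.d/vsftpd, which is where the
# virtual users are authenticated.
pam_service_name=vsftpd
# Virtual users will be logged into /var/ftp/[username]/ ($USER is replaced
# by the login name). That directory must exist and be enterable by
# guest_username; a missing or inaccessible directory is a likely cause of
# the "OOPS: cannot change directory" error.
user_sub_token=$USER
local_root=/var/ftp/$USER
# Login allowlist: with userlist_deny=NO only the names listed in
# userlist_file may log in at all.
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
# Log every FTP command and reply; verbose, but invaluable while debugging.
log_ftp_protocol=YES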
TheAbu Apprentice

Joined: 08 Jun 2008 Posts: 160 Location: Lyon, France
Posted: Mon Mar 30, 2009 6:14 pm Post subject: |
Your config looks OK (I would only reduce the width of the passive port range; unless you really expect a huge number of connections, I would go with 59000 to 59010).
Is your firewall set up the right way? (By that I mean incoming 21 and outgoing 59000 to 59900.)
Here is a copy of my config (also using virtual users), in case it helps:
# vsftpd.conf -- standalone vsftpd serving virtual users only.
# One option=value per line, no spaces around "=", full-line "#" comments.
#
# ----- Daemon -----------------------------------------------------------
# Run standalone (no xinetd) on the standard control port.
listen=YES
listen_port=21
# Greeting text shown to clients.
banner_file=/etc/vsftpd/banner
# Session caps: at most 5 concurrent clients, no more than 2 from one address.
max_clients=5
max_per_ip=2
# Passive-mode data ports (allow 51600-51602 inbound on the firewall).
pasv_min_port=51600
pasv_max_port=51602
#
# ----- Who may log in ---------------------------------------------------
# No anonymous access; every login is a "local" user that is then treated
# as a guest and mapped to the local account "virtual".
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=virtual
# Virtual users are authenticated by the PAM stack /etc/pam.d/vsftpd.
pam_service_name=vsftpd
# Allowlist: only names listed in /etc/vsftpd/users may log in.
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/users
# Optional per-user overrides, one file per login name in this directory.
user_config_dir=/etc/vsftpd/vsftpd_user_conf
#
# ----- What they may do -------------------------------------------------
# Jail each user in its home directory and keep the tree read-only.
chroot_local_user=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Show "ftp" instead of the real owner and group in directory listings.
hide_ids=YES
#
# ----- Transport security -----------------------------------------------
# TLS is mandatory for both the login and the data connections.
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Certificate and private key live in the same PEM file.
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
#
# ----- Logging ----------------------------------------------------------
# Record transfers and the full command/reply dialogue in one file.
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
log_ftp_protocol=YES
For my firewall I have:
21 allowed in (actually, for security reasons I don't use 21, but that doesn't really matter)
51600 to 51602 allowed in too (passive range).
nuhiNlow n00b


Joined: 07 Jan 2009 Posts: 46
Posted: Mon Mar 30, 2009 6:16 pm Post subject: |
The firewall is set up OK.
I'm testing on my internal LAN and getting this error.
It does not appear to be network related.
Thanks.
TheAbu Apprentice

Joined: 08 Jun 2008 Posts: 160 Location: Lyon, France
Posted: Mon Mar 30, 2009 6:50 pm Post subject: |
You probably already checked this, but for the sake of completeness:
Does the home folder for your virtual users belong to root with group virtual (or whatever your virtual user is called)?
Are the permissions on this folder set to 2750?
Do the subfolders (your users' folders) also belong to root with group virtual, with permissions also set to 2750?
nuhiNlow n00b


Joined: 07 Jan 2009 Posts: 46
Posted: Mon Mar 30, 2009 10:26 pm Post subject: |
Mar 30 17:23:25 [vsftpd] pam_userdb(vsftpd:auth): user_lookup: could not open database `/etc/vsftpd/passwd': Invalid argument
I keep getting that error.
drwxr-s--- 3 virtualftp users 4096 2009-03-27 11:37 ftp
What does chmod 2750 do? I have not used that one before.
Thanks for your replies. It is difficult getting back into this one, as I dropped it in disgust on Friday.
I may spend more time on it tomorrow, but I did a lot of googling and kept coming back to the PAM problem mentioned in the first line of this post.
It seems I have run across an old bug/problem with PAM and Berkeley DB that never got resolved.
It would be nice to confirm that.
Merci!
TheAbu Apprentice

Joined: 08 Jun 2008 Posts: 160 Location: Lyon, France
Posted: Tue Mar 31, 2009 9:44 am Post subject: |
Here is a cat of the vsftpd file I created in /etc/pam.d/, in case it helps:
# /etc/pam.d/vsftpd -- authenticate and authorise vsftpd logins against a
# Berkeley DB user database. NOTE(review): pam_userdb opens the db= path
# with ".db" appended, so the file on disk is expected to be
# /etc/vsftpd/login.db -- confirm the file name matches.
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/login
I guess you did emerge sys-auth/pam_userdb?
Sorry if some of my questions sound a bit condescending, but it's a fairly complex setup and a lot of things can go wrong if you forget one step.
nuhiNlow n00b


Joined: 07 Jan 2009 Posts: 46
Posted: Tue Mar 31, 2009 1:04 pm Post subject: |
No worries about the questions; the only way this will get solved is by examining every part of the setup.
[ebuild R ] sys-auth/pam_userdb-0.99.8.1 USE="nls" 0 kB
phoenix vsftpd # cat /etc/pam.d/vsftpd
# /etc/pam.d/vsftpd -- vsftpd virtual-user logins checked against a Berkeley
# DB file; crypt=hash means the stored passwords are hashed rather than
# plaintext. NOTE(review): pam_userdb appends ".db" to the db= path, so the
# database file is expected to be /etc/vsftpd/passwd.db -- a mismatch here
# is one reason for "could not open database ... Invalid argument"; confirm.
auth required pam_userdb.so db=/etc/vsftpd/passwd crypt=hash
account required pam_userdb.so db=/etc/vsftpd/passwd crypt=hash
nuhiNlow n00b


Joined: 07 Jan 2009 Posts: 46
Posted: Tue Mar 31, 2009 1:10 pm Post subject: |
# Variant of /etc/pam.d/vsftpd with the module given by absolute path.
# On a multilib amd64 box the module may instead live under
# /lib64/security; the symptom is unchanged either way, so the path is
# probably not the problem here.
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/passwd crypt=hash
account required /lib/security/pam_userdb.so db=/etc/vsftpd/passwd crypt=hash
I have also tried using /lib64/security...
I still get the PAM error in the logs.
Here's emerge --info:
phoenix vsftpd # emerge --info
Portage 2.2_rc27 (default/linux/amd64/2008.0, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.29-gentoo x86_64)
=================================================================
System uname: Linux-2.6.29-gentoo-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_6400+-with-glibc2.2.5
Timestamp of tree: Fri, 27 Mar 2009 11:30:16 +0000
app-shells/bash: 3.2_p48-r1
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python: 2.5.4-r2
dev-util/cmake: 2.6.3
sys-apps/baselayout: 2.0.0-r2
sys-apps/openrc: 0.4.2-r1
sys-apps/sandbox: 1.6
sys-devel/autoconf: 2.13, 2.63
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils: 2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6a
virtual/os-headers: 2.6.28-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages metadata-transfer parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed"
LINGUAS="en_US"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X a52 aac acl acpi alsa amd64 apm banshee berkdb bzip2 cdinstall cdparanoia cdr cli cracklib crypt cups dbus dga directfb dri dvb dvd dvdr dvdread encode escreen exif fam ffmpeg flac fortran gdbm gif gimp gnome gnome-keyring gnutls gphoto2 gpm gstreamer gtk gtkhtml hal hddtemp iconv ipod isdnlog java java6 javascript jpeg lame libnotify libv4l2 lm_sensors mad midi mmx mp3 mp4 mpeg mudflap multilib musicbrainz mysql nautilus ncurses nls nptl nptlonly nsplugin nvidia offensive ogg opengl openmp pam pcre pdf perl png pppd python quicktime rdesktop readline reflection sensord session smp spell spl sse sse2 ssl startup-notification svg sysfs tcpd tiff truetype unicode usb vnc vorbis wavpack xml xorg xscreensaver xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="auth_basic autoindex authz_host auth_host dir mime dav dav_fs authn_file auth_digest authz_groupfile" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY