Q: ProFTP - restricting users to a certain directory ( No Answer,   13 Comments )
Question  
Subject: ProFTP - restricting users to a certain directory
Category: Computers > Security
Asked by: davert2-ga
List Price: $16.00
Posted: 13 Feb 2003 07:12 PST
Expires: 15 Mar 2003 07:12 PST
Question ID: 160883
I am having a hard time restricting users to a single directory using
proftp. I have published my configuration file for your reference to
http://www.toolpack.com/proftpd.conf - any help would be appreciated.

Clarification of Question by davert2-ga on 14 Feb 2003 06:40 PST
I should mention that I have already tried setting the root and
running proftpd as root. I am probably missing a single line of code
or something.

Clarification of Question by davert2-ga on 14 Feb 2003 13:32 PST
I should also mention I am trying to have this work via sftp. I've
already set it up so that users have rssh shells - not real ones, just
sftp-and-scp-capable shells.
Answer  
There is no answer at this time.

Comments  
Subject: Re: ProFTP - restricting users to a certain directory
From: frogfantastic-ga on 23 Feb 2003 16:52 PST
 
Hi,
I have peeped at your config file, and I think I know what's wrong.
I assume you are trying to restrict ftp users to a specific directory.
You have found the right directive - "DefaultRoot", but you are using
it incorrectly.
The best bet is to do the following

1) Remove (or comment out if you prefer) all lines with DefaultRoot in
the config file.
2) work out what users you want restricted to what directory,
3) Add the default root lines in the appropriate places in the config
file.

Ok, so say we have a user 'henry' and we want his root directory to be
/tmp/ftpstuff, we need to add the following line

DefaultRoot /tmp/ftpstuff henry

now for everyone else we want their ftp root to be their temporary
folder under their user eg. /home/fred/tmp we would add the following
line

DefaultRoot ~/tmp !henry

Ok, to explain what is going on above, the ~ represents the users'
home directory ie for bob its probably /home/bob, for jim its
/home/jim and so on. You specify !henry, because you DONT want this to
be applied to henry (who you want to have as /tmp/ftpstuff) the ! sign
means "not".

So where do you put these lines? Well it depends on your other
configuration settings, but I would put them in your global block (ie.
somewhere between <global> and </global>)

The only other thing is anonymous users. The DefaultRoot command is
not for use in the anonymous block, the default root directory should
be supplied as part as part of the block declaration eg

<Anonymous /home/ftp>
...  
</Anonymous>

Hope this helps
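The rules the comment above describes (the `~` expansion, the `!` negation, and which DefaultRoot line applies to which login) are easy to get wrong when several lines are stacked in one block. The script below is an added example, not ProFTPD code and not from this thread: it models the documented DefaultRoot matching rules so a config can be sanity-checked offline. Two details come from ProFTPD's documentation rather than from the comment: the second argument is a group expression (a comma-separated list of groups, each optionally negated with `!`, all of which must hold), which is why `!henry` behaves as "not user henry" only on systems where each user has a private primary group of the same name; and the first matching line is assumed to win. The account table is constructed sample data.

```python
"""Model of how ProFTPD's DefaultRoot directive picks a chroot for a login.

Added example (not ProFTPD source, not from the thread). It implements:
  - syntax  DefaultRoot <path> [group-expression]
  - the expression is a comma-separated list of group names, each optionally
    prefixed with '!' (negation); every term must hold (AND)
  - '~' (or '~/sub') stands for the login user's home directory
  - the first matching DefaultRoot line wins (assumption from the docs)
"""
import posixpath

# Constructed sample account database: user -> (home, set of groups).
# Each user has a private primary group of the same name, which is what
# makes "!henry" in the comment above act like "not user henry".
ACCOUNTS = {
    "henry": ("/home/henry", {"henry", "users"}),
    "fred":  ("/home/fred",  {"fred", "users"}),
    "rich":  ("/home/rich",  {"rich", "users", "wheel"}),
}


def parse_default_root(line):
    """Parse one 'DefaultRoot path [expr]' line into (path, [terms])."""
    parts = line.split()
    if len(parts) < 2 or parts[0].lower() != "defaultroot":
        raise ValueError("not a DefaultRoot directive: %r" % line)
    path = parts[1]
    terms = parts[2].split(",") if len(parts) > 2 else []
    return path, terms


def expression_matches(terms, groups):
    """Evaluate a ProFTPD-style group expression against a set of groups.

    An empty expression matches everyone. A term 'g' requires membership in
    g; '!g' requires non-membership. All terms must be satisfied.
    """
    for term in terms:
        if term.startswith("!"):
            if term[1:] in groups:
                return False
        elif term not in groups:
            return False
    return True


def resolve_default_root(config_lines, user):
    """Return the directory the user would be chrooted to, or None when no
    DefaultRoot line applies (the user then sees the whole filesystem)."""
    home, groups = ACCOUNTS[user]
    for line in config_lines:
        line = line.strip()
        # blank lines, comments and other directives are skipped
        if not line or line.startswith("#"):
            continue
        if not line.lower().startswith("defaultroot"):
            continue
        path, terms = parse_default_root(line)
        if expression_matches(terms, groups):
            if path == "~":
                path = home
            elif path.startswith("~/"):
                path = posixpath.join(home, path[2:])
            return posixpath.normpath(path)
    return None


# The two lines proposed in the comment above, as they might sit inside a
# <Global> block next to a commented-out line and an unrelated directive.
SAMPLE_GLOBAL = [
    "RootLogin off",
    "#DefaultRoot ~",
    "DefaultRoot /tmp/ftpstuff henry",
    "DefaultRoot ~/tmp !henry",
]

if __name__ == "__main__":
    for name in ACCOUNTS:
        print("%-6s -> %s" % (name, resolve_default_root(SAMPLE_GLOBAL, name)))
```

Running it shows henry landing in /tmp/ftpstuff and everyone else in their own ~/tmp; a user for whom no line matches gets None, which is the "can see the whole server" case the question describes, so that is the condition to check for first when a jail appears not to work.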
Subject: Re: ProFTP - restricting users to a certain directory
From: davert2-ga on 24 Feb 2003 05:56 PST
 
I appreciate your taking the time to investigate and to answer. I did
try doing as you said (commented out all current DefaultRoots, added
it under Global as:)
DefaultRoot /home/vhosts/rich rich

for user rich, to default to /home/vhosts/rich . What happens is that
when I use SFTP to log in, I get directed to the correct directory,
but then I can easily back up out of it and have access to the entire
server.
Subject: Re: ProFTP - restricting users to a certain directory
From: davert2-ga on 24 Feb 2003 05:57 PST
 
Oh, wait a second...can it be that I can *view* all other files, but
cannot *change* them?
Subject: Re: ProFTP - restricting users to a certain directory
From: frogfantastic-ga on 24 Feb 2003 15:23 PST
 
No, your original assumption is correct. Defaultroot sets the "root"
directory to be the one you specified, as such you cannot see above
it, you should not be able to see for example, the 'home' directory,
as it is above the level you set the default root to.

Hmm, have you re-loaded the config file to apply your changes? the way
i do this is :

ps -A | grep proftpd

get the process number (pid) and put it into

kill -HUP <pid from above>

Another possibility is that you may be changing the wrong config file
or something (for example if you unwittingly have more than one
version of proftpd installed). You could test this by changing the
filename of the login message to point to a different file (with a
different message).

If you still have problems, can you re-post your config file?
Subject: Re: ProFTP - restricting users to a certain directory
From: davert2-ga on 25 Feb 2003 05:36 PST
 
Tried killing and restarting, then tried killing and restarting while
pointing to a specific config file with -c. Here is the revised config
file:

ServerName                      "Allpar"
ServerType standalone
DeferWelcome                    off

MultilineRFC2228 on
DefaultServer                   on
ShowSymlinks                    on
AllowOverwrite                  on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1800

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
LsDefaultOptions                "-l"

DenyFilter                      \*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd               off

Port                            21

# To prevent DoS attacks, set the maximum number of child processes to 30
MaxInstances 12

# Set the user and group that the server normally runs at.
User root

# Normally, we want files to be overwriteable.

<Directory /*>
  Umask                         644  644
  AllowOverwrite                on
</Directory>

<VirtualHost 216.120.237.3>
ServerName "216.120.237.3"
AllowRetrieveRestart on
AllowStoreRestart on
DefaultTransferMode ascii
DeleteAbortedStores on
HiddenStor off
AllowOverwrite on
RootLogin off
DefaultRoot /home/vhosts/rich rich
</VirtualHost>

<Global>
RootLogin off
#DefaultRoot ~
RequireValidShell on
AllowOverwrite on
AllowRetrieveRestart on
AllowStoreRestart on
MaxClients 3
MaxClientsPerHost 3
CDPath /home/vhosts/ag
CDPath /home/vhosts/aqpnnj.com
CDPath /home/allpar
DeleteAbortedStores on
DefaultRoot /home/vhosts/rich rich
</Global>
Subject: Re: ProFTP - restricting users to a certain directory
From: braveheart-ga on 27 Feb 2003 09:16 PST
 
The config file seems to be okay at first glance, though my experience
with proftp config files is that they are somewhat tricky to debug.
Try to tail -f your xferlog and/or your messages log file, then try
logging in... see if it throws any error messages in there.

Apart from that, I can only think that chroot() might not be working
for some reason. Try compiling this C code (gcc -o binname
codename.c), which should check if chroot() is working properly:

#include <stdio.h>
#include <errno.h>     /* errno is set by chroot() and chdir() on failure */
#include <string.h>    /* strerror() turns errno into a readable message */
#include <unistd.h>

#define WANTED_ROOT "/etc"

int main(void) {

   fprintf(stdout, "Trying to chroot to %s...", WANTED_ROOT);
   if (chroot(WANTED_ROOT) == -1) {
      /* EPERM means not root; ENOENT means the path does not exist */
      fprintf(stdout, " ERROR - couldn't chroot: %s\n", strerror(errno));
      return 1;
   }
   /* chroot() does not move the working directory into the new root;
      a real jail must chdir() as well or the old tree stays reachable */
   if (chdir("/") == -1) {
      fprintf(stdout, " ERROR - couldn't chdir into new root: %s\n", strerror(errno));
      return 1;
   }
   fprintf(stdout, " done!\n");
   return 0;

}

You need to be root for chroot() to function - if you get an error,
then external the variable "errno", and compare it with the errors
listed in the chroot() man page... or if you're not too good with the
old C code, I'll do it for you. If it works fine, I'll see if your
config file works on a server of mine, then take it from there.

Cheers,
 Stuart.
Subject: Re: ProFTP - restricting users to a certain directory
From: davert2-ga on 28 Feb 2003 05:43 PST
 
Your C code runs nicely but returns no errors. There is nothing in
messages except allpar -- MARK -- messages, and nothing new shows up in
the xferlog. So any help you could provide in testing would be
appreciated!!!
Subject: Re: ProFTP - restricting users to a certain directory
From: braveheart-ga on 28 Feb 2003 08:26 PST
 
Try commenting out that VirtualHost block - my test server didn't like
it very much (though I can't tell why). Since DefaultServer is on, all
your network bound IPs will be caught by the daemon anyway, so the
only reason for the VirtualHost block would be to have separate
configuration directives for one host, which is negated by the fact
that anyone can log on using another IP anyway.

You can put those VirtualHost directives inside the Global block if
this method works... though I would still like to know what ProFTP has
against it (I rediscover how ugly ProFTP config files are every time I
have to edit one). Apart from that, my only other idea was that your
CDPath directives weren't behaving, but they seemed to work okay on my
server even when chroot jailed fine.

Let me know how you get on, I hope we can get this fixed soon.
  Stuart.
Subject: Re: ProFTP - restricting users to a certain directory
From: davert2-ga on 28 Feb 2003 09:37 PST
 
You won't believe it but...no go!

Here's the revised config file.

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "Allpar"
ServerType standalone
DeferWelcome                    off

MultilineRFC2228 on
DefaultServer                   on
ShowSymlinks                    on
AllowOverwrite                  on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1800

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
LsDefaultOptions                "-l"

DenyFilter                      \*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd               off

Port                            21

# To prevent DoS attacks, set the maximum number of child processes to 30
MaxInstances 12

# Set the user and group that the server normally runs at.
User root

# Normally, we want files to be overwriteable.
<Directory /*>
  Umask                         644  644
  AllowOverwrite                on
</Directory>

<Global>
RootLogin off
#DefaultRoot ~
RequireValidShell on
AllowOverwrite on
AllowRetrieveRestart on
AllowStoreRestart on
DefaultTransferMode ascii
HiddenStor off
AllowOverwrite on
MaxClients 3
MaxClientsPerHost 3
CDPath /home/vhosts/ag
CDPath /home/vhosts/aqpnnj.com
CDPath /home/allpar
DeleteAbortedStores on
DefaultRoot /home/vhosts/rich rich
</Global>
Subject: Re: ProFTP - restricting users to a certain directory
From: davert2-ga on 06 Mar 2003 12:14 PST
 
Oops! I found the problem when I removed proftp to try to install a
different program - something I had NO success in doing. (And when I
tried to reinstall proftp I got the dreaded "No certificate files
found!" error even though I have certificates!).

And sftp still worked...

It turns out that the SSH program has its OWN sftp server which was
apparently being used INSTEAD of proftp.

So that is why I could not do anything.

Now I have to figure out where the config files for sftp-server are!
Subject: Re: ProFTP - restricting users to a certain directory
From: davert2-ga on 06 Mar 2003 12:15 PST
 
PS> For the amount of work you put in, I think I should still pay
you...but if you have a quick answer to the two problems I now have
(including proftp not working!) I'd love to hear it.
Subject: Re: ProFTP - restricting users to a certain directory
From: braveheart-ga on 18 Mar 2003 10:34 PST
 
Sorry I haven't answered sooner, but after I posted that last comment,
I got totally knocked off my feet with work and forgot about your
question!

If you're still having your problems with SFTP, then I can see what I
can do for you, but you'll need to tell me what kind of SSH server it
is you have installed. I guess this isn't OpenSSH, since last time I
checked, it didn't come with an sftp server.

Oh, and by the way, I'm not a Google researcher, so you can't pay me
for this - I just like helping out now and then :). Let me know.

-- Stuart
Subject: Re: ProFTP - restricting users to a certain directory
From: davert2-ga on 18 Mar 2003 12:39 PST
 
Well, I certainly owe you my thanks! Here's what's in the config file:

$OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $

It's a Debian Linux system...I thought it was OpenSSH because when I
use MacSSH the first line is "OpenSSH_3.4p1, SSH protocols 1.5/2.0,
OpenSSL 0x0090605f" But I realize that might just be MacSSH! It does
later say:

debug1: Remote protocol version 2.0, remote software version
OpenSSH_3.5p1 Debian 1:3.5p1-2
debug1: match: OpenSSH_3.5p1 Debian 1:3.5p1-2 pat OpenSSH*

Which leads me to believe it is OpenSSH. 

The last line of sshd config is: Subsystem sftp /usr/lib/sftp-server
Which is what got me thinking...! Especially since I essentially
destroyed my ftp access - now proftpd won't start, says certificates
not found. That's OK with me I suppose.

Man says: "sftp-server is a program that speaks the server side of SFTP
protocol to stdout and expects client requests from stdin.  sftp-server
is not intended to be called directly, but from sshd(8) using the
Subsystem option.  See sshd(8) for more information."
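The thread ends with the actual cause: the `Subsystem sftp /usr/lib/sftp-server` line means OpenSSH's own sftp-server was answering SFTP logins, so no proftpd directive could ever confine them. The fragment below is an added example, not from this thread, showing how the same restriction is expressed in sshd_config for OpenSSH 4.9 or newer (ChrootDirectory and internal-sftp did not exist in the OpenSSH 3.5p1 shown above, where sftp-server had no per-user jail of its own). The user name and path are the ones from the question; everything else is a directive as documented in sshd_config(5).

```text
# sshd_config (added example; requires OpenSSH 4.9 or newer)

# Use the in-process SFTP server so the jail needs no copy of
# /usr/lib/sftp-server or its libraries inside it.
Subsystem sftp internal-sftp

# Match blocks must come after all global settings: everything below a
# Match line applies only to that match, up to the next Match or the end
# of the file.
Match User rich
    # The jail root and every directory above it must be owned by root and
    # not writable by group or others, or sshd refuses the login.
    ChrootDirectory /home/vhosts/rich
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Because the jail root has to be root-owned, the user cannot write directly into /home/vhosts/rich; give them a subdirectory they own underneath it for uploads. Check the file with `sshd -t` before restarting the daemon, and confirm the jail in the same way the question did: log in with sftp and try to `cd ..` above the directory.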
