vsftpd - success is so close! need a hand!

Posted on Wed Mar 02, 2011 11:59 am

OK, I've been working on setting up vsftpd for 2.5 days. I've read the bloody manual, taken meticulous notes, outlined a game plan, and I'm almost there! All I need to do is solve this issue:

500 OOPS: cannot change directory:/srv/ftp/job06 :lol: Crap!

My guess is that it is either a simple directory owner, group, or mode problem, or else I'm missing something in vsftpd.conf.

So, starting from the beginning:
I'm a business. For each of my contracts I need an FTP share for a team of consultants.
Each member of the team gets their own directory inside a shared chroot jail.

I'm using --passwd_chroot_enable in vsftpd.conf so that I can specify the chroot jail location on a per-user basis by editing the home directory path for each user in the passwd file - has anyone here used this?

Now... I can verify that I can connect to FTP with my own personal account (different from my account for the project team below), so I know that vsftpd is up and running and taking connections. I have excepted my personal account from chroot_local_user by listing myself in chroot_list_enable and that is all working fine. I have also created another "normal" user called "dummy" and dummy can connect and is chrooted to his own directory, so I've got the chroot parameters set up correctly, at least for normal users. So here's the rest of the setup:

FTP root: /srv/ftp
Shared chroot jail: /srv/ftp/job06013
Member directories in that jail: arch, mep (that's all for now, will add more when I get this working)
My user account happens to be "arch"
I've created a group for this project team called "ftp06013" and I've added the users to that group and assigned the directories for the ftp share to that group (output of ls -l shown below for each directory).

So, for "arch" the passwd file says:
arch:x:1003:1003:,,,:/srv/ftp/job06013/./arch:/bin/bash
where the /./ specifies that the chroot jail is job06013/

Directory owner, group, permissions (permissions for all the below are 650):
for /srv/ftp/job06013:
drw-r-x--- 4 arch ftp06013 4096 2011-03-02 10:48 job06013
for the two directories inside job06013:
drw-r-x--- 2 arch ftp06013 4096 2011-03-01 12:50 arch
drw-r-x--- 2 mep ftp06013 4096 2011-03-01 12:24 mep

Here's vsftpd.conf:
listen=YES
#listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
#local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
#ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem

# The above are all "from the factory" directives
# although some have been changed from their default values.
# and some have been un-commented.
# The below are added directives.

passwd_chroot_enable=YES


Here's the passwd file:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:103:109::/var/spool/postfix:/bin/false
dovecot:x:104:111:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:106:115::/var/lib/landscape:/bin/false
jt:x:1000:1000:jt,,,:/home/jt:/bin/bash
ftp:x:107:118:ftp daemon,,,:/srv/ftp:/bin/false
dummy:x:1001:1001:,,,:/home/dummy:/bin/bash
mep:x:1002:1002:,,,:/srv/ftp/job06013/./mep:/bin/bash
arch:x:1003:1003:,,,:/srv/ftp/job06013/./arch:/bin/bash


I think that's everything. Hopefully I edited out all the sensitive stuff without mucking anything up. Any advice is much appreciated.
flip-mode

Re: vsftpd - success is so close! need a hand!

Posted on Wed Mar 02, 2011 1:30 pm

Why 650 on the directory? I think you should be 750; x permission on directories means that you can traverse the directory tree. Without that I think you might get into problems.
notfred

Re: vsftpd - success is so close! need a hand!

Posted on Wed Mar 02, 2011 2:00 pm

notfred wrote: Why 650 on the directory? I think you should be 750; x permission on directories means that you can traverse the directory tree. Without that I think you might get into problems.

Oh... my... gosh that was it! YOU ARE THE BOMB notfred - rescued me twice now in the last week.

The reason I had 650 is obviously because I don't have a clear grasp on permissions yet. I'm making progress but still I'm a noob.
flip-mode

Re: vsftpd - success is so close! need a hand!

Posted on Wed Mar 02, 2011 4:10 pm

Yup, the 'x' permission flag is overloaded, so to speak. For regular files it grants execute permission; for directories, it grants traversal permission (but not permission to list the contents of the directory).

It can be a somewhat confusing concept if you're not accustomed to it. When applied to a directory, the 'x' bit basically says "you can pass through if you already know where you're going, but you're not allowed to look around while you're here".
(this space intentionally left blank)
just brew it!
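
Added example, not written by anyone in this thread: a small path walker that applies the directory search ('x') rule discussed above to each component of a path and reports the first directory that blocks a chdir. It builds a constructed copy of the job06013/arch layout in a temporary directory (standing in for /srv/ftp), treats uid+1 as a hypothetical second user, and models unprivileged users only, since root bypasses these checks.

```python
import os, shutil, stat, tempfile

def search_allowed(st, uid, gids):
    """Does this uid/group set get the directory 'x' (search) bit?

    Exactly one permission class applies: owner, else group, else other.
    An owner with rw- is refused even when the group class has r-x.
    """
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocker(base, rel, uid, gids):
    """Walk base/rel one component at a time, the way chdir() resolves it,
    and return the first directory the user cannot search, or None."""
    path = base
    for part in rel.split("/"):
        path = os.path.join(path, part)
        if not search_allowed(os.stat(path), uid, gids):
            return path          # stop here: nothing below is reachable
    return None

def demo():
    """Constructed tree shaped like the thread's job06013/arch."""
    base = tempfile.mkdtemp()
    jail = os.path.join(base, "job06013")
    os.makedirs(os.path.join(jail, "arch"))
    me, gid = os.getuid(), os.stat(jail).st_gid
    os.chmod(os.path.join(jail, "arch"), 0o650)
    os.chmod(jail, 0o650)                        # drw-r-x--- as posted
    owner_650 = first_blocker(base, "job06013/arch", me, {gid})
    # Hypothetical group member who is not the owner of job06013:
    member_650 = first_blocker(base, "job06013", me + 1, {gid})
    os.chmod(jail, 0o750)                        # the fix from the thread
    os.chmod(os.path.join(jail, "arch"), 0o750)
    owner_750 = first_blocker(base, "job06013/arch", me, {gid})
    outsider_750 = first_blocker(base, "job06013", me + 1, set())
    shutil.rmtree(base)
    rel = lambda p: p and os.path.relpath(p, base)
    return rel(owner_650), member_650, owner_750, rel(outsider_750)

if __name__ == "__main__":
    print(demo())
```

With mode 650 the owner is stopped at job06013 while a group member is not, because only the owner class is consulted for the owner; with 750 the owner gets through and users outside the group are still kept out.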

Re: vsftpd - success is so close! need a hand!

Posted on Wed Mar 02, 2011 4:18 pm

I have to say it seems weird, but it also makes some sense. Then again, my brain is shutting down after the last couple of days of figuring out how to get this far. I need a long weekend. This weekend is Bockfest in Cincinnati, so that aligns nicely :D
flip-mode

