
30th August 2012, 22:56
Member
FTP Weird Behavior
Hi Guys,
I'm not sure if this is a bug, or is normal.
After a fresh install, I made one user for FTP.
The user was able to access his FTP and make directories with FileZilla on his /.
Then, as a test, I enabled an SSH login for the same account (without quota on, I mean -1 on his limit), so his directory got new folders:
bin
cgi-bin
dev
etc...
And now the user can't make directories using FTP or SSH. Is this a bug? Normal behavior? Do I need to set something else?
I'm on Debian 6
ISPConfig 3.0.4.6

30th August 2012, 23:16
Member
While the SSH user exists, as root I can't change the / structure either.
I was trying to install group-office, which requires a folder on the user's /, and as the user I just get Permission Denied on SSH or the FTP client.
Then I logged on to the server as root and made the dir, but the dir wasn't available on the user's /.
So I removed the SSH login and like magic the folder popped up.
Note: I did the SSH login enabling Jailkit since the manual said it is more secure. Is this behavior normal? I mean, for every user for which I enable SSH, are they going to lose the permission to write to their / directory?
Last edited by Wisdown; 31st August 2012 at 07:18.

31st August 2012, 09:04
Super Moderator
Quote:
|
Note: I did the SSH login enabling Jailkit since the manual said it is more secure. Is this behavior normal?
|
Yes. The folders in the jail are required by jailkit.
Quote:
|
I mean, for every user for which I enable SSH, are they going to lose the permission to write to their / directory?
|
Yes, otherwise jailkit would not work; the / of a jail has to be owned by root. But you should not put any files in / anyway; better make a new subdirectory in the web / like /private and put your private files there.

31st August 2012, 09:29
Member
Quote:
Originally Posted by till
Yes. The folders in the jail are required by jailkit.
Yes, otherwise jailkit would not work; the / of a jail has to be owned by root. But you should not put any files in / anyway; better make a new subdirectory in the web / like /private and put your private files there.
|
By private, do you mean setting the subdirectories to 770?
I noticed 2 pieces of software which require a private directory inside of /:
moodle
group-office
My last question is about "rollback": in the situation I described, ISPConfig should revert the jail, right? Since I deleted the SSH access (deleted the login instead of disabling the user), there is no reason to keep the files/folders for SSH, right?
I'm still testing installations; in the end I will post my findings.
Then I will focus on my sasl problem (from another post), but one thing at a time.
Thanks in advance.

31st August 2012, 09:54
Super Moderator
Quote:
|
By private, do you mean setting the subdirectories to 770?
|
No, I mean to create a new directory with the name "private". That directory will be available in 3.0.5 by default.
Quote:
|
My last question is about "rollback": in the situation I described, ISPConfig should revert the jail, right?
|
No, the jail shall not be reverted. The reason is that ISPConfig cannot detect if an application of this web still uses a file in one of these folders or if the user or admin has placed a file there.

31st August 2012, 10:52
Member
Quote:
No, I mean to create a new directory with the name "private". That directory will be available in 3.0.5 by default.
|
Ah, got it. Is there any special permission to set, or when a directory is named "private" does Apache hide it from the internet?
By the way, is there any estimated date for the release of 3.0.5? Wondering if I should wait a little more to see if the new release is not going to have the bug I got with sasl ( http://www.howtoforge.com/forums/showthread.php?t=58390) after trying both setups, multiple servers and one dedicated server.

31st August 2012, 11:29
Super Moderator
Quote:
|
Ah, got it. Is there any special permission to set, or when a directory is named "private" does Apache hide it from the internet?
|
Example for permissions:
Domain: example.tld
Web user: web1
Client group: client1
The commands to create the directory for this example are:
mkdir /var/www/domain.tld/private
chown web1:client1 /var/www/domain.tld/private
chmod 770 /var/www/domain.tld/private
This ensures that the content in the private directory is only readable by user and group of the website (so the folder is readable by FTP, ssh and the php scripts to include content from there as required by the cms systems you mentioned above).
This folder will be automatically created in the next ispconfig release and you can create it with the above commands in 3.0.4.6 manually.
Quote:
|
By the way, is there any estimated date for the release of 3.0.5? Wondering if I should wait a little more to see if the new release is not going to have the bug I got with sasl (http://www.howtoforge.com/forums/showthread.php?t=58390) after trying both setups, multiple servers and one dedicated server.
|
The above thread is about a config problem on your server and not a general bug in ISPConfig. I run all my servers on Debian 6, none of them has a problem with sasl, and there are no reported bugs about Debian 6 and sasl in the bugtracker while there are tens of thousands of servers with this software combination installed, so the problem must be related to a misconfiguration on that server if you see it from a statistical standpoint. The guide you followed as you tried to fix it is for Ubuntu Linux and not Debian, and the Ubuntu problem was already solved some time ago, so it does not apply to recent ISPConfig versions anyway.
Which perfect setup guide did you follow to install your server, and did you follow the guide to the letter?
As a side note, I would recommend using Dovecot and not courier for new servers. On Dovecot servers, sasl is not even required; it is used only for courier.
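A check for the layout described in this thread, as an added example that is not part of the original posts or of ISPConfig: it verifies that the jail root is owned by root and that the private directory has the owner, group and mode from the commands above. GNU stat is assumed, the function names are hypothetical, and rejecting group/other write bits on the jail root is an added strictness.

```shell
#!/bin/sh
# Added example: audit a jailed web root and its private directory.
# Assumes GNU stat; web1/client1 are the sample names from the thread.

# check_jail_root DIR -> 0 if DIR is owned by root and not group/other-writable
check_jail_root() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 2; }
    uid=$(stat -L -c '%u' "$1")      # -L: follow a symlinked web root
    mode=$(stat -L -c '%a' "$1")
    if [ "$uid" -ne 0 ]; then
        echo "$1: owned by uid $uid, jail root must be owned by root" >&2
        return 1
    fi
    # Added strictness: write bits for group/others would defeat root ownership.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$1: mode $mode lets group or others write to the jail root" >&2
        return 1
    fi
}

# check_private_dir DIR OWNER GROUP -> 0 if DIR is OWNER:GROUP with rwxrwx---
check_private_dir() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 2; }
    owner=$(stat -L -c '%U' "$1")
    group=$(stat -L -c '%G' "$1")
    mode=$(stat -L -c '%a' "$1")
    if [ "$owner" != "$2" ] || [ "$group" != "$3" ]; then
        echo "$1: is $owner:$group, expected $2:$3" >&2
        return 1
    fi
    # Compare only the rwx bits so a setgid bit on the directory is tolerated.
    if [ $(( 0$mode & 0777 )) -ne $(( 0770 )) ]; then
        echo "$1: mode $mode, expected 770" >&2
        return 1
    fi
}

# Usage: sh audit.sh /var/www/domain.tld web1 client1
if [ "$#" -eq 3 ]; then
    check_jail_root "$1" && check_private_dir "$1/private" "$2" "$3" \
        && echo "OK: $1"
fi
```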

31st August 2012, 13:00
Member
Quote:
Originally Posted by till
Example for permissions:
Domain: example.tld
Web user: web1
Client group: client1
The commands to create the directory for this example are:
mkdir /var/www/domain.tld/private
chown web1:client1 /var/www/domain.tld/private
chmod 770 /var/www/domain.tld/private
This ensures that the content in the private directory is only readable by user and group of the website (so the folder is readable by FTP, ssh and the php scripts to include content from there as required by the cms systems you mentioned above).
This folder will be automatically created in the next ispconfig release and you can create it with the above commands in 3.0.4.6 manually.
|
Thank you for the step by step!!!
I see now why my tests were getting things messed up: I was doing chown www-data:www-data thinking this is the default command; now I see my syntax was wrong.
Quote:
|
The above thread is about a config problem on your server and not a general bug in ISPConfig. I run all my servers on Debian 6, none of them has a problem with sasl, and there are no reported bugs about Debian 6 and sasl in the bugtracker while there are tens of thousands of servers with this software combination installed, so the problem must be related to a misconfiguration on that server if you see it from a statistical standpoint. The guide you followed as you tried to fix it is for Ubuntu Linux and not Debian, and the Ubuntu problem was already solved some time ago, so it does not apply to recent ISPConfig versions anyway.
|
No doubt you know how to set things up better than me, so for you it is almost impossible to have any problem on your servers, but I'm a noob learning about Linux and how things work on this side.
If you ask me something about MSSQL I can help, since I work with MSSQL, but outside of the MSSQL world I'm a noob.
Quote:
Which perfect setup guide did you follow to install your server, and did you follow the guide to the letter?
As a side note, I would recommend using Dovecot and not courier for new servers. On Dovecot servers, sasl is not even required; it is used only for courier.
|
I followed this guide:
http://www.howtoforge.com/perfect-se...ot-ispconfig-3
I tried the manual also.
On the multiple-server setup I added spamav / jailkit on all the other servers too; that is the only difference.
I tried mixing some parts too, for example: fresh install with SSH, fresh install without SSH, and it didn't work either.
But on this part:
Quote:
|
As a side note, I would recommend using Dovecot and not courier for new servers. On Dovecot servers, sasl is not even required; it is used only for courier.
|
I think you discovered the source of the problem. I checked in the ISPConfig panel and it is using Dovecot, so my guess is that somehow the setup left courier enabled.
Then the service is running, looking for something and producing the error about sasl.
Is there a guide for changing this?
Thanks
Last edited by Wisdown; 31st August 2012 at 13:06.

31st August 2012, 13:49
Super Moderator
The setup you used uses dovecot which is fine and ispconfig recognized it correctly as well, so sasl is not required and should not be in use. Maybe the base linux system that you used had courier or another sasl based setup installed. Please post the content of the postfix main.cf file and the output of:
netstat -tap | grep pop

31st August 2012, 14:04
Member
This is the output:
tcp 0 0 *:pop3 *:* LISTEN 2454/pop3-login
tcp 0 0 *:pop3s *:* LISTEN 2454/pop3-login
Should the program be running?
And the file:
Quote:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = server1.mydomain.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = server1.mydomain.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
|
The log from ISPConfig:
Quote:
Aug 30 15:07:27 server1 dovecot: dovecot: Killed with signal 15 (by pid=5377 uid=0 code=kill)
Aug 30 17:15:38 server1 postfix/smtpd[2913]: warning: SASL: Connect to private/auth failed: No such file or directory
Aug 30 17:15:38 server1 postfix/smtpd[2913]: fatal: no SASL authentication mechanisms
Aug 30 17:15:39 server1 postfix/master[2675]: warning: process /usr/lib/postfix/smtpd pid 2913 exit status 1
Aug 30 17:15:39 server1 postfix/master[2675]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
Aug 30 17:15:39 server1 amavis[1675]: (01675-01) (!)FWD via SMTP: -> , 451 4.5.0 From MTA([127.0.0.1]:10025) during fwd-connect (Negative greeting: at (eval 101) line 596, line 21.): id=01675-01
|
Last edited by Wisdown; 31st August 2012 at 14:16.
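The log above shows Postfix failing to connect to private/auth while main.cf sets smtpd_sasl_type = dovecot. As an added example (not from the thread or from ISPConfig), this script resolves smtpd_sasl_path the way Postfix does for Dovecot, relative to the queue directory, and checks that a socket exists there. The default queue directory /var/spool/postfix and the function names are assumptions, and continuation lines in main.cf are not handled.

```shell
#!/bin/sh
# Added example: locate the Dovecot SASL socket that Postfix smtpd expects.
# Assumptions: one "name = value" per line (no continuation lines);
# queue directory /var/spool/postfix unless given as second argument.

# main_cf_value FILE NAME -> prints the last uncommented value of NAME
main_cf_value() {
    awk -v n="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", key)
            if (key == n) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = 1
            }
        }
        END { if (!found) exit 1; print val }' "$1"
}

# sasl_socket_path FILE [QUEUE_DIR] -> prints the socket path smtpd will open
sasl_socket_path() {
    stype=$(main_cf_value "$1" smtpd_sasl_type) || stype=cyrus  # Postfix default
    if [ "$stype" != dovecot ]; then
        echo "smtpd_sasl_type is $stype: no Dovecot socket involved" >&2; return 3
    fi
    spath=$(main_cf_value "$1" smtpd_sasl_path) || {
        echo "smtpd_sasl_path is not set" >&2; return 3; }
    case $spath in
        inet:*) echo "$spath is a TCP endpoint, not a socket file" >&2; return 3 ;;
        /*)     printf '%s\n' "$spath" ;;
        *)      printf '%s/%s\n' "${2:-/var/spool/postfix}" "$spath" ;;
    esac
}

# check_sasl_socket FILE [QUEUE_DIR] -> 0 if the socket exists, 1 if missing
check_sasl_socket() {
    sock=$(sasl_socket_path "$@") || return $?
    if [ -S "$sock" ]; then
        echo "OK: $sock"
    else
        echo "MISSING: $sock (is Dovecot running with an auth listener there?)" >&2
        return 1
    fi
}

# Usage: sh check_sasl.sh /etc/postfix/main.cf
if [ "$#" -ge 1 ]; then check_sasl_socket "$@"; fi
```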