Web-FTP Directory Protection

Discussion in 'General' started by jmroth, Mar 21, 2007.

  1. jmroth

    jmroth ISPConfig Developer

    I have tried protecting a directory (here images_layout2) using Web-FTP.

    Web-FTP says: FTP: Failed to write /web/images_layout2/.htpasswd

    However .htpasswd exists afterwards, but is empty:

    Code:
    -rw-r--r--  1 webXX_admin webXX    0 Mar 21 18:18 .htpasswd
    
    Any ideas?

    PS. Is the problem with using Web-FTP on large accounts solved already somehow?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check in your proftpd configuration whether upload of hidden files (beginning with a dot) is allowed.

    No, because this will need a rewrite of webFTP in most parts.
     
  3. jmroth

    jmroth ISPConfig Developer

    I am not very sure if that is the problem about what's going on here...
    I guess it's a proftp issue. (v1.2.10 with Debian Sarge)
    I am also sometimes having trouble using mod_tls which produces errors on binary mode data connections in ssl mode *only*. Well this is off-topic, but anyway when I try to create this directory protection, proftp debug mode says the following.
    I have now completely disabled SSL (and I am also convinced ISPConfig did not use FTP over SSL to connect) but still there are errors.

    Code:
    localhost.localdomain (127.0.0.1[127.0.0.1]) - USER webxx_admin: Login successful.
    localhost.localdomain (127.0.0.1[127.0.0.1]) - opening TransferLog '/var/log/xferlog'
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwnam" to module mod_radius
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwnam" to module mod_auth_file
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwnam" to module mod_auth_unix
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setpwent" to module mod_radius
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setpwent" to module mod_auth_file
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setpwent" to module mod_auth_unix
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setgrent" to module mod_radius
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setgrent" to module mod_auth_file
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setgrent" to module mod_auth_unix
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwent" to module mod_radius
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwent" to module mod_auth_file
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwent" to module mod_auth_unix
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getgrent" to module mod_radius
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getgrent" to module mod_auth_file
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getgrent" to module mod_auth_unix
    localhost.localdomain (127.0.0.1[127.0.0.1]) - Preparing to chroot() the environment, path = '/local/home/www/webxx'
    localhost.localdomain (127.0.0.1[127.0.0.1]) - Environment successfully chroot()ed.
    localhost.localdomain (127.0.0.1[127.0.0.1]) - in dir_check_full(): path = '/', fullpath = '/local/home/www/webxx/'.
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_cap
    localhost.localdomain (127.0.0.1[127.0.0.1]) - mod_cap/1.0: capabilities '= cap_net_bind_service+ep'
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ifsession
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_readme
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_delay
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_radius
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_tls
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ratio
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_quotatab
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_log
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ls
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_auth
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_log
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_ratio
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'TYPE I' to mod_rewrite
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'TYPE I' to mod_tls
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'TYPE I' to mod_core
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'TYPE I' to mod_core
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching CMD command 'TYPE I' to mod_xfer
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD command 'TYPE I' to mod_log
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'PORT 127,0,0,1,178,103' to mod_rewrite
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'PORT 127,0,0,1,178,103' to mod_tls
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'PORT 127,0,0,1,178,103' to mod_core
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'PORT 127,0,0,1,178,103' to mod_core
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching CMD command 'PORT 127,0,0,1,178,103' to mod_core
    localhost.localdomain (127.0.0.1[127.0.0.1]) - in dir_check_full(): path = '/', fullpath = '/local/home/www/webxx/'.
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD command 'PORT 127,0,0,1,178,103' to mod_log
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_rewrite
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_tls
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_core
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_core
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_ratio
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_quotatab
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_xfer
    localhost.localdomain (127.0.0.1[127.0.0.1]) - in dir_check_full(): path = '/web/images_layout2/.htpasswd', fullpath = '/local/home/www/webxx/web/images_layout2/.htpasswd'.
    localhost.localdomain (127.0.0.1[127.0.0.1]) - in dir_check_full(): setting umask to 0022 (was 0022)
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching CMD command 'STOR /web/images_layout2/.htpasswd' to mod_xfer
    localhost.localdomain (127.0.0.1[127.0.0.1]) - active data connection opened - local  : 127.0.0.1:20
    localhost.localdomain (127.0.0.1[127.0.0.1]) - active data connection opened - remote : 127.0.0.1:45671
    ==> localhost.localdomain (127.0.0.1[127.0.0.1]) - Transfer aborted after 17 bytes in 0.00 seconds
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD_ERR command 'STOR /web/images_layout2/.htpasswd' to mod_radius
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD_ERR command 'STOR /web/images_layout2/.htpasswd' to mod_quotatab
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD_ERR command 'STOR /web/images_layout2/.htpasswd' to mod_log
    localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD_ERR command 'STOR /web/images_layout2/.htpasswd' to mod_xfer
    
    I guess upgrading to etch (really soon now) with an updated proftp might just fix it ;)

    Also, why do you actually use FTP in the background? It's cool to call it "WebFTP" but since ISPConfig is not designed for multiple physical machines, just accessing files locally would be enough, wouldn't it?

    Regards,
    Marc
     
  4. falko

    falko Super Moderator ISPConfig Developer

    What's in your /etc/proftpd.conf?

    You need to access the files with the correct user due to ownerships and permissions, that's why we use FTP. The ISPConfig web server runs under the user admispconfig, so if we tried to access files locally, this would happen as admispconfig and would lead to permission problems.
     
  5. jmroth

    jmroth ISPConfig Developer

    Code:
    ServerName                      "blah"
    ServerType                      standalone
    DeferWelcome                    off
    
    MultilineRFC2228                on
    DefaultServer                   on
    ShowSymlinks                    on
    
    TimeoutNoTransfer               600
    TimeoutStalled                  600
    TimeoutIdle                     1200
    
    DisplayLogin                    welcome.msg
    DisplayFirstChdir               .message
    ListOptions                     "-l"
    
    DenyFilter                      \*.*/
    
    Port                            21
    
    MaxInstances                    30
    
    # Set the user and group that the server normally runs at.
    User                            nobody
    Group                           nogroup
    
    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask                           022  022
    # Normally, we want files to be overwriteable.
    AllowOverwrite                  on
    
    DelayEngine                     off
    
    DefaultRoot ~
    
    IdentLookups            off
    UseReverseDNS           off
    TransferLog             /var/log/xferlog
    
    <IfModule mod_tls.c>
          TLSEngine on
          TLSLog /var/log/proftpd/proftpd_tls.log
          TLSRequired off
          TLSVerifyClient off
          TLSRSACertificateFile /etc/ftpcert/host.cert
          TLSRSACertificateKeyFile /etc/ftpcert/host.key
          TLSProtocol TLSv1 # only needed in main config
    </IfModule>
    
    Include /etc/proftpd_ispconfig.conf # this file now follows:
    
    DefaultAddress 127.0.0.1
    <VirtualHost 88.198.xxx>
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002
    </VirtualHost>
    <VirtualHost 88.198.xxx>
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002
            <Anonymous /local/home/www/webx/ftp>
              User                          webx_anonftp
              Group                         webx_anonftp
              UserAlias                     anonymous webx_anonftp
              UserAlias                     guest webx_anonftp
              MaxClients                    10
              <Directory *>
                <Limit WRITE>
                  DenyAll
                </Limit>
              </Directory>
              <Directory /local/home/www/webx/ftp/incoming>
                Umask                       002
                <Limit STOR>
                  AllowAll
                </Limit>
                <Limit READ>
                  DenyAll
                </Limit>
              </Directory>
            </Anonymous>
    </VirtualHost>
    <VirtualHost 88.198.xxx>
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002
    </VirtualHost>
    <VirtualHost 88.198.xxx>
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002
    </VirtualHost>
    <VirtualHost 88.198.xxx>
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002
    </VirtualHost>
    <VirtualHost 88.198.xxx>
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002
    </VirtualHost>
    
    I have also started a thread in the proftp forums as this might be a proftp issue...
    http://forums.proftpd.org/smf/index.php?topic=2809.0
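
Added example (not part of the thread, and not ISPConfig or ProFTPD code): one way to carry out the check suggested earlier, by testing whether any `DenyFilter` or `PathDenyFilter` regex in a ProFTPD configuration matches the path from the failing `STOR`. The `PathDenyFilter` line in the sample is a hypothetical dotfile-blocking rule added for contrast, Python's `re` is assumed to stand in for ProFTPD's POSIX regex matching, and `<Limit>` or `HideFiles` rules are not covered.

```python
import re

# Directives whose regex argument can make ProFTPD refuse a command or path.
FILTER_DIRECTIVES = {"denyfilter", "pathdenyfilter"}

# Constructed excerpt: the DenyFilter line is taken from the configuration
# posted above; the PathDenyFilter line is a hypothetical addition showing
# what a dotfile-blocking rule would look like.
SAMPLE_CONF = r'''
ServerName                      "blah"
DenyFilter                      \*.*/
AllowOverwrite                  on
# PathDenyFilter "\.quota$"  (commented out, must be ignored)
PathDenyFilter                  "(^|/)\.ht"
'''

def parse_filters(conf_text):
    """Return (directive, pattern) pairs for every active filter directive."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in FILTER_DIRECTIVES:
            found.append((parts[0], parts[1].strip().strip('"')))
    return found

def blocking_filters(conf_text, path):
    """List the filters whose regex matches the path argument of a STOR."""
    hits = []
    for directive, pattern in parse_filters(conf_text):
        # Python's re stands in for the POSIX regex engine ProFTPD uses;
        # the simple patterns here behave the same in both.
        if re.search(pattern, path):
            hits.append((directive, pattern))
    return hits

if __name__ == "__main__":
    target = "/web/images_layout2/.htpasswd"
    for directive, pattern in blocking_filters(SAMPLE_CONF, target):
        print(f"{directive} {pattern!r} would reject STOR {target}")
```

Run against only the posted `DenyFilter \*.*/` line, the check returns no match for `/web/images_layout2/.htpasswd`, since that pattern requires a literal `*` in the argument.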
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Have you tried to remove
    Code:
    <IfModule mod_tls.c>
          TLSEngine on
          TLSLog /var/log/proftpd/proftpd_tls.log
          TLSRequired off
          TLSVerifyClient off
          TLSRSACertificateFile /etc/ftpcert/host.cert
          TLSRSACertificateKeyFile /etc/ftpcert/host.key
          TLSProtocol TLSv1 # only needed in main config
    </IfModule>
    from the configuration?
     
  7. jmroth

    jmroth ISPConfig Developer

    Yeah I tried that one too already. Without success. :(
     
