Bug#613003: Major regressions in proftpd-basic: DisplayReadme, DirFakeUser, DirFakeGroup, DirFakeMode, HideUser, HideGroup, HideNoAccess do not work
John Zaitseff
J.Zaitseff at zap.org.au
Sat Feb 12 06:15:03 UTC 2011
Package: proftpd-basic
Version: 1.3.3a-6
Severity: important
I am the unfortunate bearer of bad news. The upgrade of the ProFTPd
package (proftpd-basic) from Lenny to Squeeze causes at least the
following configuration directives to stop working:
DisplayReadme
DirFakeUser
DirFakeGroup
DirFakeMode
HideUser
HideGroup
HideNoAccess
Having the DisplayReadme directive enabled causes the ProFTPd daemon
to violate the FTP protocol in a major way. For example, having the
line "DisplayReadme README" in the configuration file, and having
the file README in the anonymous FTP directory "/", causes an NcFTP
client to return:
Invalid reply: "(null)-Please read the file README"
Invalid reply: "(null) it was last modified on Wed Nov 16 06:27:28 2005 - 1914 days ago"
It also causes the APT client (such as used by aptitude and apt-get)
to return "Protocol corruption" errors. In other words, having the
DisplayReadme directive stops most FTP client programs from working!
The DirFakeUser, DirFakeGroup and DirFakeMode directives simply do
not work, although this does not, in practice, cause major problems.
According to the documentation, these directives should supply fake
user and group information for FTP commands such as DIR. However,
this is NOT done: the actual UID, GID and modes are returned. For
example, I have:
DirFakeUser on
DirFakeGroup on
DirFakeMode 0444
which should return user "ftp", group "ftp" and mode "-r--r--r--".
However, performing a DIR command on the anonymous FTP directory "/"
returns:
drwxrwxrwx 501 104 Sep 16 2002 incoming
drwxr-xr-x 501 501 Nov 10 09:00 pub
-rw-r--r-- 501 501 986 Nov 16 2005 README
drwxr-xr-x 501 501 Nov 1 2009 users
-rw-r--r-- 501 4 390 Jan 4 2005 welcome.msg
In a similar way, the HideUser, HideGroup and HideNoAccess
directives do not work: if "HideGroup adm" is specified, for
example, files with group owner "adm" (GID 4) should be hidden from
view. As can be seen in the above directory listing, this does NOT
happen.
All of these problems (apart from the DisplayReadme directive) can
be verified on the server ftp.zap.org.au using the anonymous login
"ftp" with your e-mail address as the password. I am also attaching
the configuration files "proftpd.conf" and "modules.conf". I have
disabled the DisplayReadme configuration directive for the time
being.
I have spent a bit of time looking at the source code diff between
the version of ProFTPd in Lenny (proftpd-dfsg-1.3.1) and Squeeze
(proftpd-dfsg-1.3.3a), but have not found anything relevant at this
time.
I hope this problem can be resolved quickly, as I believe it is a
major regression in this package. I am more than willing to help
out with source code debugging as appropriate.
Finally, thank you for your hard work in packaging the ProFTPd
server, even if it does have a few problems at the present time!
Yours truly,
John Zaitseff
--
John Zaitseff                      ,--_|\    The ZAP Group
Phone:  +61 2 9643 7737           /      \   Sydney, Australia
E-mail: J.Zaitseff at zap.org.au  \_,--._*   http://www.zap.org.au/
                                        v
-------------- next part --------------
# /etc/proftpd/proftpd.conf: ProFTPD configuration file
# [JNZ] Modified 12-Feb-2011 for ftp.zap.org.au
Include /etc/proftpd/modules.conf
ServerName "The ZAP Group FTP server"
ServerType standalone
ServerIdent on "You have reached the ZAP Group FTP Server (ftp.zap.org.au)"
DeferWelcome off
ShowSymlinks on
IdentLookups on
UseIPv6 off
Port 21
Umask 022 022
WtmpLog off
TimesGMT off
MultilineRFC2228 on
DefaultServer on
RootLogin off
RequireValidShell on
ListOptions "" maxfiles 5000 maxdepth 5
DenyFilter \*.*/
AllowOverwrite on
# Time-out values (in seconds)
TimeoutLogin 150
TimeoutStalled 1200
TimeoutIdle 1200
TimeoutNoTransfer 1200
# Maximum number of child processes for ProFTPD
MaxInstances 80
# Set the user and group that the server normally runs at.
User ftp-data
Group ftp-data
# Server administrator's e-mail address
ServerAdmin "ftpmaster at zap.org.au"
# Display login message
DisplayLogin /etc/motd
DisplayChdir .message true
# Determine what to log and where
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
ExtendedLog /var/log/ftp.log auth,read,write,misc
# Delay module enabled for security
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
# Modules for controlling ProFTPd using ftp
<IfModule mod_ctrls.c>
ControlsEngine off
# ControlsEngine on
# ControlsMaxClients 2
# ControlsLog /var/log/proftpd/controls.log
# ControlsInterval 5
# ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
# AdminControlsEngine on
</IfModule>
# SSL/TLS is currently disabled
<IfModule mod_tls.c>
TLSEngine off
</IfModule>
##############################################################################
# Ordinary FTP access
# Allow ordinary FTP only from certain hosts
# By default, forbid ordinary FTP access
<Limit LOGIN>
Order allow,deny
# Allow 127.0.0.0/8
# Allow 129.94.172.224
Deny all
</Limit>
<Directory /*>
Umask 022 022
AllowOverwrite on
</Directory>
##############################################################################
# Anonymous FTP access
<Anonymous ~ftp/doc>
# Note that we cannot use "ftp" as the user or group, as that is a real
# user, owning all of the anonymous ftp files.
User ftp-data
Group ftp-data
UserAlias ftp ftp-data
UserAlias anonymous ftp-data
RequireValidShell off
MaxClients 75 "Sorry, a maximum of %m users are already connected. Please try again later."
<Limit LOGIN>
AllowAll
</Limit>
# Display various messages at login, logout and chdir
# Note that "/" really means "/data/ftp/doc/" in this context.
DisplayLogin /welcome.msg
# DisplayQuit /goodbye.msg
DisplayChdir .message true
DisplayReadme README
# Make all files appear as if they are owned by the ftp user
DirFakeUser on
DirFakeGroup on
DirFakeMode 0444
# Hide files owned by root or with a group of root or adm
HideUser root
HideGroup root
HideGroup adm
HideNoAccess on
<Limit ALL>
IgnoreHidden on
</Limit>
# Determine which filenames are allowable
PathAllowFilter ".*/[a-zA-Z0-9._]+$"
PathDenyFilter "(\.ftpaccess)|(\.htaccess)"
# Limit writes everywhere in the anonymous directories
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
# Create a write-only incoming directory. Disabled for the time being.
# If this directory is created, ensure that the group owner is ftp-data,
# with group write enabled.
#
#<Directory incoming>
# <Limit READ WRITE RMD DELE MKD>
# DenyAll
# </Limit>
# <Limit STOR CWD>
# AllowOverwrite off
# AllowAll
# </Limit>
#</Directory>
</Anonymous>
-------------- next part --------------
#
# This file is used to manage DSO modules and features.
# [JNZ] Modified 12-Feb-2011 for ftp.zap.org.au
#
# This is the directory where DSO modules reside
ModulePath /usr/lib/proftpd
# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded
ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *
LoadModule mod_ctrls_admin.c
#LoadModule mod_tls.c
# Install one of proftpd-mod-mysql, proftpd-mod-pgsql or any other
# SQL backend engine to use this module and the required backend.
# This module must be loaded before any of the existing SQL backends.
#LoadModule mod_sql.c
# Install proftpd-mod-ldap to use this
#LoadModule mod_ldap.c
#
# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives
# are required to have SQL authorization working. You can also comment out the
# unused module here, in alternative.
#
# Install proftpd-mod-mysql and uncomment the previous
# mod_sql.c module to use this.
#LoadModule mod_sql_mysql.c
# Install proftpd-mod-pgsql and uncomment the previous
# mod_sql.c module to use this.
#LoadModule mod_sql_postgres.c
# Install proftpd-mod-sqlite and uncomment the previous
# mod_sql.c module to use this
#LoadModule mod_sql_sqlite.c
# Install proftpd-mod-odbc and uncomment the previous
# mod_sql.c module to use this
#LoadModule mod_sql_odbc.c
# Install one of the previous SQL backends and uncomment
# the previous mod_sql.c module to use this
#LoadModule mod_sql_passwd.c
#LoadModule mod_radius.c
#LoadModule mod_quotatab.c
#LoadModule mod_quotatab_file.c
# Install proftpd-mod-ldap to use this
#LoadModule mod_quotatab_ldap.c
# Install one of the previous SQL backends and uncomment
# the previous mod_sql.c module to use this
#LoadModule mod_quotatab_sql.c
#LoadModule mod_quotatab_radius.c
LoadModule mod_wrap.c
#LoadModule mod_rewrite.c
#LoadModule mod_load.c
#LoadModule mod_ban.c
#LoadModule mod_wrap2.c
#LoadModule mod_wrap2_file.c
# Install one of the previous SQL backends and uncomment
# the previous mod_sql.c module to use this
#LoadModule mod_wrap2_sql.c
#LoadModule mod_dynmasq.c
#LoadModule mod_vroot.c
#LoadModule mod_exec.c
#LoadModule mod_shaper.c
#LoadModule mod_ratio.c
LoadModule mod_site_misc.c
#LoadModule mod_sftp.c
#LoadModule mod_sftp_pam.c
# Install one of the previous SQL backends and uncomment
# the previous mod_sql.c module to use this
#LoadModule mod_sftp_sql.c
#LoadModule mod_facl.c
LoadModule mod_unique_id.c
# keep this module the last one
LoadModule mod_ifsession.c
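The two symptoms in the report above (a DisplayReadme banner sent as a reply line that does not start with a three-digit code, and LIST output that still shows real owner, group and mode despite DirFakeUser, DirFakeGroup, DirFakeMode and HideGroup) can both be checked mechanically from captured server output. The following script is an added example, not code from the bug report or from the ProFTPD project. The reply lines and the directory listing embedded in it are constructed to resemble what the reporter saw; they are not captured data. It assumes a well-formed banner would be a 250 multi-line reply and treats execute bits on directories as acceptable under a fake mode of 0444 (both assumptions, not something the report states).

```python
"""Offline checks for malformed FTP replies and ignored DirFake*/Hide* directives.

Added example for the ProFTPD 1.3.3a regression report; not the project's code.
"""
import re
from typing import Dict, List, Set

# RFC 959 section 4.2: a reply line is "xyz " (single or final line) or
# "xyz-" (first line of a multi-line reply, closed later by "xyz ").
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Standard "ls -l" style LIST entry: mode, links, owner, group, size, date, name.
LIST_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


def validate_reply(lines: List[str]) -> List[str]:
    """Return protocol violations in one server reply (empty list = well-formed).

    The DisplayReadme bug emits "(null)-..." where "250-..." is required, which
    is exactly what makes strict clients (NcFTP, APT) reject the reply.
    """
    if not lines:
        return ["empty reply"]
    first = REPLY_LINE.match(lines[0])
    if not first:
        return [f"first line has no 3-digit reply code: {lines[0]!r}"]
    code, sep, _ = first.groups()
    if sep == " ":
        return ["single-line reply followed by extra lines"] if len(lines) > 1 else []
    # Multi-line reply: must be closed by "<same code><space>".
    for ln in lines[1:]:
        m = REPLY_LINE.match(ln)
        if m and m.group(2) == " ":
            if m.group(1) != code:
                return [f"terminator code {m.group(1)} != opening code {code}"]
            return []
    return [f"multi-line reply {code}- never terminated by '{code} '"]


def octal_to_rwx(mode: int) -> str:
    """Render the low nine permission bits as an ls-style 'rwxrwxrwx' string."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))


def check_listing(listing: List[str], fake_user: str, fake_group: str,
                  fake_mode: int, hidden_groups: Set[str]) -> Dict[str, List[str]]:
    """Map each listed name to the directives that visibly failed for it.

    hidden_groups holds the group names or numeric GIDs (as LIST prints them)
    that HideGroup should have removed from the listing entirely.
    """
    expected = octal_to_rwx(fake_mode)
    findings: Dict[str, List[str]] = {}
    for ln in listing:
        m = LIST_LINE.match(ln)
        if not m:
            findings.setdefault("<unparsed>", []).append(ln)
            continue
        issues: List[str] = []
        if m.group("owner") != fake_user:
            issues.append("DirFakeUser")
        if m.group("group") != fake_group:
            issues.append("DirFakeGroup")
        shown, want = m.group("mode")[1:], expected
        if m.group("mode")[0] == "d":
            # Assumption: directories may show x where the fake mode has r,
            # so only the r and w columns are compared for them.
            shown = "".join(c for i, c in enumerate(shown) if i % 3 != 2)
            want = "".join(c for i, c in enumerate(expected) if i % 3 != 2)
        if shown != want:
            issues.append("DirFakeMode")
        if m.group("group") in hidden_groups:
            issues.append("HideGroup")
        if issues:
            findings[m.group("name")] = issues
    return findings


# Constructed sample: the banner as the buggy server emits it ...
BAD_README_REPLY = [
    "(null)-Please read the file README",
    "(null)   it was last modified on Wed Nov 16 06:27:28 2005 - 1914 days ago",
]
# ... and the same text as a well-formed 250 multi-line reply to CWD.
GOOD_README_REPLY = [
    "250-Please read the file README",
    "250-   it was last modified on Wed Nov 16 06:27:28 2005 - 1914 days ago",
    "250 CWD command successful",
]
# Constructed LIST output: three entries with real ids (GID 4 is adm on the
# reporter's box) and one entry already showing the expected fake values.
SAMPLE_LISTING = [
    "drwxrwxrwx   2 501      104          4096 Sep 16  2002 incoming",
    "-rw-r--r--   1 501      501           986 Nov 16  2005 README",
    "-rw-r--r--   1 501      4             390 Jan  4  2005 welcome.msg",
    "-r--r--r--   1 ftp      ftp           120 Feb 12 06:00 index.txt",
]

if __name__ == "__main__":
    print("bad banner :", validate_reply(BAD_README_REPLY))
    print("good banner:", validate_reply(GOOD_README_REPLY))
    for name, issues in check_listing(SAMPLE_LISTING, "ftp", "ftp", 0o444,
                                      {"adm", "4"}).items():
        print(f"{name}: {', '.join(issues)}")
```

To use this against a live server, capture the control-channel reply after CWD and the raw LIST lines (for example with ftplib's retrlines("LIST", lines.append)) and pass them in place of the constructed samples; an entry that still reports its real UID or a group listed under HideGroup is the regression the report describes.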