Unruh
Jim Anderson <(E-Mail Removed)> writes:
>I'm setting up my PC to use Kubuntu, a derivative of Debian.
>I've installed vsftpd as the ftp daemon and I'm having difficulties.
>I've read what documentation I can find on vsftpd. The FAQ helped
>me solve a few issues, but I'm hardly at full service with ftp.
>I'd like to be able to support both anonymous and local user access.

>I'm running Kubuntu 10.5.

>I've been able to ftp to the host pc as 'anonymous' and I can 'get'
>a file from the server.

Good, you have it running.

>If I do an 'ls -ld' of the ftp directory, I get:
>
>> dr-xrwxrwx 2 root nogroup 4096 2006-06-07 22:55 ftp

Yes. What is the problem? Mind you I would NOT have it rw or script kiddies
will fill it with porn to share with others.
Also make it owned by ftp not root.
( and why you would let everyone else, but not root write into that
directory is beyond me.)

>The entries in my vsftpd.conf file are:
>
>> listen=YES
>> anonymous_enable=YES
>> local_enable=YES
>> write_enable=YES

?? why?

>> anon_upload_enable=YES

Separate out your

>> dirmessage_enable=YES
>> xferlog_enable=YES
>> connect_from_port_20=YES
>> secure_chroot_dir=/var/run/vsftpd
>> pam_service_name=vsftpd
>> rsa_cert_file=/etc/ssl/certs/vsftpd.pem
>> anon_root=/path_to_my_ftp_directory/ftp

>I checked and PAM is linked in using 'libpam.so.0', but I
>would think that as an anonymous user, PAM would not be
>the problem since there should not be any authentication
>going on.

>On the vsftpd site it mentions installing a vsftpd file
>in pam.d. I checked the /etc/pam.d directory and the vsftpd
>file from the original installation is there. I can only
>guess that this file is ok, but I don't know.

Why don't you post it?

>I checked the /etc/shells directory and the login shell used
>by the local user id that I'm using for ftp is in the file.

>PROBLEM 1 - As 'anonymous', when I try to 'put' to the server, I
>get the following error message:
>
>> ftp> passive
>> Passive mode on.

Why passive mode?

>> ftp> put t.txt
>> local: t.txt remote: t.txt
>> 227 Entering Passive Mode (192,168,1,109,206,149)
>> 550 Permission denied.

>PROBLEM 2: When I try to use an ftp client to access my
>ftp server as a local user, I get the following error:
>
>> ftp 192.168.1.109
>> Connected to 192.168.1.109.
>> 220 (vsFTPd 2.0.3)
>> Name (192.168.1.109:jja): jja
>> 530 This FTP server is anonymous only.
>> Login failed.

Yes, you have only set it up for anonymous. What do you think pam
authentication is used for?

>Does anyone have any suggestions on solving these two problems?

Anyway, you have to have an ftp user defined in /etc/passwd, with home
directory being the ftp home.

That is the top directory. It should be owned by ftp, and should NOT be
writeable by ftp.
Then I have three directories.
bin, outgoing and incoming. All are owned by ftp. One is bin, which
contains a statically linked version of ls,
One is incoming which has permissions -wxr-sr-x
which allows anonymous users to write to that file, but not to read it.
One is outgoing, which has permissions r-xr-xrwx
which allows anonymous users to read it, but not write to it.
This makes sure that it will not be used as a repository for people to
trade stuff on.
If you do not mind, then have one directory, say pub, which is owned by
ftp, and has rwxrwxrwx permissions.

Also why do you have chroot. Remember that a chroot cannot see outside the
jail NOTHING on the rest of your computer is accessible. Not pam, not
/etc/passwd, not /etc/shadow, nothing. So I suspect that you have no way of
authenticating users whom you are chrooting. IF you want people kept in the
ftp directory, only allow anonymous. The whole reason for allowing people
to ftp in as users is to give them access to the computer.
If they are all treated as if they were an anonymous user, then there is
no point.
Jim Anderson
Unruh wrote:
> Jim Anderson <(E-Mail Removed)> writes:
>
>>I'm setting up my PC to use Kubuntu, a derivative of Debian.
>>I've installed vsftpd as the ftp daemon and I'm having difficulties.
>>I've read what documentation I can find on vsftpd. The FAQ helped
>>me solve a few issues, but I'm hardly at full service with ftp.
>>I'd like to be able to support both anonymous and local user access.
>
>>I'm running Kubuntu 10.5.
>
>>I've been able to ftp to the host pc as 'anonymous' and I can 'get'
>>a file from the server.
>
> Good, you have it running.
>
>>If I do an 'ls -ld' of the ftp directory, I get:
>
>>>dr-xrwxrwx 2 root nogroup 4096 2006-06-07 22:55 ftp
>
> Yes. What is the problem? Mind you I would NOT have it rw or script kiddies
> will fill it with porn to share with others.
> Also make it owned by ftp not root.
> ( and why you would let everyone else, but not root write into that
> directory is beyond me.)

No problem here - I was just explaining the environment. I had root set
to r-x, because that was what I read in the vsftpd FAQ as a way to fix
the problem with the message, "refusing to run with writable anonymous root".
Prior to changing from rwx to r-x, I could not ftp anything.
I've already read the rest of your email and now I understand that the
'ftp' id should be used.

>>The entries in my vsftpd.conf file are:
>
>>>listen=YES
>>>anonymous_enable=YES
>>>local_enable=YES
>>>write_enable=YES
>
> ?? why?

Because I'm experimenting at this point. I'm pretty ignorant about ftp
administration and the administration documentation that I've found so far is
pretty sparse or didn't make sense to me.

>>>anon_upload_enable=YES
>
> Separate out your

I'm not sure what your comment meant here. Did it get truncated?

>>>dirmessage_enable=YES
>>>xferlog_enable=YES
>>>connect_from_port_20=YES
>>>secure_chroot_dir=/var/run/vsftpd
>>>pam_service_name=vsftpd
>>>rsa_cert_file=/etc/ssl/certs/vsftpd.pem
>>>anon_root=/path_to_my_ftp_directory/ftp
>
>>I checked and PAM is linked in using 'libpam.so.0', but I
>>would think that as an anonymous user, PAM would not be
>>the problem since there should not be any authentication
>>going on.
>
>>On the vsftpd site it mentions installing a vsftpd file
>>in pam.d. I checked the /etc/pam.d directory and the vsftpd
>>file from the original installation is there. I can only
>>guess that this file is ok, but I don't know.
>
> Why don't you post it?

Here it is:

------------------ pam.d/vsftpd file starts here ---------------

# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable
# pam_ftp.so.

# Standard blurb.
@include common-account
@include common-session

@include common-auth
auth required pam_shells.so

------------------ pam.d/vsftpd file ends here ---------------

>>I checked the /etc/shells directory and the login shell used
>>by the local user id that I'm using for ftp is in the file.
>
>>PROBLEM 1 - As 'anonymous', when I try to 'put' to the server, I
>>get the following error message:
>
>>>ftp> passive
>>>Passive mode on.
>
> Why passive mode?

When I first tried to use ftp from my client to 'get' a file
anonymously, it would not transfer and it said I should use passive mode. I
tried passive mode and it worked.

It seems to me a program smart enough to recommend switching to passive
mode would have automatically switched. Strange.

>>>ftp> put t.txt
>>>local: t.txt remote: t.txt
>>>227 Entering Passive Mode (192,168,1,109,206,149)
>>>550 Permission denied.
>
>>PROBLEM 2: When I try to use an ftp client to access my
>>ftp server as a local user, I get the following error:
>
>>>ftp 192.168.1.109
>>>Connected to 192.168.1.109.
>>>220 (vsFTPd 2.0.3)
>>>Name (192.168.1.109:jja): jja
>>>530 This FTP server is anonymous only.
>>>Login failed.
>
> Yes, you have only set it up for anonymous. What do you think pam
> authentication is used for?

I think PAM authentication is linked in so that ftp will use the
site's chosen authentication methodology. For example, if I'm using
kerberos for authentication and PAM is linked into ftp, then when
a user performs an ftp logon, ftp will route the authentication
through kerberos. I'm just using standard passwd file authentication,
so I don't think I'm getting any benefit from PAM.

>>Does anyone have any suggestions on solving these two problems?
>
> Anyway, you have to have an ftp user defined in /etc/passwd, with home
> directory being the ftp home.
>
> That is the top directory. It should be owned by ftp, and should NOT be
> writeable by ftp.

If the directory is not writable by 'ftp', how do files get written
into the directory? Does the ftp daemon run with an effective id of root?

> Then I have three directories.
> bin, outgoing and incoming. All are owned by ftp. One is bin, which
> contains a statically linked version of ls,
> One is incoming which has permissions -wxr-sr-x
> which allows anonymous users to write to that file, but not to read it.
> One is outgoing, which has permissions r-xr-xrwx
> which allows anonymous users to read it, but not write to it.
> This makes sure that it will not be used as a repository for people to
> trade stuff on.
> If you do not mind, then have one directory, say pub, which is owned by
> ftp, and has rwxrwxrwx permissions.
>
> Also why do you have chroot. Remember that a chroot cannot see outside the
> jail NOTHING on the rest of your computer is accessible. Not pam, not
> /etc/passwd, not /etc/shadow, nothing. So I suspect that you have no way of
> authenticating users whom you are chrooting. IF you want people kept in the
> ftp directory, only allow anonymous. The whole reason for allowing people
> to ftp in as users is to give them access to the computer.
> If they are all treated as if they were an anonymous user, then there is
> no point.

I don't think I have chroot enabled. The
'secure_chroot_dir=/var/run/vsftpd' statement
is the default setting from the /etc/vsftpd.conf
file on my system. From what I have read, this defines the
'jail' directory should chroot be used. At this time, I'm
not using chroot, so I don't need this statement.

Thank you for your comments. I learned a lot from your description of the
directories and their permissions.

Regards,
Jim Anderson
Bill Unruh
On Thu, 8 Jun 2006, Jim Anderson wrote:
> Unruh wrote:
>> Jim Anderson <(E-Mail Removed)> writes:
>>
>>> I'm setting up my PC to use Kubuntu, a derivative of Debian.
>>> I've installed vsftpd as the ftp daemon and I'm having difficulties.
>>> I've read what documentation I can find on vsftpd. The FAQ helped
>>> me solve a few issues, but I'm hardly at full service with ftp.
>>> I'd like to be able to support both anonymous and local user access.
>>
>>> I'm running Kubuntu 10.5.
>>
>>> I've been able to ftp to the host pc as 'anonymous' and I can 'get'
>>> a file from the server.
>>
>> Good, you have it running.
>>
>>> If I do an 'ls -ld' of the ftp directory, I get:
>>
>>>> dr-xrwxrwx 2 root nogroup 4096 2006-06-07 22:55 ftp
>>
>> Yes. What is the problem? Mind you I would NOT have it rw or script kiddies
>> will fill it with porn to share with others.
>> Also make it owned by ftp not root.
>> ( and why you would let everyone else, but not root write into that
>> directory is beyond me.)
>
> No problem here - I was just explaining the environment. I had root set
> to r-x, because that was what I read in the vsftpd FAQ as a way to fix
> the problem with the message, "refusing to run with writable anonymous root".
> Prior to changing from rwx to r-x, I could not ftp anything.
> I've already read the rest of your email and now I understand that the
> 'ftp' id should be used.

Yes, anonymous root is the root filesystem of the anonymous user-- the home
directory of the ftp directory. It should be owned by ftp (assuming your
vsftp is running as user ftp)

>>> The entries in my vsftpd.conf file are:
>>
>>>> listen=YES
>>>> anonymous_enable=YES
>>>> local_enable=YES
>>>> write_enable=YES
>>
>> ?? why?
>
> Because I'm experimenting at this point. I'm pretty ignorant about ftp
> administration and the administration documentation that I've found so far is
> pretty sparse or didn't make sense to me.
>
>>>> anon_upload_enable=YES
>>
>> Separate out your
>
> I'm not sure what your comment meant here. Did it get truncated?
>
>>>> dirmessage_enable=YES
>>>> xferlog_enable=YES
>>>> connect_from_port_20=YES
>>>> secure_chroot_dir=/var/run/vsftpd
>>>> pam_service_name=vsftpd
>>>> rsa_cert_file=/etc/ssl/certs/vsftpd.pem
>>>> anon_root=/path_to_my_ftp_directory/ftp
>>
>>> I checked and PAM is linked in using 'libpam.so.0', but I
>>> would think that as an anonymous user, PAM would not be
>>> the problem since there should not be any authentication
>>> going on.
>>
>>> On the vsftpd site it mentions installing a vsftpd file
>>> in pam.d. I checked the /etc/pam.d directory and the vsftpd
>>> file from the original installation is there. I can only
>>> guess that this file is ok, but I don't know.
>>
>> Why don't you post it?
>
> Here it is:
>
> ------------------ pam.d/vsftpd file starts here ---------------
>
> # Standard behaviour for ftpd(8).
> auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
>
> # Note: vsftpd handles anonymous logins on its own. Do not enable
> # pam_ftp.so.
>
> # Standard blurb.
> @include common-account
> @include common-session
>
> @include common-auth
> auth required pam_shells.so
>
> ------------------ pam.d/vsftpd file ends here ---------------

OK, this means that any users listed in /etc/ftpusers will NOT be allowed
to ftp in. Do you have common-account, common-session common-auth files in
your /etc/pam.d directory?
It is not clear why shells should be there at all. You should not be
allowing the running of commands anyway from ftp.

>>> I checked the /etc/shells directory and the login shell used
>>> by the local user id that I'm using for ftp is in the file.
>>
>>> PROBLEM 1 - As 'anonymous', when I try to 'put' to the server, I
>>> get the following error message:
>>
>>>> ftp> passive
>>>> Passive mode on.
>>
>> Why passive mode?
>
> When I first tried to use ftp from my client to 'get' a file
> anonymously, it would not transfer and it said I should use passive mode. I
> tried passive mode and it worked.
>
> It seems to me a program smart enough to recommend switching to passive
> mode would have automatically switched. Strange.

No. You might want it to behave that way.

>>>> ftp> put t.txt
>>>> local: t.txt remote: t.txt
>>>> 227 Entering Passive Mode (192,168,1,109,206,149)
>>>> 550 Permission denied.
>>
>>> PROBLEM 2: When I try to use an ftp client to access my
>>> ftp server as a local user, I get the following error:
>>
>>>> ftp 192.168.1.109
>>>> Connected to 192.168.1.109.
>>>> 220 (vsFTPd 2.0.3)
>>>> Name (192.168.1.109:jja): jja
>>>> 530 This FTP server is anonymous only.
>>>> Login failed.
>>
>> Yes, you have only set it up for anonymous. What do you think pam
>> authentication is used for?
>
> I think PAM authentication is linked in so that ftp will use the
> site's chosen authentication methodology. For example, if I'm using
> kerberos for authentication and PAM is linked into ftp, then when
> a user performs an ftp logon, ftp will route the authentication
> through kerberos. I'm just using standard passwd file authentication,
> so I don't think I'm getting any benefit from PAM.

pam is what is telling your system how to authenticate, which users are
allowed to ftp in, which shells, etc.

>>> Does anyone have any suggestions on solving these two problems?
>>
>> Anyway, you have to have an ftp user defined in /etc/passwd, with home
>> directory being the ftp home.
>>
>> That is the top directory. It should be owned by ftp, and should NOT be
>> writeable by ftp.
>
> If the directory is not writable by 'ftp', how do files get written
> into the directory? Does the ftp daemon run with an effective id of root?

They do not and should not. Nothing should be able to write into the top
directory. Allow them to write into some specific subdirectory.

>> Then I have three directories.
>> bin, outgoing and incoming. All are owned by ftp. One is bin, which
>> contains a statically linked version of ls, One is incoming which has
>> permissions -wxr-sr-x
>> which allows anonymous users to write to that file, but not to read it.
>> One is outgoing, which has permissions r-xr-xrwx
>> which allows anonymous users to read it, but not write to it. This makes
>> sure that it will not be used as a repository for people to
>> trade stuff on.
>> If you do not mind, then have one directory, say pub, which is owned by
>> ftp, and has rwxrwxrwx permissions.
>>
>> Also why do you have chroot. Remember that a chroot cannot see outside the
>> jail NOTHING on the rest of your computer is accessible. Not pam, not
>> /etc/passwd, not /etc/shadow, nothing. So I suspect that you have no way of
>> authenticating users whom you are chrooting. IF you want people kept in the
>> ftp directory, only allow anonymous. The whole reason for allowing people
>> to ftp in as users is to give them access to the computer.
>> If they are all treated as if they were an anonymous user, then there is
>> no point.
>
> I don't think I have chroot enabled. The
> 'secure_chroot_dir=/var/run/vsftpd' statement
> is the default setting from the /etc/vsftpd.conf
> file on my system. From what I have read, this defines the
> 'jail' directory should chroot be used. At this time, I'm
> not using chroot, so I don't need this statement.
>
> Thank you for your comments. I learned a lot from your description of the
> directories and their permissions.
>
> Regards,
> Jim Anderson

--
William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology |     (E-Mail Removed)
Canada V6T 1Z1     |      and Gravity       |  www.theory.physics.ubc.ca/
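As an added example (not code from the thread, and not vsftpd's own), the following POSIX shell script lays out the ftp, incoming and outgoing directories with the modes Unruh gives above and audits the anonymous root by the rule he and the "refusing to run with writable anonymous root" message both apply: the top directory must not be writable. It assumes the tree is owned by whoever runs it, since a chown to ftp needs root, so ownership is reported rather than enforced.

```shell
#!/bin/sh
# Added example, not code from the thread: build the anonymous FTP tree that
# Unruh describes under a scratch directory and audit the top directory.
# Assumptions: POSIX sh and find(1) with symbolic -perm; the directories are
# owned by the user running this (chown to "ftp" needs root), so the owner
# is printed for inspection while the mode checks are exact.

# has_mode DIR MODE: exit 0 if DIR has every permission bit in symbolic MODE
# (chmod syntax, e.g. u=w). -prune keeps find from descending into DIR.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# mode_is DIR OCTAL: exit 0 if DIR's permission bits are exactly OCTAL.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# audit_anon_root DIR: the anonymous root is the ftp user's home. vsftpd will
# not serve one its user can write to (the FAQ message Jim hit), and a
# world-writable one is Unruh's "script kiddies will fill it" case.
# Prints the findings and the owner; exit status 0 only if both checks pass.
audit_anon_root() {
    rc=0
    if has_mode "$1" u=w; then
        echo "FAIL: $1 is writable by its owner"; rc=1
    fi
    if has_mode "$1" o=w; then
        echo "FAIL: $1 is writable by everyone"; rc=1
    fi
    echo "owner of $1: $(ls -ld "$1" | awk '{print $3}') (should be ftp)"
    [ "$rc" -eq 0 ] && echo "OK: $1 is read-only for the ftp user"
    return "$rc"
}

# make_ftp_tree BASE: BASE/ftp with the layout from the thread.
#   ftp/           r-xr-xr-x (0555)  top directory: nobody writes here
#   ftp/incoming   -wxr-sr-x (2355)  drop box: ftp user can create, not list
#   ftp/outgoing   r-xr-xrwx (0557)  download area: ftp user reads only
make_ftp_tree() {
    mkdir -p "$1/ftp/incoming" "$1/ftp/outgoing"
    chmod 2355 "$1/ftp/incoming"
    chmod 0557 "$1/ftp/outgoing"
    chmod 0555 "$1/ftp"
}

# remove_ftp_tree BASE: give the owner rwx back first, or rm cannot
# enter the read-only top directory and the unreadable incoming/.
remove_ftp_tree() {
    chmod -R u+rwx "$1" && rm -rf "$1"
}

# Demo: the recommended layout passes; the dr-xrwxrwx top directory from
# the original post fails on the world-write bit.
scratch=$(mktemp -d)
make_ftp_tree "$scratch"
audit_anon_root "$scratch/ftp"
mkdir -m 0577 "$scratch/bad"
audit_anon_root "$scratch/bad" || echo "(expected failure)"
remove_ftp_tree "$scratch"
```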
Jim Anderson
I have set up the ftp directory with subdirectories and permissions
suggested. When I test out ftp, I have identical results:

1) I can 'get', but not 'put' as anonymous, and
2) I cannot login at the ftp prompt. I get the message:

> 530 This FTP server is anonymous only.
> Login failed.

Unruh wrote:
> Jim Anderson <(E-Mail Removed)> writes:
>
>>I'm setting up my PC to use Kubuntu, a derivative of Debian.
>>I've installed vsftpd as the ftp daemon and I'm having difficulties.
>>I've read what documentation I can find on vsftpd. The FAQ helped
>>me solve a few issues, but I'm hardly at full service with ftp.
>>I'd like to be able to support both anonymous and local user access.
>
>>I'm running Kubuntu 10.5.
>
>>I've been able to ftp to the host pc as 'anonymous' and I can 'get'
>>a file from the server.
>
> Good, you have it running.
>
>>If I do an 'ls -ld' of the ftp directory, I get:
>
>>>dr-xrwxrwx 2 root nogroup 4096 2006-06-07 22:55 ftp
>
> Yes. What is the problem? Mind you I would NOT have it rw or script kiddies
> will fill it with porn to share with others.
> Also make it owned by ftp not root.
> ( and why you would let everyone else, but not root write into that
> directory is beyond me.)
>
>>The entries in my vsftpd.conf file are:
>
>>>listen=YES
>>>anonymous_enable=YES
>>>local_enable=YES
>>>write_enable=YES
>
> ?? why?
>
>>>anon_upload_enable=YES
>
> Separate out your
>
>>>dirmessage_enable=YES
>>>xferlog_enable=YES
>>>connect_from_port_20=YES
>>>secure_chroot_dir=/var/run/vsftpd
>>>pam_service_name=vsftpd
>>>rsa_cert_file=/etc/ssl/certs/vsftpd.pem
>>>anon_root=/path_to_my_ftp_directory/ftp
>
>>I checked and PAM is linked in using 'libpam.so.0', but I
>>would think that as an anonymous user, PAM would not be
>>the problem since there should not be any authentication
>>going on.
>
>>On the vsftpd site it mentions installing a vsftpd file
>>in pam.d. I checked the /etc/pam.d directory and the vsftpd
>>file from the original installation is there. I can only
>>guess that this file is ok, but I don't know.
>
> Why don't you post it?
>
>>I checked the /etc/shells directory and the login shell used
>>by the local user id that I'm using for ftp is in the file.
>
>>PROBLEM 1 - As 'anonymous', when I try to 'put' to the server, I
>>get the following error message:
>
>>>ftp> passive
>>>Passive mode on.
>
> Why passive mode?
>
>>>ftp> put t.txt
>>>local: t.txt remote: t.txt
>>>227 Entering Passive Mode (192,168,1,109,206,149)
>>>550 Permission denied.
>
>>PROBLEM 2: When I try to use an ftp client to access my
>>ftp server as a local user, I get the following error:
>
>>>ftp 192.168.1.109
>>>Connected to 192.168.1.109.
>>>220 (vsFTPd 2.0.3)
>>>Name (192.168.1.109:jja): jja
>>>530 This FTP server is anonymous only.
>>>Login failed.
>
> Yes, you have only set it up for anonymous. What do you think pam
> authentication is used for?
>
>>Does anyone have any suggestions on solving these two problems?
>
> Anyway, you have to have an ftp user defined in /etc/passwd, with home
> directory being the ftp home.
>
> That is the top directory. It should be owned by ftp, and should NOT be
> writeable by ftp.
> Then I have three directories.
> bin, outgoing and incoming. All are owned by ftp. One is bin, which
> contains a statically linked version of ls,
> One is incoming which has permissions -wxr-sr-x
> which allows anonymous users to write to that file, but not to read it.
> One is outgoing, which has permissions r-xr-xrwx
> which allows anonymous users to read it, but not write to it.
> This makes sure that it will not be used as a repository for people to
> trade stuff on.
> If you do not mind, then have one directory, say pub, which is owned by
> ftp, and has rwxrwxrwx permissions.
>
> Also why do you have chroot. Remember that a chroot cannot see outside the
> jail NOTHING on the rest of your computer is accessible. Not pam, not
> /etc/passwd, not /etc/shadow, nothing. So I suspect that you have no way of
> authenticating users whom you are chrooting. IF you want people kept in the
> ftp directory, only allow anonymous. The whole reason for allowing people
> to ftp in as users is to give them access to the computer.
> If they are all treated as if they were an anonymous user, then there is
> no point.
Jim Anderson
Bill,

Thanks again for your input. My comments are embedded below. I'd
particularly like your comment on the 'running as ftp' issue.

As yet, I still can't really use ftp, but I feel like I'm getting close.

Jim

Bill Unruh wrote:
> On Thu, 8 Jun 2006, Jim Anderson wrote:
>
>> Unruh wrote:
>>
>>> Jim Anderson <(E-Mail Removed)> writes:
>>>
>>>> I'm setting up my PC to use Kubuntu, a derivative of Debian.
>>>> I've installed vsftpd as the ftp daemon and I'm having difficulties.
>>>> I've read what documentation I can find on vsftpd. The FAQ helped
>>>> me solve a few issues, but I'm hardly at full service with ftp.
>>>> I'd like to be able to support both anonymous and local user access.
>>>
>>>> I'm running Kubuntu 10.5.
>>>
>>>> I've been able to ftp to the host pc as 'anonymous' and I can 'get'
>>>> a file from the server.
>>>
>>> Good, you have it running.
>>>
>>>> If I do an 'ls -ld' of the ftp directory, I get:
>>>
>>>>> dr-xrwxrwx 2 root nogroup 4096 2006-06-07 22:55 ftp
>>>
>>> Yes. What is the problem? Mind you I would NOT have it rw or script
>>> kiddies
>>> will fill it with porn to share with others.
>>> Also make it owned by ftp not root.
>>> ( and why you would let everyone else, but not root write into that
>>> directory is beyond me.)
>>
>> No problem here - I was just explaining the environment. I had root set
>> to r-x, because that was what I read in the vsftpd FAQ as a way to fix
>> the problem with the message, "refusing to run with writable anonymous
>> root". Prior to changing from rwx to r-x, I could not ftp anything.
>> I've already read the rest of your email and now I understand that the
>> 'ftp' id should be used.
>
> Yes, anonymous root is the root filesystem of the anonymous user-- the home
> directory of the ftp directory. It should be owned by ftp (assuming your
> vsftp is running as user ftp)

This looks like a problem to me. The 'vsftpd' daemon is running as root,
not ftp. The daemon starts up when the PC is booted and I assumed it would
run under the correct id. I'm not sure how to change this.

I experimented with signing on as root id, then doing an 'su ftp'. A new
shell started, but when I did 'whoami', it said root. If I create a file
from that shell, the owner is root, not ftp. And if I run a program in that
shell and run 'ps -elf', the process is being run by root, not ftp.

Do you know how to fix this?

>>>> The entries in my vsftpd.conf file are:
>>>
>>>>> listen=YES
>>>>> anonymous_enable=YES
>>>>> local_enable=YES
>>>>> write_enable=YES
>>>
>>> ?? why?
>>
>> Because I'm experimenting at this point. I'm pretty ignorant about
>> ftp administration and the administration documentation that I've
>> found so far is pretty sparse or didn't make sense to me.
>>
>>>>> anon_upload_enable=YES
>>>
>>> Separate out your
>>
>> I'm not sure what your comment meant here. Did it get truncated?
>>
>>>>> dirmessage_enable=YES
>>>>> xferlog_enable=YES
>>>>> connect_from_port_20=YES
>>>>> secure_chroot_dir=/var/run/vsftpd
>>>>> pam_service_name=vsftpd
>>>>> rsa_cert_file=/etc/ssl/certs/vsftpd.pem
>>>>> anon_root=/path_to_my_ftp_directory/ftp
>>>
>>>> I checked and PAM is linked in using 'libpam.so.0', but I
>>>> would think that as an anonymous user, PAM would not be
>>>> the problem since there should not be any authentication
>>>> going on.
>>>
>>>> On the vsftpd site it mentions installing a vsftpd file
>>>> in pam.d. I checked the /etc/pam.d directory and the vsftpd
>>>> file from the original installation is there. I can only
>>>> guess that this file is ok, but I don't know.
>>>
>>> Why don't you post it?
>>
>> Here it is:
>>
>> ------------------ pam.d/vsftpd file starts here ---------------
>>
>> # Standard behaviour for ftpd(8).
>> auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
>>
>> # Note: vsftpd handles anonymous logins on its own. Do not enable
>> # pam_ftp.so.
>>
>> # Standard blurb.
>> @include common-account
>> @include common-session
>>
>> @include common-auth
>> auth required pam_shells.so
>>
>> ------------------ pam.d/vsftpd file ends here ---------------
>
> OK, this means that any users listed in /etc/ftpusers will NOT be allowed
> to ftp in. Do you have common-account, common-session common-auth files in
> your /etc/pam.d directory?
> It is not clear why shells should be there at all. You should not be
> allowing the running of commands anyway from ftp.

The /etc/ftpusers file contains:

root
daemon
bin
sys
sync
games
man
lp
news
uucp
nobody
--------- end of ftpusers file ------

The 3 other files all exist and they follow also:

------------- start common-account ---------
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required pam_unix.so
------------- end common-account ---------

------------- start common-session ---------
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
------------ end common-session ----------

------------- start common-auth ---------
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_unix.so nullok_secure
------------- end common-auth ---------

>>>> I checked the /etc/shells directory and the login shell used
>>>> by the local user id that I'm using for ftp is in the file.
>>>
>>>> PROBLEM 1 - As 'anonymous', when I try to 'put' to the server, I
>>>> get the following error message:
>>>
>>>>> ftp> passive
>>>>> Passive mode on.
>>>
>>> Why passive mode?
>>
>> When I first tried to use ftp from my client to 'get' a file
>> anonymously, it would not transfer and it said I should use passive
>> mode. I tried passive mode and it worked.
>>
>> It seems to me a program smart enough to recommend switching to passive
>> mode would have automatically switched. Strange.
>
> No. You might want it to behave that way.

Yes, possibly.

>>>>> ftp> put t.txt
>>>>> local: t.txt remote: t.txt
>>>>> 227 Entering Passive Mode (192,168,1,109,206,149)
>>>>> 550 Permission denied.
>>>
>>>> PROBLEM 2: When I try to use an ftp client to access my
>>>> ftp server as a local user, I get the following error:
>>>
>>>>> ftp 192.168.1.109
>>>>> Connected to 192.168.1.109.
>>>>> 220 (vsFTPd 2.0.3)
>>>>> Name (192.168.1.109:jja): jja
>>>>> 530 This FTP server is anonymous only.
>>>>> Login failed.
>>>
>>> Yes, you have only set it up for anonymous. What do you think pam
>>> authentication is used for?
>>
>> I think PAM authentication is linked in so that ftp will use the
>> site's chosen authentication methodology. For example, if I'm using
>> kerberos for authentication and PAM is linked into ftp, then when
>> a user performs an ftp logon, ftp will route the authentication
>> through kerberos. I'm just using standard passwd file authentication,
>> so I don't think I'm getting any benefit from PAM.
>
> pam is what is telling your system how to authenticate, which users are
> allowed to ftp in, which shells, etc.
>
>>>> Does anyone have any suggestions on solving these two problems?
>>>
>>> Anyway, you have to have an ftp user defined in /etc/passwd, with home
>>> directory being the ftp home.
>>>
>>> That is the top directory. It should be owned by ftp, and should NOT be
>>> writeable by ftp.
>>
>> If the directory is not writable by 'ftp', how do files get written
>> into the directory? Does the ftp daemon run with an effective id of root?
>
> They do not and should not. Nothing should be able to write into the top
> directory. Allow them to write into some specific subdirectory.

Duh! Sometimes the obvious stares us in the face.

>>> Then I have three directories.
>>> bin, outgoing and incoming. All are owned by ftp. One is bin, which
>>> contains a statically linked version of ls, One is incoming which has
>>> permissions -wxr-sr-x
>>> which allows anonymous users to write to that file, but not to read it.
>>> One is outgoing, which has permissions r-xr-xrwx
>>> which allows anonymous users to read it, but not write to it. This
>>> makes sure that it will not be used as a repository for people to
>>> trade stuff on.
>>> If you do not mind, then have one directory, say pub, which is owned by
>>> ftp, and has rwxrwxrwx permissions.
>>>
>>> Also why do you have chroot. Remember that a chroot cannot see
>>> outside the
>>> jail NOTHING on the rest of your computer is accessible. Not pam, not
>>> /etc/passwd, not /etc/shadow, nothing. So I suspect that you have no
>>> way of
>>> authenticating users whom you are chrooting. IF you want people kept
>>> in the
>>> ftp directory, only allow anonymous. The whole reason for allowing
>>> people
>>> to ftp in as users is to give them access to the computer.
>>> If they are all treated as if they were an anonymous user, then
>>> there is
>>> no point.
>>
>> I don't think I have chroot enabled. The
>> 'secure_chroot_dir=/var/run/vsftpd' statement
>> is the default setting from the /etc/vsftpd.conf
>> file on my system. From what I have read, this defines the
>> 'jail' directory should chroot be used. At this time, I'm
>> not using chroot, so I don't need this statement.
>>
>> Thank you for your comments. I learned a lot from your description of the
>> directories and their permissions.
>>
>> Regards,
>> Jim Anderson
Bill Unruh
Guest
Posts: n/a
On Fri, 9 Jun 2006, Jim Anderson wrote:
> Bill,
>
> Thanks again for your input. My comments are embedded below. I'd particularly
> like your comment on the 'running as ftp' issue.

Comments below, interleaved.

> As yet, I still can't really use ftp, but I feel like I'm getting
> close.

By "can't use" I assume you mean as a user, not as anonymous. Anonymous works
right? For user, you need to look at the log files /var/log/messages,
/var/log/syslog, /var/log/daemon/* to see if there is some clue as to where
the problem is. There should be an indication as to where the refusal occurred.

> Jim
>
> Bill Unruh wrote:
>> On Thu, 8 Jun 2006, Jim Anderson wrote:
>>> Unruh wrote:
>>>> Jim Anderson <(E-Mail Removed)> writes:
>>>>
>>>>> I'm setting up my PC to use Kubuntu, a derivative of Debian.
>>>>> I've installed vsftpd as the ftp daemon and I'm having difficulties.
>>>>> I've read what documentation I can find on vsftpd. The FAQ helped
>>>>> me solve a few issues, but I'm hardly at full service with ftp.
>>>>> I'd like to be able to support both anonymous and local user access.
>>>>> I'm running Kubuntu 10.5.
>>>>> I've been able to ftp to the host pc as 'anonymous' and I can 'get'
>>>>> a file from the server.
>>>>
>>>> Good, you have it running.
>>>>
>>>>> If I do an 'ls -ld' of the ftp directory, I get:
>>>>>
>>>>>> dr-xrwxrwx 2 root nogroup 4096 2006-06-07 22:55 ftp
>>>>
>>>> Yes. What is the problem? Mind you I would NOT have it rw or script
>>>> kiddies will fill it with porn to share with others.
>>>> Also make it owned by ftp not root.
>>>> (and why you would let everyone else, but not root write into that
>>>> directory is beyond me.)
>>>
>>> No problem here - I was just explaining the environment. I had root set
>>> to r-x, because that was what I read in the vsftpd FAQ as a way to fix
>>> the problem with the message, "refusing to run with writable anonymous
>>> root". Prior to changing from rwx to r-x, I could not ftp anything.
>>> I've already read the rest of your email and now I understand that the
>>> 'ftp' id should be used.
>>
>> Yes, anonymous root is the root filesystem of the anonymous user -- the home
>> directory of the ftp directory. It should be owned by ftp (assuming your
>> vsftp is running as user ftp)
>
> This looks like a problem to me. The 'vsftpd' daemon is running as root, not
> ftp. The daemon starts up when the PC is booted and I assumed it would run
> under the correct id.

I have just checked again and I was wrong on this. vsftpd does run as root.
Thinking about it this makes sense as it is the only way it can do a chroot.
However vsftpd is usually put under the control of the xinetd.d daemon (or
inetd daemon on an old system). I.e., there is a file /etc/xinetd.d/vsftpd
with a disable=no line. This means that the daemon is only run when an actual
request comes in. It changes its effective uid to ftp once it runs as
anonymous. Sorry for the confusion.

> I'm not sure how to change this. I experimented with signing on as root id,
> then doing an 'su ftp'. A new shell started, but when I did 'whoami', it
> said root. If I create a file from that shell, the owner is
> root, not ftp. And if I run a program in that shell and run 'ps -elf',
> the process is being run by root, not ftp. Do you know how to fix this?
>
>>>>> The entries in my vsftpd.conf file are:
>>>>>
>>>>>> listen=YES
>>>>>> anonymous_enable=YES
>>>>>> local_enable=YES
>>>>>> write_enable=YES
>>>>
>>>> ?? why?
>>>
>>> Because I'm experimenting at this point. I'm pretty ignorant about ftp
>>> administration and the administration documentation that I've found so far
>>> is pretty sparse or didn't make sense to me.
>>>
>>>>>> anon_upload_enable=YES
>>>>
>>>> Separate out your
>>>
>>> I'm not sure what your comment meant here. Did it get truncated?
>>>
>>>>>> dirmessage_enable=YES
>>>>>> xferlog_enable=YES
>>>>>> connect_from_port_20=YES
>>>>>> secure_chroot_dir=/var/run/vsftpd
>>>>>> pam_service_name=vsftpd
>>>>>> rsa_cert_file=/etc/ssl/certs/vsftpd.pem
>>>>>> anon_root=/path_to_my_ftp_directory/ftp
>>>>>
>>>>> I checked and PAM is linked in using 'libpam.so.0', but I
>>>>> would think that as an anonymous user, PAM would not be
>>>>> the problem since there should not be any authentication
>>>>> going on.
>>>>>
>>>>> On the vsftpd site it mentions installing a vsftpd file
>>>>> in pam.d. I checked the /etc/pam.d directory and the vsftpd
>>>>> file from the original installation is there. I can only
>>>>> guess that this file is ok, but I don't know.
>>>>
>>>> Why don't you post it?
>>>
>>> Here it is:
>>>
>>> ------------------ pam.d/vsftpd file starts here ---------------
>>>
>>> # Standard behaviour for ftpd(8).
>>> auth required pam_listfile.so item=user sense=deny
>>> file=/etc/ftpusers onerr=succeed

By the way, I do hope those were all on one line.

>>> # Note: vsftpd handles anonymous logins on its own. Do not enable
>>> # pam_ftp.so.
>>>
>>> # Standard blurb.
>>> @include common-account
>>> @include common-session
>>>
>>> @include common-auth
>>> auth required pam_shells.so
>>>
>>> ------------------ pam.d/vsftpd file ends here ---------------
>>
>> OK, this means that any users listed in /etc/ftpusers will NOT be allowed
>> to ftp in. Do you have common-account, common-session common-auth files in
>> your /etc/pam.d directory?
>> It is not clear why shells should be there at all. You should not be
>> allowing the running of commands anyway from ftp.
>
> The /etc/ftpusers file contains:
>
> root
> daemon
> bin
> sys
> sync
> games
> man
> lp
> news
> uucp
> nobody
> --------- end of ftpusers file ------
>
> The 3 other files all exist and they follow also:
>
> ------------- start common-account ---------
>
> #
> # /etc/pam.d/common-account - authorization settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authorization modules that define
> # the central access policy for use on the system. The default is to
> # only deny service to users whose accounts are expired in /etc/shadow.
> #
> account required pam_unix.so
> ------------- end common-account ---------
>
> ------------- start common-session ---------
>
> # /etc/pam.d/common-session - session-related modules common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of modules that define tasks to be performed
> # at the start and end of sessions of *any* kind (both interactive and
> # non-interactive). The default is pam_unix.
> #
> session required pam_unix.so
>
> ------------ end common-session ----------
>
> ------------- start common-auth ---------
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
> # traditional Unix authentication mechanisms.
> #
> auth required pam_unix.so nullok_secure
>
> ------------- end common-auth ---------

Well, they all do almost the same thing, so it is not clear having all three
serves any purpose.

>>>>> I checked the /etc/shells directory and the login shell used
>>>>> by the local user id that I'm using for ftp is in the file.
>>>>>
>>>>> PROBLEM 1 - As 'anonymous', when I try to 'put' to the server, I
>>>>> get the following error message:
>>>>>
>>>>>> ftp> passive
>>>>>> Passive mode on.
>>>>
>>>> Why passive mode?
>>>
>>> When I first tried to use ftp from my client to 'get' a file
>>> anonymously, it would not transfer and it said I should use passive mode.
>>> I tried passive mode and it worked.
>>>
>>> It seems to me a program smart enough to recommend switching to passive
>>> mode would have automatically switched. Strange.
>>
>> No. You might want it to behave that way.
>
> Yes, possibly.
>
>>>>>> ftp> put t.txt
>>>>>> local: t.txt remote: t.txt
>>>>>> 227 Entering Passive Mode (192,168,1,109,206,149)
>>>>>> 550 Permission denied.
>>>>>
>>>>> PROBLEM 2: When I try to use an ftp client to access my
>>>>> ftp server as a local user, I get the following error:
>>>>>
>>>>>> ftp 192.168.1.109
>>>>>> Connected to 192.168.1.109.
>>>>>> 220 (vsFTPd 2.0.3)
>>>>>> Name (192.168.1.109:jja): jja
>>>>>> 530 This FTP server is anonymous only.
>>>>>> Login failed.
>>>>
>>>> Yes, you have only set it up for anonymous. What do you think pam
>>>> authentication is used for?
>>>
>>> I think PAM authentication is linked in so that ftp will use the
>>> site's chosen authentication methodology. For example, if I'm using
>>> kerberos for authentication and PAM is linked into ftp, then when
>>> a user performs an ftp logon, ftp will route the authentication
>>> through kerberos. I'm just using standard passwd file authentication,
>>> so I don't think I'm getting any benefit from PAM.
>>
>> pam is what is telling your system how to authenticate, which users are
>> allowed to ftp in, which shells, etc.
>>
>>>>> Does anyone have any suggestions on solving these two problems?
>>>>
>>>> Anyway, you have to have an ftp user defined in /etc/passwd, with home
>>>> directory being the ftp home.
>>>>
>>>> That is the top directory. It should be owned by ftp, and should NOT be
>>>> writeable by ftp.
>>>
>>> If the directory is not writable by 'ftp', how do files get written
>>> into the directory? Does the ftp daemon run with an effective id of root?
>>
>> They do not and should not. Nothing should be able to write into the top
>> directory. Allow them to write into some specific subdirectory.
>
> Duh! Sometimes the obvious stares us in the face.
>
>>>> Then I have three directories.
>>>> bin, outgoing and incoming. All are owned by ftp. One is bin, which
>>>> contains a statically linked version of ls. One is incoming which has
>>>> permissions -wxr-sr-x
>>>> which allows anonymous users to write to that file, but not to read it.
>>>> One is outgoing, which has permissions r-xr-xrwx
>>>> which allows anonymous users to read it, but not write to it. This makes
>>>> sure that it will not be used as a repository for people to
>>>> trade stuff on.
>>>> If you do not mind, then have one directory, say pub, which is owned by
>>>> ftp, and has rwxrwxrwx permissions.
>>>>
>>>> Also why do you have chroot. Remember that a chroot cannot see outside
>>>> the jail. NOTHING on the rest of your computer is accessible. Not pam, not
>>>> /etc/passwd, not /etc/shadow, nothing. So I suspect that you have no way
>>>> of authenticating users whom you are chrooting. IF you want people kept in
>>>> the ftp directory, only allow anonymous. The whole reason for allowing
>>>> people to ftp in as users is to give them access to the computer.
>>>> If they are all treated as if they were an anonymous user, then there is
>>>> no point.
>>>
>>> I don't think I have chroot enabled. The
>>> 'secure_chroot_dir=/var/run/vsftpd' statement
>>> is the default setting from the /etc/vsftpd.conf
>>> file on my system. From what I have read, this defines the
>>> 'jail' directory should chroot be used. At this time, I'm
>>> not using chroot, so I don't need this statement.
>>>
>>> Thank you for your comments. I learned a lot from your description of the
>>> directories and their permissions.
>>>
>>> Regards,
>>> Jim Anderson

--
William G. Unruh   |  Canadian Institute for |  Tel: +1(604)822-3273
Physics&Astronomy  |    Advanced Research    |  Fax: +1(604)822-5324
UBC, Vancouver,BC  |  Program in Cosmology   |  (E-Mail Removed)
Canada V6T 1Z1     |      and Gravity        |  www.theory.physics.ubc.ca/
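The directory layout recommended in both replies above (a top anonymous directory that nobody can write into, an incoming drop box that is writable but not listable, an outgoing area that is readable but not writable) can be checked with a short POSIX shell script. This is an added example written for this page, not code from the thread, from Debian or from vsftpd. It assumes a constructed sample tree under a temporary directory so it runs without vsftpd installed; it inspects only the mode bits printed by `ls -ld` (ownership by the ftp user is left out, since that account may not exist on the machine running it); and its "no write bit at all on the top directory" rule is an assumption that is deliberately stricter than whatever test vsftpd itself performs before printing "refusing to run with writable anonymous root".

```shell
#!/bin/sh
# Added example (not from the thread): audit an anonymous-FTP tree laid out
# the way the reply recommends. Only mode bits are examined; the ftp user's
# ownership is assumed, not checked. Sample paths are constructed in a tmpdir.

# mode_of PATH -> prints the 10-character mode string from 'ls -ld',
# e.g. "drwxr-xr-x"; returns 1 if PATH does not exist
mode_of() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | cut -c1-10
}

# mode_char MODE POS -> prints the character at position POS (1..10) of MODE
#   positions: 1 type, 2-4 owner rwx, 5-7 group rwx, 8-10 other rwx
mode_char() {
    printf '%s' "$1" | cut -c"$2"
}

# anon_root_ok DIR -> 0 if DIR is a directory with no write bit for owner,
# group or other (assumed rule: the anonymous root must not be writable by
# anyone, which covers the "writable anonymous root" case in the thread)
anon_root_ok() {
    m=$(mode_of "$1") || return 1
    case "$m" in d*) ;; *) return 1 ;; esac
    for pos in 3 6 9; do
        [ "$(mode_char "$m" "$pos")" = "-" ] || return 1
    done
    return 0
}

# incoming_ok DIR -> 0 if "other" may write (drop files) but not read (list)
incoming_ok() {
    m=$(mode_of "$1") || return 1
    [ "$(mode_char "$m" 9)" = "w" ] && [ "$(mode_char "$m" 8)" = "-" ]
}

# outgoing_ok DIR -> 0 if "other" may read but not write
outgoing_ok() {
    m=$(mode_of "$1") || return 1
    [ "$(mode_char "$m" 8)" = "r" ] && [ "$(mode_char "$m" 9)" = "-" ]
}

# build_demo_tree BASE -> constructed sample: BASE/ftp with the recommended
# layout (the real tree would also be chowned to the ftp user)
build_demo_tree() {
    mkdir -p "$1/ftp/incoming" "$1/ftp/outgoing"
    chmod 555 "$1/ftp"            # dr-xr-xr-x : nobody writes into the top dir
    chmod 733 "$1/ftp/incoming"   # drwx-wx-wx : others may drop files, not list
    chmod 755 "$1/ftp/outgoing"   # drwxr-xr-x : others may read, not write
}

# audit_tree ROOT -> prints one line per check; returns 1 if any check fails
audit_tree() {
    rc=0
    anon_root_ok "$1" && echo "ok   $1 is not writable" \
        || { echo "FAIL $1 is writable or missing"; rc=1; }
    incoming_ok "$1/incoming" && echo "ok   $1/incoming is write-only for others" \
        || { echo "FAIL $1/incoming is not write-only for others"; rc=1; }
    outgoing_ok "$1/outgoing" && echo "ok   $1/outgoing is read-only for others" \
        || { echo "FAIL $1/outgoing is not read-only for others"; rc=1; }
    return $rc
}
```

Point `audit_tree` at a real anonymous root (for example `audit_tree /srv/ftp`) after building the tree; a `FAIL` on the top directory is the condition that makes vsftpd refuse to serve anonymous logins, and a `FAIL` on `incoming` is the usual reason an anonymous `put` returns `550 Permission denied` even with `anon_upload_enable=YES`, because the upload has to land in a subdirectory the ftp user can write.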