#1
I have ProFTPd set up and it's working great, but I'm wondering if there's a way to change something.

When I log in with my username/password, I'm taken to my personal folder for Linux (/home/myusername/). If I go "up one level" in my FTP client, I see my folder and another folder that I have shared. No problem there, since this is what I expected to see. When I go "up one level" again, I see everything on the server! Not good. I shouldn't be able to see all of this stuff.

Any idea how I can limit my login (and other logins) to the /home/ directory?

Here is a copy of my proftpd.conf file. I have removed the commented stuff for clarity. Also, here is the file AuthUserFile that controls the login names and passwords.

####################
myusername:myEncryptedPassword:99:99:myusername virt domain owner:/home/SharedDocuments:/sbin/nologin
####################

ServerName "FTP Server"
ServerType standalone
DefaultServer on
RequireValidShell off
TimeoutStalled 1000
Port 21
Umask 022
MaxInstances 30
User nobody
Group nobody
<Directory /*>
  AllowOverwrite on
</Directory>
AuthUserFile /etc/proftpd/proftpd.passwd
AuthGroupFile /etc/proftpd/proftpd.group
DefaultRoot ~
DirFakeUser on ~
DirFakeGroup on ~
<Anonymous ~ftp>
  User ftp
  Group ftp
  UserAlias anonymous ftp
  MaxClients 10
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

#2
#3
Hmmm, I'm confused. It says...

"The most common configuration requested is to restrict users to their home directories, which can be done simply by adding the following line to your proftpd.conf: DefaultRoot ~"

I've got that showing in my config file. Have I missed something?

#4
Stupid question, but have you restarted ProFTPD after you made the changes?
#5
Yep. Just did and I can get to the top level. There must be something I'm missing.

Did you notice I'm authenticating users with an external file? This is a new thing for me so I'm not sure 100% that I'm doing it right. Any info on that?

#6
Ok, I have decided to remove the external authentication lines (AuthUserFile and AuthGroupFile) and use the Linux usernames and passwords to authenticate.

Now that I have done this, I still cannot jail my users to their home directories. I have each of my users in a group called "MyUsers" and their home directories are located under /home/. Those directories are given ownership to the username and the File Group parameter has been set for MyUsers. I'm not sure if the File Group should be set for MyUsers, but so far, so good, because now when the user logs in using their username and password, they are taken to their home directory and they can read and write to their home directory. However, when they change directories to go up one level, they are still able to go all the way up to the top level.

This is really stumping me because I'm using the DefaultRoot parameter in the config file. This should effectively jail the user to their home directory, but it's not working.

#7
Also, I want to remove Anonymous logins. I have read the documentation on this, and it says to simply remove the <anonymous> declarations from the config file. I have done this, but I can still log in anonymously and I see the "pub" directory. Any ideas why?

#8
I have exactly the same problem and have for 4 months
I have been messing with Proftpd for about 4 months - off and on - because I have the same problem. The docs clearly state that you should use "DefaultRoot ~", within a <Global> directive, to jail users to their home directory. Alternatively, you can use the full path (eg. "DefaultRoot /usr/local/ftp") to chroot the users; on my RedHat 7.3 box this absolutely does nothing. Users can log in to the appropriate home directories and are then able to move thru the entire directory structure. I'm on a users mailing list and I've posted my config file, etc. and no one can tell why it shouldn't work. But I know this: it doesn't. The anonymous FTP was incredibly fast - I have a cable modem and it was serving like a T3 (200 to 300 kb per sec). Wish I could get this to work - did you ever figure out what the problem was...?
#9
Yeah, I'm all good now. Here's what my config file looks like:

ServerName "FTP Server"
ServerType standalone
ServerAdmin me@you.com
DefaultServer on
RequireValidShell off
TimeoutStalled 300
TimeoutNoTransfer 1000
TimeoutIdle 1000
UseReverseDNS off
AllowRetrieveRestart on
ServerIdent Off
DefaultRoot ~
ListOptions -a
DisplayConnect /etc/proftpd/prelogin.msg
Port 21
Umask 022
MaxInstances 15
MaxClientsPerHost 3
User nobody
Group nobody
<Directory />
  HideUser root
  AllowOverwrite on
  HideNoAccess On
  <Limit ALL>
    AllowAll
  </Limit>
  <Limit SITE_CHMOD>
    AllowAll
  </Limit>
</Directory>

Hope this helps!

#10
Really appreciate the speedy reply - you know how maddening this stuff can be - AND I'm a relative Linux newbie. Copied and pasted the config file and the only problem was the "ListOption -a"; when I shut down the program it indicated an unknown there, so I just edited that out. I haven't read the docs enough to know what that is, does, etc.

Anyway, added a fictitious user "jerry" (at this point, I was wondering if it was the syntax I was using to create the user ..... anything). On login Proftpd created a directory for Jerry at /home/Jerry and 'ol Jerry can go thru the entire PC - STILL! Argh! Man, I am absolutely lost. I have even just deleted the Proftpd directories and compiled different versions - all to no avail. I've posted the modules, run debug - no one can figure it out.

With this config file, on your system, any old user is properly chrooted, correct? I have Apache with virtual servers (7 domains), qmail, squirrelmail, php - the whole enchilada. Never had this much of a problem with anything. I'm running vsftpd on another box at the moment - still determined to get this......

My original install included some commands I found on a page by a "Dr. Chang" - I wonder if there was something in the script that made it go haywire (permissions or something - it included that....). Good lord, I dunno. Thanks very much, by the way

#11
Yeah, you should check and see what version of ProFTPd you're running. I'm running the latest version, so that could be the reason the option isn't working for you. If memory serves, that option has been around since 1.2.8 or so, so you may want to think about upgrading to the latest just to be up to date with the latest features and bug fixes.

>> Anyway, added a fictitious user "jerry"

How did you add the user? With the useradd command? I'm assuming you're authenticating to the /etc/passwd file. So that means the usernames and passwords that people give to their FTP client will correspond to usernames and passwords from your /etc/passwd file. That's how I'm doing it. I know when this post began, I was talking about authenticating to an external file, but I quickly gave up on that idea. I think it's a little too over my head, and I'm fine with authenticating to the /etc/passwd file. Please let me know how you're trying to authenticate, as that will help me understand what's wrong.

>> on login Proftpd created a directory for Jerry at /home/Jerry

I don't think ProFTPd creates any home directories if they do not exist. I think more likely your home directory was created when you added the user using the useradd command. If you're authenticating to the /etc/passwd file, proftpd uses the username and password and tries to chroot the user to the home directory that's listed in the /etc/passwd file. This directory must exist and it must be owned by the user. I think those are the only requirements, but you may want to chmod the directory to 755 if that isn't working.

And yes, all my users are chrooted just fine with this config. This is my production config file, so I know it works.
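
Added example, not part of the thread or of ProFTPD: a small Python check that reports which server scopes in a proftpd.conf have no DefaultRoot in effect and which `<Anonymous>` sections are still defined. It relies on DefaultRoot being valid in the server config, `<VirtualHost>` and `<Global>` contexts, with only `<Global>` reaching every server. The `audit` function, the sample text and the `<VirtualHost 192.0.2.10>` block are constructed for illustration.

```python
import re

# Constructed sample: directives from the first post's config plus a
# hypothetical <VirtualHost> that the top-level DefaultRoot does not cover.
SAMPLE_CONF = """\
ServerName "FTP Server"
DefaultRoot ~
<Directory /*>
  AllowOverwrite on
</Directory>
<VirtualHost 192.0.2.10>
  ServerName "Second server"
</VirtualHost>
<Anonymous ~ftp>
  User ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
"""

def audit(conf_text):
    """Return (server scopes with no DefaultRoot, <Anonymous> sections found)."""
    stack, anonymous = [], []           # open sections, innermost last
    roots = {"main server": None}       # server scope -> its own DefaultRoot
    global_root = None                  # DefaultRoot set inside <Global>
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<(\w+)\s*(.*?)>", line)
        if re.fullmatch(r"</\w+>", line):
            stack.pop()                 # assumes well-formed nesting
        elif opened:
            name, arg = opened.group(1).lower(), opened.group(2)
            stack.append((name, arg))
            if name == "virtualhost":
                roots["VirtualHost " + arg] = None
            elif name == "anonymous":
                anonymous.append(arg)
        elif line.split()[0].lower() == "defaultroot":
            value = line.split(None, 1)[1]
            if not stack:
                roots["main server"] = value
            elif stack == [("global", "")]:
                global_root = value
            elif len(stack) == 1 and stack[0][0] == "virtualhost":
                roots["VirtualHost " + stack[0][1]] = value
    unjailed = [s for s, v in roots.items() if (v or global_root) is None]
    return unjailed, anonymous

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Run it against the configuration file the running daemon actually loads; a result that disagrees with what the FTP client shows suggests the daemon is reading a different file.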
Dev Shed Forums > System Administration > FTP Help > ProFTPd question