Author Topic: mod_vroot prevents log in.  (Read 1930 times)

Offline Mark

mod_vroot prevents log in.
« on: August 08, 2013, 01:37:33 pm »
Quick breakdown:
Need to detect completed uploads to the server, so HiddenStores is in use.
If an upload fails (e.g. client connection loss) the hidden file is left on the FTP server.
So, ExecCommandBefore from mod_exec to catch any STOR command. If a hidden file for the STOR exists it is deleted.

This all works, with the usual proviso that DefaultRoot is not in use.
I'd like to jail the server, and I read that just enabling mod_vroot allows mod_exec to work while still being able to use DefaultRoot.

I think I may have some incompatibility in configuration, because if I set VRootEngine on in the .conf file I can't log in to the server; the client shows a fatal network error "Software caused connection abort".

Entirely likely that I have something basic incorrect, but I don't know what.

Do I need to set up mod_vroot any further to make it work with mod_exec? Is there an example I can follow?

Log file shows:
Aug 08 07:59:03 GIS04138 proftpd[3904] <serverip> (<clientip>[<clientip>]): USER user2: Login successful
Aug 08 07:59:03 mod_sftp/0.9.8[3904]: sending userauth success
Aug 08 07:59:03 mod_sftp/0.9.8[3904]: user 'user2' authenticated via 'password' method
Aug 08 07:59:03 GIS04138 proftpd[3904] <serverip> (<clientip>[<clientip>]): ProFTPD terminating (signal 11)
Aug 08 07:59:03 GIS04138 proftpd[3904] <serverip> (<clientip>[<clientip>]): SSH2 session closed.
Aug 08 08:04:45 GIS04138 proftpd[3899] <serverip>: ProFTPD killed (signal 15)
Aug 08 08:04:45 GIS04138 proftpd[3899] <serverip>: ProFTPD 1.3.4b standalone mode SHUTDOWN

proftpd.conf
ServerType standalone
DefaultServer on
Umask 022
ServerName "127.0.0.1"
ServerIdent on "Test sFTP Server"
ServerAdmin admin@local.com
IdentLookups off
UseReverseDNS off
Port 2222
PassivePorts 49152 65534
TimesGMT on
MaxInstances 30
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 1800
TimeoutIdle 1800
DisplayLogin /usr/local/etc/welcome.msg
DisplayChdir .message
User nobody
Group nobody
DirFakeUser off nobody
DirFakeGroup off nobody
DefaultTransferMode binary
AllowForeignAddress off
AllowRetrieveRestart on
AllowStoreRestart on
DeleteAbortedStores on
TransferRate RETR 220
TransferRate STOR 250
TransferRate STOU 250
TransferRate APPE 250
SystemLog /var/log/proftpd/sftp.log
RequireValidShell off
PidFile /usr/local/var/sftp/proftpd.pid
ScoreboardFile /usr/local/var/sftp/proftpd.scoreboard
LogFormat NEWFORMAT "%h %l %u %t \"%r\" %s %b %f %P %T"
ExtendedLog /home/user2/proftpd-1.3.4b/sftp/extlogfifo ALL NEWFORMAT
#DefaultRoot /home/%u
HiddenStores on

<Directory ~/*>
AllowOverwrite on
HiddenStores on
</Directory>

<IfModule mod_sftp.c>
WrapEngine on
WrapTables file:/home/user2/proftpd-1.3.4b/sftp/ftpd.allow file:///home/user2/proftpd-1.3.4b/sftp/ftpd.deny
WrapOptions CheckOnConnect
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPHostKey /etc/ssh/ssh_host_rsa_key
#SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys
SFTPCompression on
MaxLoginAttempts 6
SFTPClientMatch .* channelWindowSize 1GB
SFTPDisplayBanner /home/user2/proftpd-1.3.4b/sftp/welcome.msg
</IfModule>

<IfModule mod_exec.c>
ExecEngine on
ExecLog /var/log/proftpd/exec.log
ExecBeforeCommand STOR /home/user2/script_test/delfile.sh %f
</IfModule>
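
A sketch of what a cleanup hook like the delfile.sh in the post above could look like, added here as an example; it is not the poster's script, which the thread does not show. It assumes HiddenStores uses its default temporary name `.in.<filename>.` next to the upload target and that mod_exec passes the target as an absolute path in %f; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: a possible body for a STOR cleanup hook (not the poster's script).
# Assumption: HiddenStores writes uploads to ".in.<filename>." in the same
# directory as the final file, and %f arrives as an absolute path in $1.

# Print the hidden-store path that corresponds to an upload target.
hidden_store_path() {
    target=$1
    dir=$(dirname -- "$target")
    base=$(basename -- "$target")
    printf '%s/.in.%s.\n' "$dir" "$base"
}

# Remove a stale hidden-store file for the target, if one exists.
# Returns 0 if it was removed or there was nothing to do, 1 if refused.
cleanup_hidden_store() {
    target=$1
    # The path is client-influenced: accept absolute paths only.
    case $target in
        /*) ;;
        *) return 1 ;;
    esac
    # Refuse ".." components so the hook cannot be steered elsewhere.
    case $target in
        */../*|*/..) return 1 ;;
    esac
    hidden=$(hidden_store_path "$target")
    # Never follow or delete a symlink planted under the hidden name.
    if [ -L "$hidden" ]; then
        return 1
    fi
    # Only regular files are removed; "--" stops option parsing on odd names.
    if [ -f "$hidden" ]; then
        rm -f -- "$hidden" || return 1
    fi
    return 0
}

# When invoked as the hook (script %f), act on the first argument.
if [ "$#" -ge 1 ]; then
    cleanup_hidden_store "$1"
fi
```

Quoting every expansion matters here because the filename comes from the client's STOR request.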

Offline castaglia

Re: mod_vroot prevents log in.
« Reply #1 on: August 09, 2013, 10:50:07 pm »
Hmm.  I'm not able to duplicate this crash locally, at least running the latest proftpd code and latest mod_vroot (from GitHub).  Could you provide proftpd debug logging (debug level 10), for a full connection?  And the full SFTPLog?

Offline Mark

Re: mod_vroot prevents log in.
« Reply #2 on: August 12, 2013, 08:27:10 am »
I've come back to it this morning and can't replicate it either. Strange.
I'll do some more testing and see if I can break it; either way, exec & vroot seem to be playing nicely so far.

 
