Topic: Proftpd-mysql access problem

Timoté Brusson (New user, gtxserv.fr)
Proftpd-mysql access problem
« on: July 18, 2017, 03:49:48 pm »
Hi,

After much searching, I am still running into some problems with proftpd and the MySQL module.
- My server runs CentOS 7 with SELinux in permissive mode.
- My users are managed in a MySQL database.
- My Unix user for proftpd is ftpuser (UID 2001).
- My Unix group for proftpd is ftpgroup (GID 2001).
- The root path of the FTP server is /srv/ftp (the directory is owned by ftpuser:ftpgroup with chmod 775).

When I upload files to my server with FileZilla it works, and creating directories works too.
The files have the following permissions:

Code:
[root@vm-ftp1 timote]# ls -lah --color
total 584K
drwx------.  3 ftpuser ftpgroup   40 Jul  7 10:09 .
drwxr-xr-x.  3 ftpuser ftpgroup   20 Jul  5 16:33 ..
-rw-r--r--.  1 ftpuser ftpgroup 582K Jul  7 10:09 Hydrangeas.jpg
drwxr-xr-x.  2 ftpuser ftpgroup    6 Jul  7 10:09 test

But when I try to download a file, ProFTPD returns an error like this:
Code:
Answer: 550 Hydrangeas.jpg: No such file or directory
Error: Critical error when transferring file

And when I try to open a directory I created earlier, it shows me this:
Code:
Command: CWD test
Answer: 550 test: No such file or directory
Error: Unable to retrieve folder contents

When I run proftpd in verbose mode, it shows these errors:
Code:
dispatching CMD command 'CWD test' to mod_core
dispatching POST_CMD_ERR command 'CWD test' to mod_sql
dispatching LOG_CMD_ERR command 'CWD test' to mod_sql
dispatching LOG_CMD_ERR command 'CWD test' to mod_log

Obviously I have also tried putting all the files in chmod 777 and setting the proftpd umask to 000, but nothing works!

Here is my version of proftpd with its modules:

Code:
ProFTPD Version: 1.3.5e (maint)
Scoreboard Version: 01040003
Built: Wed May 3 2017 14:58:47 UTC

Loaded modules:
 mod_quotatab_sql.c
 mod_quotatab/1.3.1
 mod_sql_mysql/4.0.8
 mod_sql/4.3
 mod_vroot/0.9.2
 mod_ctrls_admin/0.9.7
 mod_lang/1.0
 mod_ctrls/0.9.5
 mod_cap/1.1
 mod_memcache/0.1
 mod_tls/2.6
 mod_auth_pam/1.2
 mod_readme/1.0
 mod_ident/1.0
 mod_dso/0.5
 mod_facts/0.4
 mod_delay/0.7
 mod_site.c
 mod_log.c
 mod_ls.c
 mod_auth.c
 mod_auth_file/1.0
 mod_auth_unix.c
 mod_rlimit/1.0
 mod_xfer.c
 mod_core.c

And here is my configuration file:

Code:
# This is the ProFTPD configuration file

# Global Config
# ======================

SyslogLevel DEBUG

ServerName "FTP"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on

# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot ~ !adm

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off

# Set the user and group that the server runs as
User ftpuser
Group ftpgroup

# File Screening
# ======================

PathDenyFilter "(\\.ftpaccess|\\.ecc|\\.ezz|\\.exx|\\.zzz|\\.xyz|\\.aaa|\\.abc|\\.ccc|\\.vvv|\\.xxx|\\.ttt|\\.micro|\\.encrypted|\\.locked|\\.crypto|_crypt|\\.crinf|\\.r5a|\\.XRNT|\\.XTBL|\\.crypt|\\.R16M01D05|\\.pzdc|\\.good|\\.LOL!|\\.OMG!|\\.RDM|\\.RRK|\\.encryptedRSA|\\.crjoker|\\.EnCiPhErEd|\\.LeChiffre|\\.keybtc@inbox_com|\\.0x0|\\.bleep|\\.1999|\\.vault|\\.HA3|\\.toxcrypt|\\.magic|\\.SUPERCRYPT|\\.CTBL|\\.CTB2|\\.locky|\\.exe|\\.js|\\.bat|\\.batch)$"

# Protection DDos
# ======================

MaxInstances 20
UseSendfile off

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"


# Module loading
# ======================

LoadModule mod_ctrls_admin.c
LoadModule mod_vroot.c
LoadModule mod_auth.c
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c
LoadModule mod_quotatab.c
LoadModule mod_quotatab_sql.c

<IfModule mod_cap.c>
    CapabilitiesEngine off
</IfModule>

ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *

ControlsEngine on
ControlsACLs all allow user root
ControlsSocketACL allow user *
ControlsLog /var/log/proftpd/controls.log

<IfModule mod_ctrls_admin.c>
  AdminControlsEngine on
  AdminControlsACLs all allow user root
</IfModule>

<IfModule mod_vroot.c>
  VRootEngine on
</IfModule>

<IfDefine TLS>
  TLSEngine on
  TLSRequired on
  TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite ALL:!ADH:!DES
  TLSOptions NoCertRequest
  TLSVerifyClient off
  #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
  TLSLog /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>

<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule mod_ban.c
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

  # Inform the user that it's not worth persisting
  BanMessage "Host %a has been banned"

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs all allow user ftpadm
</IfDefine>

# Set networking-specific "Quality of Service" (QoS) bits on the packets used
# by the server (contrib/mod_qos.html)
<IfDefine QOS>
  LoadModule mod_qos.c
  # RFC791 TOS parameter compatibility
  QoSOptions dataqos throughput ctrlqos lowdelay
  # For a DSCP environment (may require tweaking)
  #QoSOptions dataqos CS2 ctrlqos AF41
</IfDefine>


# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes            Plaintext Crypt
SQLAuthenticate         users groups
SQLConnectInfo  ftp@localhost proftpd password
SQLUserInfo     ftpuser userid passwd uid gid homedir shell
SQLGroupInfo    ftpgroup groupname gid members
SQLMinID        500

CreateHome on

SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser

SQLLog  STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies

QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
RootLogin off
RequireValidShell off

# ANONYMOUS
# ==================================

<Anonymous /srv/ftp/anonymous/>
  User ftpuser
  Group ftpgroup

  UserAlias anonymous ftpuser

    <Limit ALL>
      DenyAll
    </Limit>

    <Limit CDUP, CWD, LIST, MDTM, MLSD, MLST, NLST, PWD, RNFR, STAT, XCUP, XCWD, XPWD>
      AllowAll
    </Limit>

    <Limit STOR STOU>
       AllowAll
    </Limit>
</Anonymous>

# GLOBAL
# =================================
<Global>
  User ftpuser
  Group ftpgroup
  Umask 022
  AllowOverwrite on
  User ftpuser
  Group ftpgroup

    <Limit ALL>
      AllowAll
    </Limit>

</Global>

Thanks in advance.
« Last Edit: July 20, 2017, 07:33:24 am by Timoté Brusson »

castaglia (Administrator, Support Hero, http://www.castaglia.org/)
Re: Proftpd-mysql access problem
« Reply #1 on: July 18, 2017, 04:01:08 pm »
What does `ls -aln /srv/ftp` show?  (The -n shows the numeric user/group IDs, rather than the names.)  What UID/GID are configured for your user "ftpuser" in your SQL table?
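
The cross-check asked for in this reply, written out as an added example (my own audit script, not code from the thread or from ProFTPD): it reads the ftpuser table in the column layout of the posted config (SQLUserInfo ftpuser userid passwd uid gid homedir shell, SQLMinID 500) and compares each row's uid/gid with the numeric owner of its home directory, the way `ls -aln` would show it. The table rows and the stand-in filesystem are constructed, since the thread never shows the real row; on the server itself the default `real_stat` consults the live filesystem.

```python
# Added example: my own audit script, not code from the thread or from ProFTPD.
# It performs the cross-check castaglia asks for (numeric owner of the home
# directory vs. the uid/gid stored in SQL) for every row that mod_sql would see,
# using the column layout of the posted config:
#   SQLUserInfo ftpuser userid passwd uid gid homedir shell
#   SQLMinID 500
# Table contents and the stand-in filesystem below are constructed; the thread
# never shows the real rows.
import os
import sqlite3
from typing import Callable, Dict, List, NamedTuple, Optional

SQL_MIN_ID = 500            # SQLMinID from the posted config
FTP_ROOT = "/srv/ftp"       # root path named in the original post


class Owner(NamedTuple):
    uid: int
    gid: int
    mode: int               # permission bits only, e.g. 0o700


def real_stat(path: str) -> Optional[Owner]:
    """What you would use on vm-ftp1 itself: numeric ids straight from stat()."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return Owner(st.st_uid, st.st_gid, st.st_mode & 0o777)


def audit_users(conn: sqlite3.Connection,
                stat_fn: Callable[[str], Optional[Owner]] = real_stat) -> Dict[str, List[str]]:
    """Return {userid: [problems]} for every ftpuser row.

    After login the session runs as the row's uid/gid and, with DefaultRoot ~,
    is chrooted into homedir, so the directory must exist and be owned and
    writable by exactly that identity; rows below SQLMinID are never used.
    """
    findings: Dict[str, List[str]] = {}
    rows = conn.execute(
        "SELECT userid, uid, gid, homedir FROM ftpuser ORDER BY userid").fetchall()
    for userid, uid, gid, homedir in rows:
        problems: List[str] = []
        if uid < SQL_MIN_ID or gid < SQL_MIN_ID:
            problems.append(f"uid/gid {uid}/{gid} is below SQLMinID {SQL_MIN_ID}")
        if not homedir.startswith(FTP_ROOT + "/"):
            problems.append(f"homedir {homedir} is outside {FTP_ROOT}")
        st = stat_fn(homedir)
        if st is None:
            problems.append(f"homedir {homedir} does not exist")
        else:
            if st.uid != uid:
                problems.append(f"homedir is owned by uid {st.uid}, SQL row says uid {uid}")
            if st.gid != gid:
                problems.append(f"homedir group is gid {st.gid}, SQL row says gid {gid}")
            if st.uid == uid and (st.mode & 0o700) != 0o700:
                problems.append(f"owner lacks rwx on homedir (mode {st.mode:04o})")
        findings[userid] = problems
    return findings


SCHEMA = """
CREATE TABLE ftpuser (userid TEXT PRIMARY KEY, passwd TEXT, uid INTEGER,
                      gid INTEGER, homedir TEXT, shell TEXT);
CREATE TABLE ftpgroup (groupname TEXT, gid INTEGER, members TEXT);
"""


def sample_db() -> sqlite3.Connection:
    """Constructed rows (passwd hashes elided); only 'timote' mirrors the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ftpuser VALUES (?, ?, ?, ?, ?, ?)", [
        ("timote", "x", 2001, 2001, "/srv/ftp/timote", "/sbin/nologin"),
        ("lowid",  "x",  499, 2001, "/srv/ftp/lowid",  "/sbin/nologin"),
        ("stray",  "x", 2002, 2001, "/srv/ftp/stray",  "/sbin/nologin"),
        ("nohome", "x", 2003, 2001, "/srv/ftp/nohome", "/sbin/nologin"),
    ])
    conn.execute("INSERT INTO ftpgroup VALUES (?, ?, ?)",
                 ("ftpgroup", 2001, "timote,lowid,stray,nohome"))
    return conn


# Constructed stand-in for `ls -aln`; /srv/ftp/timote copies the thread's
# listing (2001:2001, drwx------).  'stray' is owned by 2001 although its row
# says 2002, and 'nohome' has no directory at all.
FAKE_FS = {
    "/srv/ftp/timote": Owner(2001, 2001, 0o700),
    "/srv/ftp/lowid":  Owner(499, 2001, 0o700),
    "/srv/ftp/stray":  Owner(2001, 2001, 0o700),
}


def fake_stat(path: str) -> Optional[Owner]:
    return FAKE_FS.get(path)


if __name__ == "__main__":
    for user, problems in audit_users(sample_db(), fake_stat).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

On a real box, point `sample_db()` at the MySQL instance instead (any DB-API connection with the same column names works) and drop the `fake_stat` argument; a row that comes back clean means the chroot target exists and belongs to the identity the session will switch to, which is the precondition castaglia's question is probing.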

Timoté Brusson (New user, gtxserv.fr)
Re: Proftpd-mysql access problem
« Reply #2 on: July 19, 2017, 07:18:16 am »
Hi,
Code:
[root@vm-ftp1 ~]# ls -aln /srv/ftp
total 0
drwxrwxr-x+ 7 2001 2001 71 Jul  7 16:55 .
drwxr-xr-x. 4    0    0 28 Jul  5 12:12 ..
drwxrwxr-x+ 3 2001 2001 29 Jul  7 16:01 anonymous
drwx------  2 2001 2001  6 Jul  7 15:23 timote

Here is the row in my ftpgroup table for my user:


« Last Edit: July 20, 2017, 07:48:40 am by Timoté Brusson »

castaglia (Administrator, Support Hero, http://www.castaglia.org/)
Re: Proftpd-mysql access problem
« Reply #3 on: July 19, 2017, 09:54:55 pm »
Thanks!  Could you also provide the output of the following commands:

* `getfacl /srv/ftp`
* `getfacl /srv/ftp/timote` (assuming this is the "test" directory?)

Timoté Brusson (New user, gtxserv.fr)
Re: Proftpd-mysql access problem
« Reply #4 on: July 20, 2017, 07:29:59 am »
Hi,
Code:
[root@vm-ftp1 ~]# getfacl /srv/ftp
getfacl: Removing leading '/' from absolute path names
# file: srv/ftp
# owner: ftpuser
# group: ftpgroup
user::rwx
user:996:rwx
user:si:rwx
group::r-x
mask::rwx
other::r-x

Code:
[root@vm-ftp1 ~]# getfacl /srv/ftp/timote
getfacl: Removing leading '/' from absolute path names
# file: srv/ftp/timote
# owner: ftpuser
# group: ftpgroup
user::rwx
group::---
other::---

The following ACL has been configured:

Code:
[root@vm-ftp1 ~]# setfacl -Rm user:si:rwx /srv/ftp

I forgot to say that this configuration works perfectly under Debian, but this time I have to use CentOS.
« Last Edit: July 20, 2017, 07:37:17 am by Timoté Brusson »
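
To read the two getfacl listings above the way the kernel does, here is an added example (my own code, not from the thread or from ProFTPD). It applies the POSIX.1e evaluation order (owner, named users, owning and named groups, other, with the mask:: entry capping everything but owner and other) to the posted ACLs, then walks the full path to Hydrangeas.jpg as a given user would have to after the session has switched to the SQL row's uid/gid. Two entries are assumptions not shown in the thread: a plain root:root 755 entry for /srv, and an entry for the jpg reconstructed from the `ls -lah` listing in the first post.

```python
# Added example: my own code, not from the thread or from ProFTPD.  It applies
# the POSIX.1e ACL rules (owner, named users, owning/named groups, other, with
# the mask:: cap) to the getfacl output posted above, then walks the path an
# FTP session would need once it has switched to the SQL user's uid/gid.
# Assumptions: a plain root:root 755 entry for /srv, and an entry for
# Hydrangeas.jpg built from the `ls -lah` listing in the first post.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Acl:
    owner: Optional[str] = None
    group: Optional[str] = None
    user_obj: str = "---"                   # user::   (file owner)
    group_obj: str = "---"                  # group::  (owning group)
    other: str = "---"                      # other::
    mask: Optional[str] = None              # mask::   only on extended ACLs (the '+' in ls)
    users: Dict[str, str] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, str] = field(default_factory=dict)  # group:NAME:


def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl(1) listing, ignoring its warning line and #effective notes."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = val.strip()
            elif key.strip() == "group":
                acl.group = val.strip()
            continue
        tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = perms
            else:
                acl.user_obj = perms
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = perms
            else:
                acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
    return acl


def allowed(acl: Acl, user: str, groups: Set[str], want: str) -> bool:
    """True if identity (user, groups) is granted every bit in want ('r','w','x').

    Order is the POSIX.1e one: owner, then named users, then owning group and
    named groups (a single matching entry must grant all requested bits), then
    other.  Named-user and every group entry are capped by mask::.
    """
    need = set(want)

    def grants(perms: str) -> bool:
        return need <= set(perms) - {"-"}

    def masked(perms: str) -> str:
        if acl.mask is None:
            return perms
        return "".join(p if p in acl.mask else "-" for p in perms)

    if user == acl.owner:
        return grants(acl.user_obj)
    if user in acl.users:
        return grants(masked(acl.users[user]))
    candidates = [acl.group_obj] if acl.group in groups else []
    candidates += [p for g, p in acl.groups.items() if g in groups]
    if candidates:
        return any(grants(masked(p)) for p in candidates)
    return grants(acl.other)


def can_reach(acls: Dict[str, Acl], path: str, user: str, groups: Set[str],
              leaf: str = "r") -> Tuple[bool, Optional[str]]:
    """Need 'x' on every directory above path and the `leaf` bits on path itself.
    Returns (ok, first component that refused or is unknown)."""
    parts = path.strip("/").split("/")
    steps = ["/" + "/".join(parts[:i]) for i in range(1, len(parts))] + [path]
    for p in steps:
        want = leaf if p == path else "x"
        if p not in acls or not allowed(acls[p], user, groups, want):
            return False, p
    return True, None


# /srv/ftp and /srv/ftp/timote are copied from the getfacl output posted above;
# /srv and the jpg entry are constructed (see the assumptions at the top).
GETFACL = {
    "/srv": "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x\n",
    "/srv/ftp": ("# owner: ftpuser\n# group: ftpgroup\nuser::rwx\nuser:996:rwx\n"
                 "user:si:rwx\ngroup::r-x\nmask::rwx\nother::r-x\n"),
    "/srv/ftp/timote": "# owner: ftpuser\n# group: ftpgroup\nuser::rwx\ngroup::---\nother::---\n",
    "/srv/ftp/timote/Hydrangeas.jpg": "# owner: ftpuser\n# group: ftpgroup\nuser::rw-\ngroup::r--\nother::r--\n",
}
ACLS = {p: parse_getfacl(t) for p, t in GETFACL.items()}

if __name__ == "__main__":
    target = "/srv/ftp/timote/Hydrangeas.jpg"
    for who, grp in (("ftpuser", {"ftpgroup"}), ("si", {"ftpgroup"}), ("nobody", set())):
        print(who, can_reach(ACLS, target, who, grp))
```

Evaluated with the identity the session actually runs as (uid 2001, which is ftpuser, the owner of every component), each step grants what is needed, so the ACLs and modes as posted do not by themselves refuse that user. Anyone else in ftpgroup, including the `si` user the setfacl was run for, is stopped at /srv/ftp/timote: that directory carries no extended ACL at all, and `setfacl -m` without a `d:` prefix sets no default entries, so directories created afterwards inherit nothing.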

castaglia (Administrator, Support Hero, http://www.castaglia.org/)
Re: Proftpd-mysql access problem
« Reply #5 on: July 30, 2017, 06:28:41 pm »
Hmm. If it works on Debian and not under CentOS, that suggests the issue lies in the differences between those platforms, rather than in ProFTPD.

You mention having SELinux in permissive mode; is it possible to disable the SELinux stuff entirely, for testing?
