Date: Sat, 10 Mar 2001 14:00:17 -0500 From: "Dennis Jun" <dennisjun@home.com> To: <freebsd-questions@freebsd.org> Subject: proftpd, user/group, ipfw uid/gid Message-ID: <001901c0a994$58a8b800$0300a8c0@wilma>
next in thread | raw e-mail | index | archive | help
Hello all! I'm having some trouble getting proftpd to run child processes something other than root. Actually, it sort of does but I'm not sure. I'm running proftpd 1.2.1 on FreeBSD 4.2-STABLE. When I do do a ps and a sockstat, it appears proftpd has switched to the correct user: <sunnie> ~$ ps auxw | grep proftp nobody 239 0.0 1.8 1320 524 ?? Is 16Jan94 1:50.82 proftpd: proftpd (accepting connections) (proftpd) ftp 4169 0.0 3.3 1360 980 ?? I 1:31PM 0:00.21 proftpd: proftpd: ftp - 192.168.0.3: anonymous: IDLE (proftpd) <sunnie> ~$ sockstat -4 | grep proftp ftp proftpd 4169 0 tcp4 192.168.0.1.21 192.168.0.3.2350 ftp proftpd 4169 1 tcp4 192.168.0.1.21 192.168.0.3.2350 nobody proftpd 239 0 tcp4 *.21 *.* However, when I do a top, under "USERNAME" it is root: 239 root 2 0 1320K 524K select 1:51 0.00% 0.00% proftpd 4169 root 2 0 1360K 980K select 0:00 0.00% 0.00% proftpd My problem is, when I try to use FreeBSD's firewall (ipfw) user id (UID) based filtering, it recognises the owner of the processes as root and not as ftp. Can anyone shed some light or provide an alternative solution? Furthermore, I've tried changing the user/group directives in proftpd.conf to root/wheel from nobody/nogroup, but I get the exact same result. I have thought about running it from the ftp account, however I'd to use port 21 and have access to the shadow passwords. Here's the pam.conf if it helps: <sunnie> ~$ cat /etc/pam.conf | grep ftp ftp auth required pam_unix.so try_first_pass ftp account required pam_unix.so try_first_pass BTW, ftp is obviously an anonymous account. I have included my proftpd.conf file as well: <sunnie> ~$ cat /usr/local/etc/proftpd.conf # # To have more informations about Proftpd configuration # look at : http://www.proftpd.org/ # # This is a basic ProFTPD configuration file (rename it to # 'proftpd.conf' for actual use. It establishes a single server # and a single anonymous login. It assumes that you have a user/group # "nobody" and "ftp" for normal operation and anon. ServerName "Cappy's Personal FTP Server" ServerType standalone DefaultServer on ServerIdent off # RateReadBPS 30000 UseReverseDNS off # Port 21 is the standard FTP port. Port 21 # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable. Umask 022 # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 60 # Set the user and group that the server normally runs at. User nobody Group nogroup # Normally, we want files to be overwriteable. <Directory /*> AllowOverwrite on </Directory> <Limit LOGIN> DenyAll </Limit> ######################################################################### # # # Uncomment lines with only one # to allow basic anonymous access # # # ######################################################################### ### A basic anonymous configuration, no upload directories. <Anonymous ~ftp> <Limit LOGIN> AllowAll </Limit> User ftp Group operator ### We want clients to be able to login with "anonymous" as well as "ftp" UserAlias friends ftp AllowForeignAddress on AnonRequirePassword on ### Limit the maximum number of anonymous logins MaxClients 30 MaxClientsPerHost 5 ### It is wise when making an 'ftp' user that you either block its ### ability to login either via /etc/login.access or my giving it ### an invalid shell. ### Uncomment this if the 'ftp' user you made has an invalid shell RequireValidShell off ### We want 'welcome.msg' displayed at login, and '.message' displayed ### in each newly chdired directory. DisplayLogin welcome.msg # DisplayFirstChdir .message ### Limit WRITE everywhere in the anonymous chroot <Limit WRITE> DenyAll </Limit> <Directory incoming> <Limit STOR MKD> AllowAll </Limit> </Directory> <Directory private> HideNoAccess </Directory> </Anonymous> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001901c0a994$58a8b800$0300a8c0>