From: "Dennis Jun"
To: freebsd-questions@freebsd.org
Subject: proftpd, user/group, ipfw uid/gid
Date: Sat, 10 Mar 2001 14:00:17 -0500

Hello all!

I'm having some trouble getting proftpd to run child processes as something other than root. Actually, it sort of does, but I'm not sure. I'm running proftpd 1.2.1 on FreeBSD 4.2-STABLE.

When I do a ps and a sockstat, it appears proftpd has switched to the correct user:

~$ ps auxw | grep proftp
nobody   239  0.0  1.8  1320  524  ??  Is   16Jan94   1:50.82 proftpd: proftpd (accepting connections) (proftpd)
ftp     4169  0.0  3.3  1360  980  ??  I     1:31PM   0:00.21 proftpd: proftpd: ftp - 192.168.0.3: anonymous: IDLE (proftpd)

~$ sockstat -4 | grep proftp
ftp      proftpd    4169    0  tcp4   192.168.0.1.21    192.168.0.3.2350
ftp      proftpd    4169    1  tcp4   192.168.0.1.21    192.168.0.3.2350
nobody   proftpd     239    0  tcp4   *.21              *.*

However, when I do a top, under "USERNAME" it is root:

  239 root   2   0  1320K   524K select   1:51  0.00%  0.00% proftpd
 4169 root   2   0  1360K   980K select   0:00  0.00%  0.00% proftpd

My problem is, when I try to use FreeBSD's firewall (ipfw) user id (UID) based filtering, it recognises the owner of the processes as root and not as ftp. Can anyone shed some light or provide an alternative solution?

Furthermore, I've tried changing the user/group directives in proftpd.conf to root/wheel from nobody/nogroup, but I get the exact same result. I have thought about running it from the ftp account; however, I'd like to use port 21 and have access to the shadow passwords.

Here's the pam.conf if it helps:

~$ cat /etc/pam.conf | grep ftp
ftp     auth      required    pam_unix.so    try_first_pass
ftp     account   required    pam_unix.so    try_first_pass

BTW, ftp is obviously an anonymous account.

I have included my proftpd.conf file as well:

~$ cat /usr/local/etc/proftpd.conf
#
# To have more information about Proftpd configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
#
# (The <Anonymous>, <Limit> and <Directory> container lines that
# enclose the DenyAll/AllowAll directives below did not survive in
# this copy of the message.)

ServerName                      "Cappy's Personal FTP Server"
ServerType                      standalone
DefaultServer                   on
ServerIdent                     off
# RateReadBPS                   30000
UseReverseDNS                   off

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    60

# Set the user and group that the server normally runs at.
User                            nobody
Group                           nogroup

# Normally, we want files to be overwriteable.
AllowOverwrite                  on

DenyAll

#########################################################################
#                                                                       #
#     Uncomment lines with only one # to allow basic anonymous access   #
#                                                                       #
#########################################################################

### A basic anonymous configuration, no upload directories.
AllowAll
User                            ftp
Group                           operator

### We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias                       friends ftp
AllowForeignAddress             on
AnonRequirePassword             on

### Limit the maximum number of anonymous logins
MaxClients                      30
MaxClientsPerHost               5

### It is wise when making an 'ftp' user that you either block its
### ability to login either via /etc/login.access or by giving it
### an invalid shell.
### Uncomment this if the 'ftp' user you made has an invalid shell
RequireValidShell               off

### We want 'welcome.msg' displayed at login, and '.message' displayed
### in each newly chdired directory.
DisplayLogin                    welcome.msg
# DisplayFirstChdir             .message

### Limit WRITE everywhere in the anonymous chroot
DenyAll
AllowAll
HideNoAccess
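Added note and check, not part of the original post: ps(1) and sockstat(1) report a process's effective uid while top(1) reports its real uid, and an ipfw uid rule matches on the credential attached to the socket, which is recorded when the socket is created (as root, for a listener bound to port 21) and inherited by accepted connections. A daemon that changes user with seteuid() therefore keeps root as its real uid, which is what the top output above and the ipfw behaviour both reflect. The script below is written for this page and runs on constructed sample data that mirrors the pids in the post; the live command it imitates is shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original post. Lists processes whose real uid
# (what top shows) differs from their effective uid (what ps and sockstat
# show). The sample output is constructed to mirror the pids in the post;
# on a live FreeBSD box feed it real output instead:
#   ps -axo pid,ruser,user,command | grep '[p]roftpd'

SAMPLE_PS='PID RUSER USER COMMAND
239 root nobody proftpd: proftpd (accepting connections) (proftpd)
4169 root ftp proftpd: proftpd: ftp - 192.168.0.3: anonymous: IDLE (proftpd)
4170 ftp ftp sleep 60'

# find_uid_mismatch PS_OUTPUT
# Prints "pid ruser user" for each line (header skipped) where the real and
# effective user differ, i.e. processes that only switched their effective id
# and can still switch back to root.
find_uid_mismatch() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 != $3 { print $1, $2, $3 }'
}

# count_uid_mismatch PS_OUTPUT
# Number of such processes (0 when every process has ruid == euid).
count_uid_mismatch() {
    find_uid_mismatch "$1" | wc -l | tr -d ' '
}

find_uid_mismatch "$SAMPLE_PS"
```

A process listed here is one that ipfw's uid keyword may classify differently from the user ps and sockstat show, because the socket credential was fixed before the effective-uid switch.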