vsftpd and symlinks to directory
Hi,
how to enable anonymous users to change directory into a symlink? My anonymous user's ftp root is /usr/local/ftp. I create a symlink to another directory, say "source". But when I tried using the anonymous users to cd to "source", I got message "Fail to change directory".
Any help is appreciated.
Regards, Verdi
Need to clarify, that the symlink 'source' is created under /usr/local/ftp.
On Monday 30 September 2002 18:45, Verdi March wrote:
Hi,
how to enable anonymous users to change directory into a symlink? My anonymous user's ftp root is /usr/local/ftp. I create a symlink to another directory, say "source". But when I tried using the anonymous users to cd to "source", I got message "Fail to change directory".
Any help is appreciated.
Regards, Verdi
On Mon, 2002-09-30 at 07:03, Verdi March wrote:
Need to clarify, that the symlink 'source' is created under /usr/local/ftp.
On Monday 30 September 2002 18:45, Verdi March wrote:
Hi,
how to enable anonymous users to change directory into a symlink? My anonymous user's ftp root is /usr/local/ftp. I create a symlink to another directory, say "source". But when I tried using the anonymous users to cd to "source", I got message "Fail to change directory".
Any help is appreciated.
My understanding of vsftpd is that it creates a chroot environment for anonymous users. This may be preventing your users from changing outside the /usr/local/ftp directory. This is a very good security design.
If the size of your "source" directory is not too large, you could just copy it into /usr/local/ftp.
Best Regards, Keith -- LPIC-2, MCSE, N+ Sing blue silver Got spam? Get spastic http://spastic.sourceforge.net
Hi, thanks. Unfortunately it's quite large. In fact, it's another partition.
Regards, Verdi
On Monday 30 September 2002 20:52, Keith Winston wrote:
On Mon, 2002-09-30 at 07:03, Verdi March wrote:
Need to clarify, that the symlink 'source' is created under /usr/local/ftp.
On Monday 30 September 2002 18:45, Verdi March wrote:
Hi,
how to enable anonymous users to change directory into a symlink? My anonymous user's ftp root is /usr/local/ftp. I create a symlink to another directory, say "source". But when I tried using the anonymous users to cd to "source", I got message "Fail to change directory".
Any help is appreciated.
My understanding of vsftpd is that it creates a chroot environment for anonymous users. This may be preventing your users from changing outside the /usr/local/ftp directory. This is a very good security design.
If the size of your "source" directory is not too large, you could just copy it into /usr/local/ftp.
Best Regards, Keith -- LPIC-2, MCSE, N+ Sing blue silver Got spam? Get spastic http://spastic.sourceforge.net
On Mon, 2002-09-30 at 22:02, Verdi March wrote:
Hi, thanks. Unfortunately it's quite large. In fact, it's another partition.
Did you verify the permissions on the target of your symlink, that the anonymous user will be able to read it? This is just a guess.
Best Regards, Keith -- LPIC-2, MCSE, N+ Sing blue silver Got spam? Get spastic http://spastic.sourceforge.net
Hi,
Yes. The target of my symlink is a fat32 partition. The permissions I set upon mount is root:users, writable by all under group "users". My anonymous user is "ftp", under group "daemon,users".
I just verified this with a non-anonymous user. I created a symlink in this non-anonymous' home directory to the fat32 partition. On the shell, I can access this fat32 partition (read, write). Through ftp, I cannot change into this directory.
Regards, Verdi
On Tuesday 01 October 2002 13:37, Keith Winston wrote:
On Mon, 2002-09-30 at 22:02, Verdi March wrote:
Hi, thanks. Unfortunately it's quite large. In fact, it's another partition.
Did you verify the permissions on the target of your symlink, that the anonymous user will be able to read it? This is just a guess.
Best Regards, Keith -- LPIC-2, MCSE, N+ Sing blue silver Got spam? Get spastic http://spastic.sourceforge.net
On Tue, Oct 01, 2002 at 01:57:18PM +0800, Verdi March wrote:
Hi,
Yes. The target of my symlink is a fat32 partition. The permissions I set upon mount is root:users, writable by all under group "users". My anonymous user is "ftp", under group "daemon,users".
I just verified this with a non-anonymous user. I created a symlink in this non-anonymous' home directory to the fat32 partition. On the shell, I can access this fat32 partition (read, write). Through ftp, I cannot change into this directory.
Completely unresearched thoughts:
IINM the above is by design (?) It would make some kind of sense (to me anyway) that ftp disallows following symlinks...
How about maybe chroot'ing your anonymous user to the partition?
HTH
Jon Clausen
Hm,
Your scenario works if anonymous couldn't upload.
By default the root of anonymous is "/windows/d". The anonymous user's - "ftp" - home directory is "/windows/d/sources". Your suggested scenario works if the user ftp can only 'read' into "/windows/d".
But if I tried to make user "ftp" has 'write' access -- by making user "ftp" part of group "users" -- the anonymous login will not work.
=====
500 OOPS: vsftpd: refusing to run with writable anonymous root
ftp: Login failed.
=====
No wonder this thing is called 'very secure' ftpd.
Regards, Verdi
On Tuesday 01 October 2002 16:03, Jon Clausen wrote:
On Tue, Oct 01, 2002 at 01:57:18PM +0800, Verdi March wrote:
Hi,
Yes. The target of my symlink is a fat32 partition. The permissions I set upon mount is root:users, writable by all under group "users". My anonymous user is "ftp", under group "daemon,users".
I just verified this with a non-anonymous user. I created a symlink in this non-anonymous' home directory to the fat32 partition. On the shell, I can access this fat32 partition (read, write). Through ftp, I cannot change into this directory.
Completely unresearched thoughts:
IINM the above is by design (?) It would make some kind of sense (to me anyway) that ftp disallows following symlinks...
How about maybe chroot'ing your anonymous user to the partition?
HTH
Jon Clausen
On Tuesday 01 October 2002 10.57, Verdi March wrote:
Hm,
Your scenario works if anonymous couldn't upload.
By default the root of anonymous is "/windows/d". The anonymous user's - "ftp" - home directory is "/windows/d/sources". Your suggested scenario works if the user ftp can only 'read' into "/windows/d".
But if I tried to make user "ftp" has 'write' access -- by making user "ftp" part of group "users" -- the anonymous login will not work.
=====
500 OOPS: vsftpd: refusing to run with writable anonymous root
ftp: Login failed.
=====
No wonder this thing is called 'very secure' ftpd.
Is it necessary for you to have the windows partition mounted on /windows/d? If it isn't, you could create a directory under /usr/local/ftp and mount it there. That way the root (usr/local/ftp) isn't writable, but your windows dir is
//Anders
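A pre-flight check for the two failures seen in this thread (a symlink that leaves the chroot, and a writable root), as an added example that is not part of any poster's message and is not vsftpd code. The function names are hypothetical, `readlink -f` is assumed to be available (GNU coreutils or BusyBox), and the writable-root test looks only at mode bits as a simplification.

```shell
#!/bin/sh
# Added example: pre-flight checks for a directory an FTP server will chroot() into.
# Function names are hypothetical; this is not vsftpd code.

# List symlinks under ROOT that will not resolve after chroot(ROOT):
#   escapes  - target lies outside ROOT, so it does not exist inside the jail
#   absolute - target is an absolute path, resolved against the new "/"
#   dangling - target cannot be resolved even before chroot
broken_in_chroot() {
    root=$(cd "$1" && pwd -P) || return 2
    find "$root" -type l | while IFS= read -r link; do
        raw=$(readlink "$link")
        case "$raw" in
            /*) echo "absolute: $link -> $raw"; continue ;;
        esac
        resolved=$(readlink -f "$link") || { echo "dangling: $link -> $raw"; continue; }
        case "$resolved" in
            "$root"|"$root"/*) ;;   # stays inside the jail
            *) echo "escapes: $link -> $resolved" ;;
        esac
    done
}

# Exit 0 if ROOT itself has group- or other-write permission bits set.
# Simplification: looks at mode bits only, not at the effective access
# of the FTP account.
root_mode_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}
```

A directory mounted beneath the root, as suggested above, produces no output from `broken_in_chroot` because it is a real directory inside the jail rather than a link out of it.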
Hi Anders,
nice trick. Thanks.
Regards, Verdi
On Tuesday 01 October 2002 17:04, Anders Johansson wrote:
On Tuesday 01 October 2002 10.57, Verdi March wrote:
Hm,
Your scenario works if anonymous couldn't upload.
By default the root of anonymous is "/windows/d". The anonymous user's - "ftp" - home directory is "/windows/d/sources". Your suggested scenario works if the user ftp can only 'read' into "/windows/d".
But if I tried to make user "ftp" has 'write' access -- by making user "ftp" part of group "users" -- the anonymous login will not work.
=====
500 OOPS: vsftpd: refusing to run with writable anonymous root
ftp: Login failed.
=====
No wonder this thing is called 'very secure' ftpd.
Is it necessary for you to have the windows partition mounted on /windows/d? If it isn't, you could create a directory under /usr/local/ftp and mount it there. That way the root (usr/local/ftp) isn't writable, but your windows dir is
//Anders
On Tue, 2002-10-01 at 06:15, Verdi March wrote:
Hi Anders,
nice trick. Thanks.
Regards, Verdi
Anders has lots of good ideas. I wish I had thought of that one.
Did it work?
Best Regards, Keith -- LPIC-2, MCSE, N+ Sing blue silver Got spam? Get spastic http://spastic.sourceforge.net
On Tuesday 01 October 2002 18:34, Keith Winston wrote:
On Tue, 2002-10-01 at 06:15, Verdi March wrote:
Hi Anders,
nice trick. Thanks.
Regards, Verdi
Anders has lots of good ideas. I wish I had thought of that one.
Did it work?
Ha, you need to ask ;) ? Sure it works. Regards, Verdi
Best Regards, Keith -- LPIC-2, MCSE, N+ Sing blue silver Got spam? Get spastic http://spastic.sourceforge.net
On Tue, Oct 01, 2002 at 06:44:31PM +0800, Verdi March wrote:
On Tuesday 01 October 2002 18:34, Keith Winston wrote:
On Tue, 2002-10-01 at 06:15, Verdi March wrote:
Hi Anders,
nice trick. Thanks.
Regards, Verdi
Anders has lots of good ideas. I wish I had thought of that one.
Did it work?
Ha, you need to ask ;) ? Sure it works.
Nifty !-) Jon
participants (4)
- Anders Johansson
- Jon Clausen
- Keith Winston
- Verdi March