Mailinglist Archive: opensuse-de (7975 mails)

Why can Anonymous read files in etc with Proftp?
Hello,

I am in the process of switching from WU.ftp to ProFTP, and somehow I still have a problem. I want and need to have anonymous access.

I can get that working, although I am glad of any tips for improvement there too. My main problem at the moment is this: when I log in as anonymous and change into the etc directory, I can read the two files passwd and group there, and I do not want that.

But I haven't the faintest idea why that works on my system.
I would also like to put Anonymous directly into pub.

I have attached my already somewhat hacked-up proftpd.conf. To make it a bit shorter, I have deleted some comments here.

I am really very grateful for a few tips.

Regards
Fabian

--- snip --- snip

ServerName "ftp.server.com"
ServerType standalone
ServerAdmin ftpadm@xxxxxxxxxx

#ServerIdent on "FTP Server ready"
DeferWelcome on
DefaultServer on

# Enable PAM for authentication...
#
#AuthPAM on

#AuthPAMAuthoritative off

#AuthPAMConfig proftpd

# Port 21 is the standard FTP port.
Port 21

#SocketBindTight on


# Umask 022 is a good standard umask to prevent new dirs
# and files from being group and world writable.
Umask 022

# security fix as recommended by proftpd-development-team
DenyFilter \*.*/

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
# HiddenStor off
# #HideNoAccess on
</Directory>


PathAllowFilter "^[a-zA-Z0-9_.-]+$"
#PathAllowFilter "^[a-zA-Z0-9~ \*\/,_.-]+$"

PathDenyFilter "(\.ftp)|(\.ht)[a-z]+$"
#PathDenyFilter "\.ftp[a-z]+$"

# Do not allow to pass printf-Formats (security! see documentation!):
#AllowFilter "^[a-zA-Z0-9@~' \*\/,_.-]*$"
#DenyFilter "%"

MaxInstances 30

# Performance: skip DNS resolution when we process the logs...
UseReverseDNS on

# Turn off Ident lookups
IdentLookups off

# Set the maximum number of seconds a data connection is allowed
# to "stall" before being aborted.
TimeoutStalled 120

# Where do we put the pid files?
ScoreboardPath /var/run/proftpd

#
# Logging options
#
TransferLog /var/log/xferlog

# Some logging formats
#
LogFormat default "%h %l %u %t \"%r\" %s %b"
#LogFormat auth "%v [%P] %h %t \"%r\" %s"
#LogFormat write "%h %l %u %t \"%r\" %s %b"

# Log file/dir access
#ExtendedLog /var/log/proftpd.access_log WRITE,READ write

# Record all logins
#ExtendedLog /var/log/proftpd.auth_log AUTH auth

# Paranoia logging level....
ExtendedLog /var/log/proftpd.paranoid_log ALL default

#
# Do a chroot for web-users (i.e. public or www group), but
# do not change root if the user is also in the users group...
#
#DefaultRoot ~/public_html public,!users
#

# Limit login attempts
#MaxLoginAttempts 3

# Users needs a valid shell
RequireValidShell on

#
# Use special Auth files instead....
#
#AuthUserFile /var/proftpd/authfiles/passwd
#AuthGroupFile /var/proftpd/authfiles/group

#
# Use LDAP server - see README.LDAP
#
#LDAPServer "localhost"
#LDAPPrefix "dc=your,dc=domain,dc=top"
#LDAPDN "cn=YourDNUser,dc=your,dc=domain,dc=top"
#LDAPDNPass "YourDNUserPassword"



# uncomment for anonymous...:
#
<Anonymous ~ftp>
# # After anonymous login, daemon runs as:
User ftp
Group nogroup
#
# # We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
#
# # Limit the maximum number of anonymous logins
MaxClients 3
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
DisplayLogin msgs/welcome.msg
DisplayFirstChdir .message
#
# # Deny write operations to all directories, underneath root-dir
# # Default is to allow, so we don't need a <Limit> for read operations.
<Directory pub>
<Limit WRITE STOR DIR>
DenyAll
</Limit>
</Directory>
# #
# Only uploads into incoming directory are allowed...
<Directory pub/incoming>

Umask 017

<Limit STOR READ>
DenyAll
</Limit>

#... allow file storing, but not other writes
<Limit STOR CWD CDUP>
AllowAll
</Limit>

</Directory>
<Directory etc>
<Limit ALL>
</Limit>
</Directory>

</Anonymous>
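
An added example, not part of the original post: the `<Directory etc>` section in the config above holds a `<Limit ALL>` block with no rule inside it, and as the config's own comment says, the default is to allow. The Python check below (the function name, rule list and sample are assumptions made for this example) flags every `<Limit>` block in a proftpd.conf that contains no allow/deny directive.

```python
import re

# Directives that make a <Limit> block actually allow or deny something.
ACCESS_RULES = {"allow", "deny", "allowall", "denyall", "allowuser", "denyuser",
                "allowgroup", "denygroup", "allowclass", "denyclass"}
OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"^</\s*(\w+)\s*>$")

def find_empty_limits(conf_text):
    """Return (line_no, enclosing sections, commands) for each rule-less <Limit>."""
    findings, stack = [], []      # stack entries: [name, args, line_no, has_rule]
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            if not stack or stack[-1][0].lower() != m.group(1).lower():
                raise ValueError(f"line {no}: unbalanced </{m.group(1)}>")
            name, args, start, has_rule = stack.pop()
            if name.lower() == "limit" and not has_rule:
                where = " > ".join(f"{n} {a}".strip() for n, a, *_ in stack)
                findings.append((start, where, args.split()))
            continue
        m = OPEN.match(line)
        if m:
            stack.append([m.group(1), m.group(2), no, False])
        elif (stack and stack[-1][0].lower() == "limit"
              and line.split()[0].lower() in ACCESS_RULES):
            stack[-1][3] = True   # this <Limit> really restricts or grants access
    if stack:
        raise ValueError(f"unclosed <{stack[-1][0]}> opened on line {stack[-1][2]}")
    return findings

# Constructed sample, shaped like the <Anonymous> section in the post.
SAMPLE = """\
<Anonymous ~ftp>
  <Directory pub>
    <Limit WRITE STOR DIR>
      DenyAll
    </Limit>
  </Directory>
  <Directory etc>
    <Limit ALL>
    </Limit>
  </Directory>
</Anonymous>
"""
if __name__ == "__main__":
    print(find_empty_limits(SAMPLE))
```
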



