SUSE-pure-ftpd and anonymous ftp

I have for years been using pure-ftpd for non-anonymous ftp. But when I now
want to use also anonymous ftp there are difficulties!


mats@linux-7bll:~> ftp 192.168.1.117
Connected to 192.168.1.117.
220-Welcome to Pure-FTPd.
220-You are user number 4 of 50 allowed.
220-Local time is now 05:54. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 360 minutes of inactivity.
Name (192.168.1.117:mats): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is your current location
ftp> cd /srv/ftp
550 Can't change directory to /srv/ftp: Permission denied
ftp> 

Reading

http://download.pureftpd.org/pub/pure-ftpd/doc/README

I understand that anonymous ftp should be possible as long as the option -E
is not set.

The SUSE-file /etc/passwd has a line


ftp:x:40:49:FTP account:/srv/ftp:/bin/bash

defining the directory /srv/ftp as the home directory of user “ftp”.

When using xinetd with pure-ftpd the server-arguments for the latter have
to be put in /etc/xinetd.d


# default: off
# description: The ftpd server serves FTP connections. It uses normal, \
#       unencrypted usernames and passwords for authentication. This ftpd is \
#       the pure-ftpd.
#    ** NOTE ** when using pure-ftpd from xinetd the arguments to control
#               it's behaviour should be added here in this file in the
#               "server_args" line since the configuration file
#               /etc/pure-ftpd.conf is only for standalone pure-ftpd.
#               The command "/usr/sbin/pure-config-args /etc/pure-ftpd.conf"
#               will print the arguments needed for behaviour like standalone
#               pure-ftpd.
service ftp
{
#    server_args =
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/pure-ftpd
    server_args     = -I 360
}

Except for the “idle time” set to 360 minutes this should be all default
options, no fatal “-E” option

How can the situation be corrected?

It seems to be a pure SUSE setup problem, nothing then to do with pure-ftpd


ftp@linux-7bll:/> su
Password: 
linux-7bll:/ # ls -l /srv/ftp/.bashrc
-rwxrwxrwx 1 root root 0 Oct 10 14:54 /srv/ftp/.bashrc
linux-7bll:/ # su ftp
bash: /srv/ftp/.bashrc: Permission denied

Every user then needs a “.bashrc” file in its home directory. For user “ftp” the “passwd” file sets this home directory to “/srv/ftp”. As “root” I defined an empty “/srv/ftp/.bashrc” with permission for everything but I still get “Permission denied”. In the SUSE setup this .bashrc exists but is practically empty:


# Sample .bashrc for SuSE Linux
# Copyright (c) SuSE GmbH Nuernberg

# There are 3 different types of shells in bash: the login shell, normal shell
# and interactive shell. Login shells read ~/.profile and interactive shells
# read ~/.bashrc; in our setup, /etc/profile sources ~/.bashrc - thus all
# settings made here will also take effect in a login shell.
#
# NOTE: It is recommended to make language settings in ~/.profile rather than
# here, since multilingual X sessions would not work properly if LANG is over-
# ridden in every subshell.

# Some applications read the EDITOR variable to determine your favourite text
# editor. So uncomment the line below and enter the editor of your choice :-)
#export EDITOR=/usr/bin/vim
#export EDITOR=/usr/bin/mcedit

# For some news readers it makes sense to specify the NEWSSERVER variable here
#export NEWSSERVER=your.news.server

# If you want to use a Palm device with Linux, uncomment the two lines below.
# For some (older) Palm Pilots, you might need to set a lower baud rate
# e.g. 57600 or 38400; lowest is 9600 (very slow!)
#
#export PILOTPORT=/dev/pilot
#export PILOTRATE=115200

test -s ~/.alias && . ~/.alias || true

Problem solved but not really understood

The home directory for user “ftp” as set by the “passwd” file is /srv/ftp as I explained in my post. The owner of directory /srv and directory /srv/ftp is “root”. User “ftp” must be given not only read/write permission to both directories but also execution permission??


mats@linux-7bll:~> su
Password: 
linux-7bll:/home/mats # cd /
linux-7bll:/ # chmod 777 srv
linux-7bll:/ # cd srv
linux-7bll:/srv # chmod 777 ftp
linux-7bll:/srv # su mats
mats@linux-7bll:/srv> 

That write permission on /srv/ftp could be needed for uplink is understandable but execution permission?

Anyway, with permissions set in this way anonymous ftp works as expected!


mats@linux-7bll:~> ftp 192.168.1.117
Connected to 192.168.1.117.
220-Welcome to Pure-FTPd.
220-You are user number 5 of 50 allowed.
220-Local time is now 04:19. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 360 minutes of inactivity.
Name (192.168.1.117:mats): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||36971|)
150 Accepted data connection
-rw-r--r--    1 0          0                   6 Apr  1  2012 prova
-rw-r--r--    1 40         49                 56 Oct 13 03:50 yahoo.txt
226-Options: -l 
226 2 matches total
ftp> 

It is also worth pointing out that the LINUX client always requests “Passive mode”. That is why the firewall on the server must be switched off, the firewall used for SUSE Linux is not compatible with “Passive mode”.

On 2012-10-13 22:36, stamcose wrote:

> That write permission on /srv/ftp could be needed for uplink is
> understandable but execution permission?

Executable permission on a directory changes meaning: it means allowing
to cd to that directory. It is called “search directory” in the manual.

> It is also worth pointing out that the LINUX client always requests
> “Passive mode”. That is why the firewall on the server must be switched
> off, the firewall used for SUSE Linux is not compatible with “Passive
> mode”.

No, not true.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)
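
The search bit described in the reply above, as an added example that is not part of any post in this thread: a shell audit that walks the directories leading to an anonymous FTP root and reports, from the "other" mode bits, whether each can be entered and whether it is world-writable, as chmod 777 makes it. The function names and the sample tree are constructed, and the directories are assumed to be root-owned with the FTP account outside the owning group.

```shell
#!/bin/sh
# Added example (constructed): audit the directories leading to an anonymous
# FTP root. Assumption: they are owned by root and the FTP account is neither
# owner nor in the owning group, so the "other" permission bits decide access.

# Classify a 10-character mode string as printed by "ls -ld".
classify_mode() {
    other_w=$(printf '%s' "$1" | cut -c9)     # write bit for "other"
    other_x=$(printf '%s' "$1" | cut -c10)    # search bit: x, or t with sticky
    case $other_x in
        x|t) ;;                               # directory can be entered
        *)   echo "no-search"; return ;;      # cd fails: Permission denied
    esac
    if [ "$other_w" = "w" ]; then
        echo "world-writable"                 # anyone may create or delete entries
    else
        echo "ok"
    fi
}

# Walk from directory $1 up to and including $2 (default /), printing
# "<mode> <verdict> <path>" per directory. Returns 1 if any is not "ok".
audit_ftp_path() {
    dir=$1
    top=${2:-/}
    status=0
    while :; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        verdict=$(classify_mode "$mode")
        echo "$mode $verdict $dir"
        [ "$verdict" = "ok" ] || status=1
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return "$status"
}

# Constructed sample tree standing in for /srv/ftp.
demo=$(mktemp -d)
mkdir -p "$demo/srv/ftp"
chmod 777 "$demo/srv" "$demo/srv/ftp"         # the modes applied in the thread
audit_ftp_path "$demo/srv/ftp" "$demo/srv" || echo "=> world-writable path"
chmod 755 "$demo/srv" "$demo/srv/ftp"         # search and read for all, write for owner
audit_ftp_path "$demo/srv/ftp" "$demo/srv" && echo "=> searchable, owner-only write"
rm -rf "$demo"
```

On a real host the call would be `audit_ftp_path /srv/ftp`, which checks every directory up to `/`.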

On 2012-10-13 23:58, Carlos E. R. wrote:
> On 2012-10-13 22:36, stamcose wrote:

>> It is also worth pointing out that the LINUX client always requests
>> “Passive mode”. That is why the firewall on the server must be switched
>> off, the firewall used for SUSE Linux is not compatible with “Passive
>> mode”.
>
> No, not true.


minas-tirith:~ # ftp anonymous@Telcontar
Connected to Telcontar.valinor.
220 "Welcome to Telcontar FTP service."
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive on
Passive mode: on; fallback to active mode: off.
ftp> dir
229 Entering Extended Passive Mode (|||30008|).
150 Here comes the directory listing.
-rw-r--r--    1 0        0             174 Feb 12  2006 hello
-rw-r--r--    1 0        0             173 Feb 12  2006 hello~
drwx------    4 0        0            4096 Aug 11 16:46 pub
226 Directory send OK.
ftp>
ftp> passive off
Passive mode: off; fallback to active mode: off.
ftp> dir
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             174 Feb 12  2006 hello
-rw-r--r--    1 0        0             173 Feb 12  2006 hello~
drwx------    4 0        0            4096 Aug 11 16:46 pub
226 Directory send OK.
ftp>


Both modes working, both client and server are Linux boxes and both
firewalls are up.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

Firewall on both SUSE-Linux computers over YaST configured to accept service “pure-ftpd” in both “inner zone” and “outer zone”


mats@linux-orph:~> ftp 192.168.1.117
Connected to 192.168.1.117.
220-Welcome to Pure-FTPd.
220-You are user number 2 of 50 allowed.
220-Local time is now 17:25. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 360 minutes of inactivity.
Name (192.168.1.117:mats): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||2640|)
^C
receive aborted. Waiting for remote to finish abort.
ftp> passive off
Passive mode: off; fallback to active mode: off.
ftp> ls
200 PORT command successful
^C
421 Service not available, user interrupt. Connection closed.
ftp>

Firewall up on server and off on client:


mats@linux-orph:~> ftp 192.168.1.117
Connected to 192.168.1.117.
220-Welcome to Pure-FTPd.
220-You are user number 2 of 50 allowed.
220-Local time is now 17:32. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 360 minutes of inactivity.
Name (192.168.1.117:mats): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||49631|)
^C
receive aborted. Waiting for remote to finish abort.
ftp> passive off
Passive mode: off; fallback to active mode: off.
ftp> ls
200 PORT command successful
150 Connecting to port 24112
-rw-r--r--    1 0          0                   6 Apr  1  2012 prova
-rw-r--r--    1 40         49                 56 Oct 13 03:50 yahoo.txt
226-Options: -l
226 2 matches total
ftp>

Firewall off on server and up on client:


mats@linux-orph:~> ftp 192.168.1.117
Connected to 192.168.1.117.
220-Welcome to Pure-FTPd.
220-You are user number 2 of 50 allowed.
220-Local time is now 17:41. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 360 minutes of inactivity.
Name (192.168.1.117:mats): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||13845|)
150 Accepted data connection
-rw-r--r--    1 0          0                   6 Apr  1  2012 prova
-rw-r--r--    1 40         49                 56 Oct 13 03:50 yahoo.txt
226-Options: -l
226 2 matches total
ftp> passive off
Passive mode: off; fallback to active mode: off.
ftp> ls
200 PORT command successful
^C
421 Service not available, user interrupt. Connection closed.
ftp>

Conclusion:

With the firewall setting performed by YaST (service permitted: “pureftpd”) either the client or the server must have the firewall switched off.

If the client is firewall-free active ftp is fine.
If the server is firewall-free passive ftp is fine.

The setting of the firewall from YaST is no good!

And my MS Windows computer’s ftp-client-system does not know the command “passive on/off”. It always uses active ftp and the firewall is by default set such that the server can open the required port. Passive ftp is therefore superfluous!

On 2012-10-14 12:16, stamcose wrote:

> If the client is firewall-free active ftp is fine.
> If the server is firewall-free passive ftp is fine.
>
> The setting of the firewall from YaST is no good!

Well, take control and set it up yourself, then report the bug in bugzilla.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)
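
An added example, not part of any post in this thread: each 229 reply in the sessions above announces a different data port, and in passive mode the server-side firewall has to admit that port in addition to the control port 21. The script extracts the port from 229 replies and checks it against a port range; the function names and the range 30000-30100 are hypothetical.

```shell
#!/bin/sh
# Added example (constructed): check the data ports announced in 229 replies
# against a port range a firewall admits. The range used below is hypothetical.

# Print the TCP port from an EPSV reply such as
#   229 Extended Passive mode OK (|||36971|)
# Prints nothing for any other line.
epsv_port() {
    printf '%s\n' "$1" | sed -n 's/^229 .*(|||\([0-9][0-9]*\)|).*$/\1/p'
}

# Read an FTP client transcript on stdin. For each 229 reply print
# "<port> allowed" or "<port> blocked" for the inclusive range $1..$2.
check_passive_ports() {
    lo=$1
    hi=$2
    while IFS= read -r line; do
        port=$(epsv_port "$line")
        [ -n "$port" ] || continue            # not a 229 reply
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            echo "$port allowed"
        else
            echo "$port blocked"
        fi
    done
}

# Reply lines copied from the sessions in this thread.
check_passive_ports 30000 30100 <<'EOF'
229 Extended Passive mode OK (|||36971|)
150 Accepted data connection
229 Extended Passive mode OK (|||2640|)
229 Extended Passive mode OK (|||49631|)
229 Entering Extended Passive Mode (|||30008|).
EOF
```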