ProFTPD Limit Problem

  • Hi


    I found a problem which can prevent users from deleting their files in htdocs.


    Given
    - customer with domain1.tld and an alias domain2.tld.
    - FTP-User ftp@domain2.tld with home /domain2.tld
    - Customer uses FTP to put a file in domain2.tld/htdocs/test.php
    - Customer cannot delete this file with this FTP-User.


    I went deeper and tried to figure out the reason... because all Limit-Configs seem ok.
    If one of the following is true, then the customer can delete the file:
    - ftp-users home is / (home of domain1.tld)
    - "Include /etc/proftpd/root_domain.conf" is commented
    - "Include /etc/proftpd/imscp/*" is commented


    This looks strange... only if both config files with the Limit directives are loaded, then the problem can occur.


    And inside these files: customer can delete when either changing the line
    <Directory ~/htdocs>
    to
    <Directory ~/htdocs1>


    or the line
    <Directory /var/www/virtual/domain1.tld/domain2.tld/htdocs/*>
    to
    <Directory /var/www/virtual/domain1.tld/domain2.tld/htdocs1/*>


    (should be clear where these lines are written).


    The first one is from a deny rule, the second one is an allow rule...


    It's really strange!


    Can others confirm?


    /Joxi


  • I'll have a look ASAP. Proftpd limit seems to be a remaining problem.


  • Hi Joxi..
    Sorry for pushing this thread.. But I found this thread with Google.. :)
    I have the same problem on a fresh installation...


    A domain user can do anything without a problem.
    But a ftpuser for a subdomain, alias or subalias can't delete a file or directory.


    Now I tested since 20:00 h..
    The problem is this configuration file under /etc/proftpd/imscp:

    Code
    <Directory /var/www/virtual/myDomain.tld/test.de/cgi-bin>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        DenyAll
      </Limit>
    </Directory>
    <Directory /var/www/virtual/myDomain.tld/test.de/cgi-bin/*>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        AllowAll
      </Limit>
    </Directory>
    <Directory /var/www/virtual/myDomain.tld/test.de/htdocs>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        DenyAll
      </Limit>
    </Directory>
    <Directory /var/www/virtual/myDomain.tld/test.de/htdocs/*>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        AllowAll
      </Limit>
    </Directory>
    <Directory /var/www/virtual/myDomain.tld/test.de/phptmp>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        DenyAll
      </Limit>
    </Directory>
    <Directory /var/www/virtual/myDomain.tld/test.de/phptmp/*>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        AllowAll
      </Limit>
    </Directory>


    Now I changed the config file to:


    And now it works for me... Can you test this too, and check whether there is no security problem?
    I will create a ticket for this issue.


    Thanks Sascha

  • Hi Sascha


    Well - the reason why we have the Limits set is: the user should not delete some folders: htdocs, cgi-bin and phptmp.. because there may be problems when restarting apache (or other services).
    So - if you allow users to delete "htdocs" - then it's your problem.


    I also saw the problem with the htdocs rule - but you also noticed that if you disable the "root_domain.conf" then it's also working? So we have a problem with two proftp-conf files which obviously have some dependencies...


    But - I have no solution yet...
    One may be to create for every (sub)domain(alias) a conf-file for proftpd - but this will make proftp slower (some users already see problems with many conf-files...).


    The only solution I see is changing the rights of the users root folder... don't allow the user to write anything directly in the users home...


    /var/www/virtual/domain.tld should not be writable by the user domain.tld.
    Only some subfolders should be writable: htdocs and others and some additional folders e.g. "private" or "data"... for "personal use"....


    And then I'd also suggest to put every additional domain (alias... and subdomains) in an extra folder... eg
    /var/www/virtual/domain.tld/addon-domains
    or
    /var/www/virtual/domain.tld/sub
    etc...


    *OR* - to implement the independency user/domain - put all domains in an extra folder....
    /var/www/virtual/userx/domains/dom1.tld


    Of course also with restricted write permissions....


    We could start with only restricted write perms in /var/www/virtual/domain.tld - the other options are for later...



    what do others think?
    /J

  • Hi...
    We are working with the solution to put every sub, alias or sub alias under
    /var/www/virtual/domain.tld/


    I think the LIMITs are nearly correct..
    Take a look at http://www.proftpd.org/docs/howto/Directory.html


    I think the solution is very close to us..


    I'm with you to change to user login and then to put every domain under the user.. But at the moment it is too hard to realize...

  • Hi Sascha


    IMHO the problem is that there are several LIMIT sections that have to be merged:
    the ones from root_domain.conf


    <Directory ~/htdocs>
    <Limit RMD RNTO DELE XRMD>
    DenyAll
    </Limit>
    </Directory>
    <Directory ~/htdocs/*>
    <Limit RMD RNTO DELE XRMD>
    AllowAll
    </Limit>
    </Directory>


    and the ones from the alias-or-subdom.conf


    <Directory /var/www/virtual/dom.tld/sub/htdocs>
    <Limit RMD RNTO DELE XRMD>
    DenyAll
    </Limit>
    </Directory>
    <Directory /var/www/virtual/dom.tld/sub/htdocs/*>
    <Limit RMD RNTO DELE XRMD>
    AllowAll
    </Limit>
    </Directory>


    So - for a ftp user which has the original home of the customer as home (/var/www/virtual/dom.tld) everything is ok - for a ftp user which has /var/www/virtual/dom.tld/sub/ as home the directives tell "the same" but with different paths (relative and absolute) - and it seems that there's a problem.
    Maybe this is a problem of proftpd - Maybe we have to ask there and tell the story there...???


    That's why I wrote: without the root_domain.conf there's no problem - but then you need another extra conf file for every main domain, and this may be a problem if you look at the time proftpd loads or when a ftp user logs in....


    UPD: maybe it's sufficient to change the root_domain.conf to something like this:


    <Directory /var/www/virtual/*/htdocs>
    <Limit RMD RNTO DELE XRMD>
    DenyAll
    </Limit>
    </Directory>
    <Directory /var/www/virtual/*/htdocs/*>
    <Limit RMD RNTO DELE XRMD>
    AllowAll
    </Limit>
    </Directory>


    The * in between stands for *one* folder - the dom.tld... so we won't have two directives telling the same... maybe this solves our problem...
    Can someone check? My virtual test machine is gone... need to make a new one...


    /J

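The overlap described in the post above, as an added example (not part of the original thread and not i-MSCP or ProFTPD code): it expands `~` to the FTP user's home and reports every path that both files end up configuring. The sample fragments, the file names and the `parse`/`collisions` helpers are assumptions made for illustration; the script only compares paths and does not model how ProFTPD itself merges or rejects such sections.

```python
import re

# Constructed sample modelled on the root_domain.conf fragment quoted above.
ROOT_DOMAIN_CONF = """\
<Directory ~/htdocs>
  <Limit RMD RNTO DELE XRMD>
    DenyAll
  </Limit>
</Directory>
<Directory ~/htdocs/*>
  <Limit RMD RNTO DELE XRMD>
    AllowAll
  </Limit>
</Directory>
"""
# The per-alias file states the same rules with an absolute path (constructed).
ALIAS_CONF = ROOT_DOMAIN_CONF.replace("~", "/var/www/virtual/dom.tld/sub")

SECTION = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)
LIMIT = re.compile(r"<Limit\s+([^>]+)>\s*(\w+)\s*</Limit>", re.S | re.I)

def parse(source, text):
    """Return (source, directory path, command set, rule) for each <Limit>."""
    entries = []
    for path, body in SECTION.findall(text):
        for cmds, rule in LIMIT.findall(body):
            entries.append((source, path.strip(), frozenset(cmds.split()), rule))
    return entries

def collisions(entries, home):
    """Expand a leading bare ~ to the user's home, group the sections by the
    resulting path and keep the paths configured by more than one file."""
    resolved = {}
    for source, path, _cmds, rule in entries:
        real = home.rstrip("/") + path[1:] if path.startswith("~/") else path
        resolved.setdefault(real, []).append((source, path, rule))
    return {p: hits for p, hits in resolved.items()
            if len({src for src, _, _ in hits}) > 1}

if __name__ == "__main__":
    entries = (parse("root_domain.conf", ROOT_DOMAIN_CONF)
               + parse("alias.conf", ALIAS_CONF))
    for home in ("/var/www/virtual/dom.tld", "/var/www/virtual/dom.tld/sub"):
        hits = collisions(entries, home)
        print(home, "->", sorted(hits) if hits else "no overlap")
```
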


  • Hey Joxi!!!
    Nice idea and i think this is the solution!
    What I have done: I edited the file for a subdomain ftpuser and restarted proftpd.


    Now it is possible to upload files, create folders and delete them all. At the moment i-MSCP creates for every sub, alias and subalias ftpuser a limitation file.
    At the moment we can edit the template to give a solution to the users. But for the future we only need one file for one customer!

  • Hi Joxi..
    Now I've tested your config.
    I changed the root_domain.conf to

    Code
    <Directory /var/www/virtual/*/htdocs>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        DenyAll
      </Limit>
    </Directory>
    <Directory /var/www/virtual/*/htdocs/*>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        AllowAll
      </Limit>
    </Directory>


    After this change you must remove the include in the proftpd.conf:

    Code
    Include /etc/proftpd/imscp/*


    Otherwise proftpd will raise an error

    Code
    Starting ftp server: proftpd - processing configuration directory '/etc/proftpd/imscp' - Fatal: <Directory>: <Directory> section already configured for '/var/www/virtual/*/htdocs' on line 12 of '/etc/proftpd/imscp/dev-domain.tld.test' failed!


    But if I remove this line the subdomain ftpuser is able to delete the htdocs folder!


    Now I've set the root_domain.conf back to:

    Code
    <Directory ~/htdocs>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        DenyAll
      </Limit>
    </Directory>
    <Directory ~/htdocs/*>
      <Limit RMD RNFR DELE XRMD SITE_RMDIR>
        AllowAll
      </Limit>
    </Directory>


    But the line

    Code
    Include /etc/proftpd/imscp/*


    is still removed...
    I can upload, create dirs and so on, and I can delete them all. But I can't delete "htdocs". And I think that's the point.
    I did all this with the subdomain ftpuser.
    After deleting "htdocs" I created it again with this config and I wasn't able to delete it again.
    So the root_domain.conf is all that we need.. Not including the rest.


    Can you test this too?

  • Hi Sascha


    I had some time to have a look at this.


    You say - just leave the root_domain.conf as is and disable the configs in imscp (comment the "Include /etc/proftpd/imscp/*" line...).


    Well - this does work for the htdocs in the ftp users home - but not if a ftp user (with home = domain root) tries to delete the htdocs from a subdomain or domain alias.


    But my solution with /var/www/virtual/*/htdocs/* doesn't seem to work either....


    I think it has to do with the rules if some directives are overlapping... and it's not easy to trace... (would be nice to have a map what limit proftpd sees internally...).


    /J