Fedora 6 - ProFTPD - Login Incorrect (Error 530)

Discussion in 'HOWTO-Related Questions' started by sxxxydan, Apr 24, 2008.

  1. sxxxydan

    sxxxydan New Member

    I've read through hordes of forums on such a common problem with ProFTP, yet have not been able to find a solid fix.

    The issue: cannot log in to the server via FTP with regular accounts already existing on the system (however, anonymous logins work fine, and I am able to log in via SSH with all existing accounts).

    The server: Fedora 6

    The firewall: External firewall and internal iptables allow for ports 20,21,20000:20005 (passive ports).

    The install: yum install proftpd

    Here is what is included in /etc/pam.d/ftp

    #%PAM-1.0
    auth required pam_unix.so nullok
    account required pam_unix.so
    session required pam_unix.so


    Here is what is included in /etc/pam.d/proftpd - (I added the same 3 lines from ftp to the bottom of this file, tried it with and without the previous top 5 lines)

    #%PAM-1.0
    auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth required pam_stack.so service=system-auth
    auth required pam_shells.so
    account required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth

    auth required pam_unix.so nullok
    account required pam_unix.so
    session required pam_unix.so


    Please help, anything you can suggest would be appreciated.
     
  2. sxxxydan

    sxxxydan New Member

    Just to follow up, the following users are listed in /etc/passwd as:

    (usernames have been hidden for security)

    *****pets:x:501:501::/home/*****pets:/sbin/nologin
    *****fit:x:502:502::/home/*****fit:/sbin/nologin
    *****affiliates:x:503:503::/home/*****affiliates:/sbin/nologin
    *****health:x:504:504::/home/*****health:/sbin/nologin

    No longer are they accessible via SSH as I changed their shells to /nologin.

    Still not able to log in via FTP. The home directories belong to the respective users, and are 755 so that they can be read by others.
     
  3. sxxxydan

    sxxxydan New Member

    Permission Denied

    Have determined from the proftpd.log that permission is being denied to the users' home directories. Was able to log in successfully when changing DefaultRoot to /var/ftp/pub, but when it is set to ~ (it does resolve to the correct folder) it is denied permission.

    I checked all directory permissions and each folder within home belonged to the respective user, and perms were set to 755.

    This is what I am seeing in the proftpd.log

    USER
    USER *****fit: Login successful.
    notice: unable to use '~/' [resolved to '/home/*****fit/']: Permission denied
    Preparing to chroot to directory '~/'
    *****fit chroot("~/"): No such file or directory
    error: unable to set default root directory
    FTP session closed.
     
  4. falko

    falko Super Moderator Howtoforge Staff

    What's the output of
    Code:
    ls -la /home
    ?
    Did you disable SELinux?
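
Added example (not part of the thread and not ProFTPD code): a Python check that walks every directory from a starting point down to a user's home and reports the first one whose owner/group/other mode bits deny traversal to that account. If it finds none while the daemon still logs "Permission denied", the denial comes from a layer other than the mode bits, such as SELinux. The function names are this example's own, and POSIX ACLs are not evaluated.

```python
import os
import pwd
import stat
import sys


def can_search(st, uid, gids):
    """True if the classic mode bits grant uid/gids search (x) on this directory."""
    if uid == 0:
        return True  # root bypasses mode-bit checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)  # owner class applies exclusively
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_dac_blocker(path, uid, gids, start="/"):
    """Walk start -> path; return the first directory uid cannot traverse, else None.

    Only owner/group/other mode bits are evaluated; POSIX ACLs are ignored.
    """
    current = os.path.realpath(start)
    rel = os.path.relpath(os.path.realpath(path), current)
    if rel.split(os.sep)[0] == os.pardir:
        raise ValueError("path is not below start")
    parts = [] if rel == os.curdir else rel.split(os.sep)
    for part in [None] + parts:
        if part is not None:
            current = os.path.join(current, part)
        st = os.stat(current)
        if not stat.S_ISDIR(st.st_mode) or not can_search(st, uid, gids):
            return current
    return None


def diagnose(path, uid, gids, start="/"):
    """One-line verdict: which directory blocks, or that DAC is not the cause."""
    blocker = first_dac_blocker(path, uid, gids, start)
    if blocker is None:
        return "mode bits allow traversal; check another layer such as SELinux"
    mode = stat.S_IMODE(os.stat(blocker).st_mode)
    return "DAC: %s has mode %o" % (blocker, mode)


if __name__ == "__main__" and len(sys.argv) == 2:
    pw = pwd.getpwnam(sys.argv[1])  # account name given on the command line
    groups = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    print(diagnose(pw.pw_dir, pw.pw_uid, groups))
```

Run it as root with the FTP account name as the only argument so that every directory on the path can be stat'ed.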
     
  5. sxxxydan

    sxxxydan New Member

    Disabled SELinux, thanks Falko.

    Honestly did not even think of that. I must have totally overlooked that.

    Now, one last question. This is my scenario:

    This server is an e-commerce website running a MySQL database (localhost access only), Apache 2.2+, PHP5+. SSH2 only access and only from one IP address (defined in iptables and also protected by an external hardware firewall).

    By disabling SELinux, am I severely compromising the overall security and integrity of the server? Should I instead be considering another alternative, such as if I can't run proftpd with SELinux, then maybe not having FTP access at all?

    The server requires 100% PCI compliance. Security is of the utmost concern. Please let me know your honest opinion... do I absolutely need SELinux?
     
  6. sxxxydan

    sxxxydan New Member

    Concerned

    Okay,

    So I've disabled SELinux to enable proftpd to work.

    By disabling SELinux, mysqld was no longer able to write to /tmp/

    I chmod 777 /tmp/ and now mysqld can access it.


    Big concern, as now I've disabled SELinux and chmod 777 /tmp/.

    Any other suggestions?
     
  7. falko

    falko Super Moderator Howtoforge Staff

    777 is ok for /tmp. :)
     
