FTP User writes with root permission

Discussion in 'General' started by plusQ, Oct 24, 2017.

  1. plusQ

    plusQ New Member HowtoForge Supporter

    Hello,
    I created an FTP-User.
    Now I log in with Filezilla and all folders and files that I create get the permission root:root (0 0)

    Is that normal??
     
  2. adamjedgar

    adamjedgar Member

    So your ftp user is root or just has root privileges?

    I thought Root login is supposed to be part of the "denied ftp users list", however have you created a root user with a different name?

    The solution I imagine is you need to change your user's group to an admin group and check/reset its privileges to ensure they are not so high.

    Off the top of my head I don't remember the procedure, but a bit of googling will sort it. (I'm on my phone in bed right now, sorry, can't provide more info at this time.)
     
    Last edited: Oct 24, 2017
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Where did you create that FTP user?

    An FTP user created in ISPConfig is never root and as @adamjedgar mentioned, you can not even create a root FTP user manually without removing the root user from the denied usernames first.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    And maybe you mix up FTP and SFTP. SFTP is not FTP, it is SSH, and you can log in as root user by SSH, so it is possible to create folders as root user with an FTP client that connects by SSH / SFTP by default, but not with a client that connects with FTP or FTPS.
     
  5. plusQ

    plusQ New Member HowtoForge Supporter

    My old server with Debian 8 crashed because the system hard drive was full. After deleting some things I had 50% space left again. But Postfix doesn't work anymore and I didn't get it to work again.
    So I installed a new server with Debian 9.

    I used your tutorial with Debian 9. Then I copied the ISPC Database, all websites, and the rest database to the new server.

    After a resync in ISPConfig... it seems all working.

    I didn't change other things as in the tutorial

    Where can I find this?

    I created a new user in FTP in ISPC.

    It is. Every user I create gives the UIDs=0 and GIDs=0.

    The user can not go out of the customer's web folder, but in it... it's root.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you are talking about an installation that you migrated manually from a broken system? Because it's not enough to copy just the ispconfig db and websites over when you migrate a system manually. At least you have to copy the web users and client groups from /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow as well, otherwise websites might get different uid's on the new system which may corrupt the permissions of websites and may lead to unpredictable results in the permission system.

    Please take a look into the ispconfig mysql database (dbispconfig), there you can find the ftp users in the ftp_user table. Which values does the affected ftp user have in the uid and gid field there?
     
  7. plusQ

    plusQ New Member HowtoForge Supporter

    I thought that I have to copy these files, too, but after the resync... ISPC created them...

    I just picked some users to control, but it seems that the resync did it well.

    In ISPC:
    My first Systemuser has the UID=1 and Groups 2,5,4
    My Client has the UID=143 and Groups 18

    In the Database, table "ftp_user"
    Code:
    ftp_user_id: 188
    sys_userid: 1
    sys_groupid: 18
    
    Every new FTP User I create, gets "sys_userid: 1"

    this is the customer in /etc/passwd
    Code:
    web152:x:10152:10152::/var/www/clients/client143/web152:/bin/false
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Not the files, the users in the files. Copying the files would break the Linux system.

    That's right, as a last resort when essential config is missing, ispconfig will recreate users with the same names (but not necessarily the same uid's, as this information is stored in the password file only and not the ISPConfig database). So the users may have different UID's now, so that they do not match the files that you copied.

    If they are correct, then it's ok.

    That's not what I'm talking about. These are internal ISPConfig ID's and not related to the file system permissions. The relevant fields are uid and gid.

    That's fine and as it has to be and this ID is not related to FTP user permissions in any way.
     
  9. plusQ

    plusQ New Member HowtoForge Supporter

    So you mean this??
    Code:
    id web152

    This is an SQL Dump of FTP_USER:

     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, this FTP user is Linux user web152 and group client143 when you log in with that user through FTP.
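
The check discussed in posts 6 to 10, as an added example (not code from the thread or from ISPConfig): it takes the uid and gid values of each ftp_user row and reports any that do not resolve to an account on the new host or that resolve to 0. The passwd/group contents (apart from the web152 line quoted above), the FTP login names and the client143 gid are constructed sample data; on a live system the rows would come from the ftp_user table and the text from /etc/passwd and /etc/group.

```python
# Added example: cross-check ftp_user uid/gid values against local accounts.
# All sample data below is constructed for illustration.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
web152:x:10152:10152::/var/www/clients/client143/web152:/bin/false
"""
GROUP = """\
root:x:0:
client143:x:10143:
"""
# (username, uid, gid) rows as exported from dbispconfig.ftp_user;
# the FTP login names are hypothetical.
FTP_ROWS = [
    ("c143_ok", "web152", "client143"),
    ("c143_stale", "web153", "client143"),
    ("c143_root", "root", "root"),
]

def parse_ids(text):
    """Map name -> numeric id from passwd- or group-format text."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids

def resolve(value, ids):
    """Numeric id for a name or a numeric string; None if unknown."""
    return int(value) if value.isdigit() else ids.get(value)

def audit(rows, passwd_text, group_text):
    """Return (ftp_user, field, value, problem) for every suspicious row."""
    tables = {"uid": parse_ids(passwd_text), "gid": parse_ids(group_text)}
    findings = []
    for username, uid, gid in rows:
        for field, value in (("uid", uid), ("gid", gid)):
            num = resolve(value, tables[field])
            if num is None:
                findings.append((username, field, value, "not found on this host"))
            elif num == 0:
                findings.append((username, field, value, "resolves to 0 (root)"))
    return findings

if __name__ == "__main__":
    for finding in audit(FTP_ROWS, PASSWD, GROUP):
        print(*finding, sep="\t")
```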
     
  11. plusQ

    plusQ New Member HowtoForge Supporter

    But when I log in to control with SSH, the folder /var/www/clients/client143/web152 shows the folder and file permissions are root:root after I created a new folder/file with the FTP user.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The folder /var/www/clients/client143/web152 must be owned by root and you can not create any files or folders directly in /var/www/clients/client143/web152 as this folder should be locked with the immutable attribute, so not even root can create a file or folder there without removing the attribute on the shell first. Files and folders can be created only in the web and private and temp folder of the site by an FTP or SSH user of the website.
     
  13. plusQ

    plusQ New Member HowtoForge Supporter

    Yes, sorry, I did create it in /web/ - I forgot
     
  14. adamjedgar

    adamjedgar Member

    @plusQ... I think denied users is in /sbin/nologin

    Before performing the following command, I haven't a clue what administrative users you have on your system... i.e. whether you have a sudoer if root is denied login access. So don't perform the following without that knowledge, as I am not sure if you would get locked out of your system administrator account or not if a sudoer doesn't exist???

    I am no expert but I think the following might be a way of ensuring root cannot log in...
    # usermod -s /sbin/nologin user (in your case you would change "user" to root)

    To allow user to login...
    # usermod -s /bin/bash user (bob, phil, john, etc etc)
     
    Last edited: Oct 26, 2017
