Web-FTP Directory Protection

I have tried protecting a directory (here images_layout2) using Web-FTP.

Web-FTP says: FTP: Failed to write /web/images_layout2/.htpasswd

However .htpasswd exists afterwards, but is empty:

Code:

-rw-r--r--  1 webXX_admin webXX    0 Mar 21 18:18 .htpasswd

Any ideas?

PS. Is the problem with using Web-FTP on large accounts solved already somehow?

 

I am not very sure if that is the problem about what's going on here...
I guess it's a proftp issue. (v1.2.10 with Debian Sarge)
I am also sometimes having trouble using mod_tls which produces errors on binary mode data connections in ssl mode *only*. Well this is off-topic, but anyway when I try to create this directory protection, proftp debug mode says the following.
I have now completely disabled SSL (and I am also convinced ISPConfig did not use FTP over SSL to connect) but still there are errors.

Code:

localhost.localdomain (127.0.0.1[127.0.0.1]) - USER webxx_admin: Login successful.
localhost.localdomain (127.0.0.1[127.0.0.1]) - opening TransferLog '/var/log/xferlog'
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwnam" to module mod_radius
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwnam" to module mod_auth_file
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwnam" to module mod_auth_unix
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setpwent" to module mod_radius
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setpwent" to module mod_auth_file
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setpwent" to module mod_auth_unix
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setgrent" to module mod_radius
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setgrent" to module mod_auth_file
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "setgrent" to module mod_auth_unix
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwent" to module mod_radius
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwent" to module mod_auth_file
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getpwent" to module mod_auth_unix
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getgrent" to module mod_radius
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getgrent" to module mod_auth_file
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching auth request "getgrent" to module mod_auth_unix
localhost.localdomain (127.0.0.1[127.0.0.1]) - Preparing to chroot() the environment, path = '/local/home/www/webxx'
localhost.localdomain (127.0.0.1[127.0.0.1]) - Environment successfully chroot()ed.
localhost.localdomain (127.0.0.1[127.0.0.1]) - in dir_check_full(): path = '/', fullpath = '/local/home/www/webxx/'.
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_cap
localhost.localdomain (127.0.0.1[127.0.0.1]) - mod_cap/1.0: capabilities '= cap_net_bind_service+ep'
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ifsession
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_readme
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_delay
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_radius
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_tls
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ratio
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_quotatab
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_log
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ls
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD command 'PASS (hidden)' to mod_auth
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_log
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_ratio
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'TYPE I' to mod_rewrite
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'TYPE I' to mod_tls
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'TYPE I' to mod_core
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'TYPE I' to mod_core
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching CMD command 'TYPE I' to mod_xfer
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD command 'TYPE I' to mod_log
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'PORT 127,0,0,1,178,103' to mod_rewrite
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'PORT 127,0,0,1,178,103' to mod_tls
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'PORT 127,0,0,1,178,103' to mod_core
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'PORT 127,0,0,1,178,103' to mod_core
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching CMD command 'PORT 127,0,0,1,178,103' to mod_core
localhost.localdomain (127.0.0.1[127.0.0.1]) - in dir_check_full(): path = '/', fullpath = '/local/home/www/webxx/'.
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD command 'PORT 127,0,0,1,178,103' to mod_log
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_rewrite
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_tls
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_core
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_core
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_ratio
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_quotatab
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching PRE_CMD command 'STOR /web/images_layout2/.htpasswd' to mod_xfer
localhost.localdomain (127.0.0.1[127.0.0.1]) - in dir_check_full(): path = '/web/images_layout2/.htpasswd', fullpath = '/local/home/www/webxx/web/images_layout2/.htpasswd'.
localhost.localdomain (127.0.0.1[127.0.0.1]) - in dir_check_full(): setting umask to 0022 (was 0022)
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching CMD command 'STOR /web/images_layout2/.htpasswd' to mod_xfer
localhost.localdomain (127.0.0.1[127.0.0.1]) - active data connection opened - local  : 127.0.0.1:20
localhost.localdomain (127.0.0.1[127.0.0.1]) - active data connection opened - remote : 127.0.0.1:45671
==> localhost.localdomain (127.0.0.1[127.0.0.1]) - Transfer aborted after 17 bytes in 0.00 seconds
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD_ERR command 'STOR /web/images_layout2/.htpasswd' to mod_radius
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching POST_CMD_ERR command 'STOR /web/images_layout2/.htpasswd' to mod_quotatab
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD_ERR command 'STOR /web/images_layout2/.htpasswd' to mod_log
localhost.localdomain (127.0.0.1[127.0.0.1]) - dispatching LOG_CMD_ERR command 'STOR /web/images_layout2/.htpasswd' to mod_xfer

I guess upgrading to etch (really soon now) with an updated proftp might just fix it

Also, why do you actually use FTP in the background? It's cool to call it "WebFTP" but since ISPConfig is not designed for multiple physical machines, just accessing files locally would be enough, wouldn't it?

Regards,
Marc

 

What's in your /etc/proftpd.conf?

You need to access the files with the correct user due to ownerships and permissions, that's why we use FTP. The ISPConfig web server runs under the user admispconfig, so if we tried to access files locally, this would happen as admispconfig and will lead to permission problems.

 

Code:

ServerName                      "blah"
ServerType                      standalone
DeferWelcome                    off

MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
ListOptions                     "-l"

DenyFilter                      \*.*/

Port                            21

MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            nobody
Group                           nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                           022  022
# Normally, we want files to be overwriteable.
AllowOverwrite                  on

DelayEngine                     off

DefaultRoot ~

IdentLookups            off
UseReverseDNS           off
TransferLog             /var/log/xferlog

<IfModule mod_tls.c>
      TLSEngine on
      TLSLog /var/log/proftpd/proftpd_tls.log
      TLSRequired off
      TLSVerifyClient off
      TLSRSACertificateFile /etc/ftpcert/host.cert
      TLSRSACertificateKeyFile /etc/ftpcert/host.key
      TLSProtocol TLSv1 # only needed in main config
</IfModule>

Include /etc/proftpd_ispconfig.conf # this file now follows:

DefaultAddress 127.0.0.1
<VirtualHost 88.198.xxx>
        DefaultRoot             ~
        AllowOverwrite          on
        Umask                   002
</VirtualHost>
<VirtualHost 88.198.xxx>
        DefaultRoot             ~
        AllowOverwrite          on
        Umask                   002
        <Anonymous /local/home/www/webx/ftp>
          User                          webx_anonftp
          Group                         webx_anonftp
          UserAlias                     anonymous webx_anonftp
          UserAlias                     guest webx_anonftp
          MaxClients                    10
          <Directory *>
            <Limit WRITE>
              DenyAll
            </Limit>
          </Directory>
          <Directory /local/home/www/webx/ftp/incoming>
            Umask                       002
            <Limit STOR>
              AllowAll
            </Limit>
            <Limit READ>
              DenyAll
            </Limit>
          </Directory>
        </Anonymous>
</VirtualHost>
<VirtualHost 88.198.xxx>
        DefaultRoot             ~
        AllowOverwrite          on
        Umask                   002
</VirtualHost>
<VirtualHost 88.198.xxx>
        DefaultRoot             ~
        AllowOverwrite          on
        Umask                   002
</VirtualHost>
<VirtualHost 88.198.xxx>
        DefaultRoot             ~
        AllowOverwrite          on
        Umask                   002
</VirtualHost>
<VirtualHost 88.198.xxx>
        DefaultRoot             ~
        AllowOverwrite          on
        Umask                   002
</VirtualHost>

I have also started a thread in the proftp forums as this might be a proftp issue...
http://forums.proftpd.org/smf/index.php?topic=2809.0

 

Have you tried to remove

Code:

<IfModule mod_tls.c>
      TLSEngine on
      TLSLog /var/log/proftpd/proftpd_tls.log
      TLSRequired off
      TLSVerifyClient off
      TLSRSACertificateFile /etc/ftpcert/host.cert
      TLSRSACertificateKeyFile /etc/ftpcert/host.key
      TLSProtocol TLSv1 # only needed in main config
</IfModule>

from the configuration?

 

Yeah I tried that one too already. Without success.