• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved System user has access to server root using FTP

Bjorn

Bjorn

Basic Pleskian
Hi,

We have several system users that are added through CLI adduser [username]. I know this is wrong, nevermind how and why.

Everything works except with FTP the users are able to traverse up the dir tree to the server root...

When I create a new subscription everything is fine.
When I add an additional FTP user in the same domain all is ok.

What I've done/checked so far:
- I tried several plesk repair utilities, all return OK.
- Update system user in Plesk panel -> domain -> Web Hosting Access (change username)
- checked /etc/passwd / home dir is ok and /bin/false is set.
- checked DB psa -> sys_users: home value is correct
- xinetd.service restart
- Checked /etc/proftpd.conf, default group:
<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>

Something to note.
- When I use the problem system user in FileZilla, I do arrive in the correct vhosts dir, but I'm still able to go up the tree. The Remote site value is: /var/www/vhosts/domain.com, this should be / and arrive in vhosts/domain dir.
- When I use the problem system user in Atom (code editor) FTP add-on, I arrive in the server root.

I'm guessing there's a config issue for these system users somewhere?
Can I repair or update the system user to fix this, or what config should I check?

Thanks!
 
Do you have the following directive in /etc/proftpd.conf:
Code: 
DefaultRoot     ~               psacln
?

BTW, you only arrive to the correct vhost directory in FileZilla because of the Default Remote Directory setting, but that's the client side setting in the FileZilla itself and can be set to anything. This has no relevance...
 
Last edited:
Hi Ales,

No I don't see that directive.

Note: Most (existing) users work just fine, only a few users that are added through adduser have this problem.

My proftpd.conf file:

Code: 
# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd
AuthGroupFile   /etc/group

IdentLookups off

<IfModule mod_tls.c>
        # common settings for all virtual hosts
        TLSEngine on
        TLSRequired off

        TLSLog /var/log/plesk/ftp_tls.log

        TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
        TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

        # Authenticate clients that want to use FTP over TLS?
        TLSVerifyClient off

        # Allow SSL/TLS renegotiations when the client requests them, but
        # do not force the renegotations.  Some clients do not support
        # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
        # clients will close the data connection, or there will be a timeout
        # on an idle data connection.
        TLSRenegotiate none

        # As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
        # that reuse the SSL session of the control connection, as a security measure.
        # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
        TLSOptions NoSessionReuseRequired
</IfModule>
</Global>

# Port 21 is the standard FTP port.
Port                            21
# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd.scoreboard

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
        GroupOwner      psacln
</Directory>

UseReverseDNS off

Include /etc/proftpd.d/*.conf
 
Sure:

ssl.conf
Code: 
<IfModule mod_tls.c>
    TLSCipherSuite HIGH:!aNULL:!MD5
    TLSProtocol TLSv1 TLSv1.1 TLSv1.2
</IfModule>

50-plesk.conf
Code: 
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

# Global section
<Global>
<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired off
</IfModule>
</Global>

passive_ports.conf
Code: 
PassivePorts 49152 65535
 
The first part of the /etc/proftpd.conf seems to be missing on your server, compare:
Code: 
#
# To have more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD"
#ServerType                     standalone
ServerType                      inetd
DefaultServer                   on

<Global>
DefaultRoot     ~               psacln
AllowOverwrite          on

# Prefer to put here directives allowed in server config and Global contexts.
# From http://www.proftpd.org/docs/howto/Vhost.html :
# "any configuration directives inside the "server config" section do not apply outside of the context."

DefaultTransferMode     binary
UseFtpUsers                     on

TimesGMT                        off
SetEnv TZ :/etc/localtime
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# Primary log file mest be outside of system logrotate province.
TransferLog /var/log/plesk/xferlog

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd
AuthGroupFile   /etc/group

IdentLookups off

<IfModule mod_tls.c>
        # common settings for all virtual hosts
        TLSEngine on
        TLSRequired off

        TLSLog /var/log/plesk/ftp_tls.log

        TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
        TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

        # Authenticate clients that want to use FTP over TLS?
        TLSVerifyClient off

        # Allow SSL/TLS renegotiations when the client requests them, but
        # do not force the renegotations.  Some clients do not support
        # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
        # clients will close the data connection, or there will be a timeout
        # on an idle data connection.
        TLSRenegotiate none

        # As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
        # that reuse the SSL session of the control connection, as a security measure.
        # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
        TLSOptions NoSessionReuseRequired
</IfModule>
</Global>

# Port 21 is the standard FTP port.
Port                            21
# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd.scoreboard

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
        GroupOwner      psacln
</Directory>

UseReverseDNS off

Include /etc/proftpd.d/*.conf

Other configuration files in /etc/proftpd.d seem ok.

Do you have:
Code: 
[user@server]# cat /etc/ftpchroot
@psacln
?

I would also check if these problematic users belong to the group psacln only, and not to any additional groups.
 
Aaargh sorry, yes our /etc/proftpd.conf files are identical.

cat /etc/ftpchroot returns @psacln

And OMG the users belong to the wrong group. I thought I checked that damn...

Check:
Code: 
[user@server]# groups username
username : username

Fix:
Code: 
usermod -g psacln username

All is ok now, so simple :p

Thanks Ales!
 
Last edited:
You must log in or register to reply here.

Similar threads

Gh()st
Issue Remote Storage FTP(S) Issue
Replies
1
Views
842
paulrm
P
Hangover2
Forwarded to devs Disabled PHP "Hosting performance settings management" can be bypassed by using .user.ini or ini_set()
Replies
5
Views
943
Kaspar@Plesk
Kaspar@Plesk
P
Issue Restoring backup on a new server fails always
Replies
2
Views
509
Kaspar@Plesk
Kaspar@Plesk
R
Issue Plesk repair -all error
Replies
4
Views
2K
MARS_NETWORKS
M
U
Issue DRWeb logging to root console
Replies
5
Views
507
uniauto
U
Back
Top