# ftp can't change root in Jag



## ericmurphy (Aug 27, 2002)

I installed Jaguar last weekend, and everything seems to work okay, except for ftp. When I log in as my normal user account (which is not an admin account), I get the message "550 Can't change root. Login failed."

I use ftpchroot to restrict access to home directories. This happens to accounts that are listed in ftpchroot, unless they're also administrative accounts (which evidently aren't restricted to their home directory - I thought they were before 10.2). Any ideas what's going on?


----------



## Fahrvergnuugen (Aug 27, 2002)

It sounds like the users don't have read access to the directories that they are chrooted to. Just a guess.


----------



## ericmurphy (Aug 27, 2002)

> _Originally posted by Fahrvergnuugen _
> *It sounds like the users don't have read access to the directories that they are chrooted to. Just a guess.*



Nope; these are their home directories. At least, they should be. How do you set where ftpchroot makes the root? Doesn't it default to whatever the account's home directory is?


----------



## ericmurphy (Aug 27, 2002)

Actually, I was wrong about one thing. Anyone who's listed in ftpchroot can't log in properly. I thought the admin accounts were exempt from this problem, but that's just because I changed the names of the admin accounts and didn't update ftpchroot.

So, basically, if you're listed in ftpchroot, you can't log in via ftp under Jaguar. Has anyone else noticed this problem?

It looks like Apple is using a different ftp server under Jaguar than under earlier versions of OS X. Maybe this is the problem?


----------



## wyvern (Aug 27, 2002)

Possibly this has something to do with the fact that xinetd is now used instead of inetd? And yes, I have the same problem.


----------



## ericmurphy (Aug 27, 2002)

I did a Google search that didn't show up anything. The only Apple Knowledgebase article on ftpchroot concerned OS X server. Either Apple isn't aware of the issue, or figures hardly anyone restricts ftp access this way and hasn't bothered to fix the problem.


----------



## Fahrvergnuugen (Aug 27, 2002)

I'm not sure, I use pureftpd [ www.pureftpd.org ], so I changed the xinetd ftp file to point to the pureftpd binary. Everything works great. pureftpd was really simple to set up too [and it allows system independent users, and has all kinds of cool features]. Maybe you guys should just try that?

Let me know if you need help getting it set up.

[edit]bad link[/edit]


----------



## wyvern (Aug 28, 2002)

The correct link is this.
Thanks for the tip, I'll check it out.


----------



## legacyb4 (Sep 7, 2002)

I can report the same problem with using the ftpchroot file...

Hoping for a fix for this; in the meantime, I'm going through and having to clean up all miscellaneous folder/file access permissions...

Cheers.



> _Originally posted by ericmurphy _
> *I installed Jaguar last weekend, and everything seems to work okay, except for ftp. When I log in as my normal user account (which is not an admin account), I get the message "550 Can't change root. Login failed."
> 
> I use ftpchroot to restrict access to home directories. This happens to accounts that are listed in ftpchroot, unless they're also administrative accounts (which evidently aren't restricted to their home directory - I thought they were before 10.2). Any ideas what's going on? *


----------



## theed (Sep 7, 2002)

Yeah, ftp is all sorts of different now. It's using a whole new daemon. The specs on it look great, it'll just take some growing into I guess.

Bandwidth throttling is the feature that gets me all excited.  Can I do it per user?  Ohh ohh ohh I need to play now.


----------



## chocklehot (Sep 7, 2002)

Well.. Have you tried to go see in Netmanager in Utility.. and change root pass????????


----------



## theed (Sep 7, 2002)

chroot changes the root of the filesystem for that ftp user.  Like this:

I want to allow anonymous ftp to my machine, but I want to keep them in their own little folder, and not allowed in my filesystem anywhere.

I'm not sure how to do that right now with 10.2


----------



## Buur (Oct 1, 2002)

> _Originally posted by ericmurphy _
> *So, basically, if you're listed in ftpchroot, you can't log in via ftp under Jaguar. Has anyone else noticed this problem?*


I had the same problem with Proftpd, so it's definitely not a problem with Apple's ftpd. Couldn't figure out what was going wrong until I ran into your message. The mentioning of ftpchroot rang a bell. Users in /etc/ftpchroot must have a valid shell! As mentioned in /etc/shells. Never thought 10.2 installed a new version of that... So, if you're like me, all ftp users have no shell actually. All I had to do was add /dev/null to /etc/shells... Damn, it works again.
This is how it's done (with the example of how mine looks now):

```
%sudo pico /etc/shells

# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/bash
/bin/csh
/bin/sh
/bin/tcsh
/bin/zsh
/sbin/nologin
/dev/null
```

I added the last 2.

Buur


----------



## Buur (Oct 1, 2002)

> _Originally posted by theed _
> *chroot changes the root of the filesystem for that ftp user.  Like this:
> 
> I want to allow anonymous ftp to my machine, but I want to keep them in their own little folder, and not allowed in my filesystem anywhere.
> ...


Just the same as ever before: add all the users you want to have ftp access and who you want to be chrooted to /etc/ftpchroot (in case of a pure anon ftp server just add anonymous and ftp):

```
%sudo pico /etc/ftpchroot

# list of users chrooted for ftp access.
# read by ftpd(8).
ftp
anonymous
```

Control-O, return, Control-X and it's done.
Remember that you still have to add those users to your Netinfo Manager (in users) if you didn't do that already. Set the shell to /dev/null also in there. Remember my earlier msg above about ftp users needing a valid shell (add /dev/null to /etc/shells)

Buur
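
The condition Buur describes in the two posts above (every user listed in /etc/ftpchroot needs a login shell that appears in /etc/shells) can be checked mechanically; this is an added example, not part of the original posts. The function names, status labels and sample accounts are assumptions, and the passwd-style input stands in for a dump of the NetInfo user records.

```shell
#!/bin/sh
# Added example: audit ftpchroot users against the list of acceptable shells.
# Usage: audit_ftpchroot FTPCHROOT_FILE PASSWD_FILE SHELLS_FILE
# Assumption: PASSWD_FILE is passwd(5)-style text with the shell as the last
# colon-separated field (on Jaguar, a dump of the NetInfo user records).
# Prints "<user> <status> <shell>" for every ftpchroot entry.
audit_ftpchroot() {
    awk -F: -v chroot_file="$1" -v passwd_file="$2" -v shells_file="$3" '
        /^[ \t]*#/ { next }                       # skip comment lines
        { gsub(/^[ \t]+|[ \t]+$/, "") }           # trim whitespace
        $0 == "" { next }                         # skip blank lines
        FILENAME == shells_file { listed[$0] = 1; next }
        FILENAME == passwd_file { known[$1] = 1; shell[$1] = $NF; next }
        FILENAME == chroot_file {
            user = $1
            if (!(user in known))           status = "no-account"
            else if (shell[user] == "")     status = "no-shell"
            else if (shell[user] in listed) status = "ok"
            else                            status = "shell-not-listed"
            sh = (status == "no-account" || status == "no-shell") ? "-" : shell[user]
            printf "%s %s %s\n", user, status, sh
        }
    ' "$3" "$2" "$1"
}

# Constructed sample files (hypothetical accounts, not taken from the thread).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# list of users chrooted for ftp access.' \
        ftp anonymous joe ghost > "$d/ftpchroot"
    printf '%s\n' \
        'ftp:*:98:-2::0:0:FTP:/Users/ftp:/dev/null' \
        'anonymous:*:99:-2::0:0:Anonymous:/Users/ftp:/sbin/nologin' \
        'joe:*:501:20::0:0:Joe:/Users/joe:/bin/tcsh' > "$d/passwd"
    # /sbin/nologin has been added to the shells list here, /dev/null has not.
    printf '%s\n' '# List of acceptable shells for chpass(1).' \
        /bin/bash /bin/csh /bin/sh /bin/tcsh /bin/zsh /sbin/nologin > "$d/shells"
    audit_ftpchroot "$d/ftpchroot" "$d/passwd" "$d/shells"
    rm -rf "$d"
}

demo
```

With the sample data, `ftp` is reported as `shell-not-listed` because its shell, /dev/null, is absent from the shells file, and `ghost` as `no-account` because it is listed in ftpchroot without a user record.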


----------



## legacyb4 (Nov 5, 2002)

So what you are saying is that a user listed in ftpchroot (let's call him Joe) must have a shell entry in the Netinfo database that matches one of the entries in /etc/shells?

For example:

Joe

```
[Netinfo]
shell - /bin/tcsh

[/etc/ftpchroot]
joe

[/etc/shells]

# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/bash
/bin/csh
/bin/sh
/bin/tcsh
/bin/zsh

# Added

/sbin/nologin
/dev/null
```

-

If I change his shell entry to /dev/null, that kills Joe's ability to use SSH *and* doesn't seem to fix the ftpchroot problem over here...


Sticking with PureFTPd for now...

Cheers.






> _Originally posted by Buur _
> *Just the same as ever before: add all the users you want to have ftp access and who you want to be chrooted to /etc/ftpchroot (in case of a pure anon ftp server just add anonymous and ftp):
> 
> %sudo pico /etc/ftpchroot
> ...


----------



## kuroyume (Nov 12, 2002)

> _Originally posted by Buur _
> *I had the same problem with Proftpd, so it's definitely not a problem with Apple's ftpd. Couldn't figure out what was going wrong until I ran into your message. The mentioning of ftpchroot rang a bell. Users in /etc/ftpchroot must have a valid shell! As mentioned in /etc/shells. Never thought 10.2 installed a new version of that... So, if you're like me, all ftp users have no shell actually. All I had to do was adding /dev/null to /etc/shells... Damn, it works again.
> This is how it's done (with the example of how mine looks now):
> 
> ...



Added my test user to the ftpchroot (which always responds with a "Can't change root" error when ftp-ing), added /dev/null and /sbin/nologin to etc/shells and set the user's shell to /dev/null in NetInfo Manager.

This did not change anything.  Still getting the same error.  What else needs to be done?

Robert Templeton


----------



## gatorparrots (Nov 12, 2002)

*sigh.*
Please look at one of the other threads on this topic. FTP chroot is badly broken in Jaguar, as Apple switched ftp daemons from ftpd to lukemftpd. Sadly, their documentation does not reflect this change.

If you need chroot functionality, I suggest switching ftp daemons altogether (as I and others have done). Try proftpd or pureftpd. Both have good feature sets and are easy to install in OS X.


----------



## kuroyume (Nov 12, 2002)

> _Originally posted by G. Peretz _
> **sigh.*
> Please look at one of the other threads on this topic. FTP chroot is badly broken in Jaguar, as Apple switched ftp daemons from ftpd to lukemftpd. Sadly, their documentation does not reflect this change.
> 
> If you need chroot functionality, I suggest switching ftp daemons altogether (as I and others have done). Try proftpd or pureftpd. Both have good feature sets and are easy to install in OS X. *



I noticed.  Why did Apple decide to screw us by doing such a stupid thing?  I mean, I checked freshmeat (where lukemftp resides) and he hasn't even logged in there since 8/01.  The last update was 5/01.  What exactly is Apple trying to tell us?

Was hoping not to have to delve deeply into config files, learn the full ins and outs of every nook and cranny of running a simple FTP server (folder-restricted uploads only), get the ftpd running properly without turning my Mac into a big doorstop, etc.

Well, where can I get info on installing, configuring, and running one of these two choices on MacOS 10.2.  The less headaches, the better.

Robert Templeton


----------



## jwalk76 (Nov 13, 2002)

---> What exactly is Apple trying to tell us? 

maybe they're subtly trying to tell you to use ssh and sftp, because these two services are much more secure and provide you with the same functionality as ftp, only a little slower.  i cringe at the thought of using ftp  with an administrative account as previous posts have mentioned...


----------



## gatorparrots (Nov 13, 2002)

proftpd is easily installed with fink.

If you prefer to do it yourself, there are directions here:
http://projectomega.online.fr//cont...=content&tf=O&np=&p=1&PO_php=tuts_howtos3.php

I personally use pureftpd, as I liked its feature set and ease of use, installation, and configuration. It's a pretty basic software compilation in the command line.


----------



## MAbans (Nov 24, 2002)

My biggest problem is, while I do have a basic understanding in unix, at least I like to think so. I like it when it's in layman's terms. Some of the tutorials are just too complex for the entry-mid experienced user to comprehend. Can someone please perhaps write up some good docs for this problem. Like how to install pure FTP or ProFTP for dummies kinda deal?


----------



## gatorparrots (Nov 25, 2002)

Get Fink Commander from versiontracker.com if you want to install ProFTPd the GUI way.

It would be your easiest option.


----------

