ftp can't change root in Jag

ericmurphy

I installed Jaguar last weekend, and everything seems to work okay, except for ftp. When I log in as my normal user account (which is not an admin account), I get the message "550 Can't change root. Login failed."

I use ftpchroot to restrict access to home directories. This happens to accounts that are listed in ftpchroot, unless they're also administrative accounts (which evidently aren't restricted to their home directory - I thought they were before 10.2). Any ideas what's going on?
 
Originally posted by Fahrvergnuugen
It sounds like the users don't have read access to the directories that they are chrooted to. Just a guess.

Nope; these are their home directories. At least, they should be. How do you set where ftpchroot makes the root? Doesn't it default to whatever the account's home directory is?
 
Actually, I was wrong about one thing. Anyone who's listed in ftpchroot can't log in properly. I thought the admin accounts were exempt from this problem, but that's just because I changed the names of the admin accounts and didn't update ftpchroot.

So, basically, if you're listed in ftpchroot, you can't log in via ftp under Jaguar. Has anyone else noticed this problem?

It looks like Apple is using a different ftp server under Jaguar than under earlier versions of OS X. Maybe this is the problem?
 
Possibly this has something to do with the fact that xinetd is now used instead of inetd? And yes, I have the same problem.
 
I did a Google search that didn't show up anything. The only Apple Knowledge Base article on ftpchroot concerned OS X server. Either Apple isn't aware of the issue, or figures hardly anyone restricts ftp access this way and hasn't bothered to fix the problem.
 
I'm not sure, I use pureftpd [ www.pureftpd.org ], so I changed the xinetd ftp file to point to the pureftpd binary. Everything works great. pureftpd was really simple to set up too [and it allows system independent users, and has all kinds of cool features]. Maybe you guys should just try that?

Let me know if you need help getting it set up.

[edit]bad link[/edit]
 
I can report the same problem with using the ftpchroot file...

Hoping for a fix for this; in the meantime, I'm going through and having to clean up all miscellaneous folder/file access permissions...

Cheers.

Originally posted by ericmurphy
I installed Jaguar last weekend, and everything seems to work okay, except for ftp. When I log in as my normal user account (which is not an admin account), I get the message "550 Can't change root. Login failed."

I use ftpchroot to restrict access to home directories. This happens to accounts that are listed in ftpchroot, unless they're also administrative accounts (which evidently aren't restricted to their home directory - I thought they were before 10.2). Any ideas what's going on?
 
Yeah, ftp is all sorts of different now. It's using a whole new daemon. The specs on it look great, it'll just take some growing into I guess.

Bandwidth throttling is the feature that gets me all excited. Can I do it per user? Ohh ohh ohh I need to play now.
 
chroot changes the root of the filesystem for that ftp user. Like this:

I want to allow anonymous ftp to my machine, but I want to keep them in their own little folder, and not allowed in my filesystem anywhere.

I'm not sure how to do that right now with 10.2
 
Originally posted by ericmurphy
So, basically, if you're listed in ftpchroot, you can't log in via ftp under Jaguar. Has anyone else noticed this problem?
I had the same problem with Proftpd, so it's definitely not a problem with Apple's ftpd. Couldn't figure out what was going wrong until I ran into your message. The mentioning of ftpchroot rang a bell. Users in /etc/ftpchroot must have a valid shell! As mentioned in /etc/shells. Never thought 10.2 installed a new version of that... So, if you're like me, all ftp users have no shell actually. All I had to do was add /dev/null to /etc/shells... Damn, it works again. ;)
This is how it's done (with the example of how mine looks now):

%sudo pico /etc/shells

# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/bash
/bin/csh
/bin/sh
/bin/tcsh
/bin/zsh
/sbin/nologin
/dev/null

I added the last 2.

Buur
 
Originally posted by theed
chroot changes the root of the filesystem for that ftp user. Like this:

I want to allow anonymous ftp to my machine, but I want to keep them in their own little folder, and not allowed in my filesystem anywhere.

I'm not sure how to do that right now with 10.2
Just the same as ever before: add all the users you want to have ftp access and who you want to be chrooted to /etc/ftpchroot (in case of a pure anon ftp server just add anonymous and ftp):

%sudo pico /etc/ftpchroot

# list of users chrooted for ftp access.
# read by ftpd(8).
ftp
anonymous

Control-O, return, Control-X and it's done.
Remember that you still have to add those users to your Netinfo Manager (in users) if you didn't do that already. Set the shell to /dev/null also in there. Remember my earlier msg above about ftp users needing a valid shell (add /dev/null to /etc/shells)

Buur
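The check described in the post above (every user in /etc/ftpchroot needs an account whose shell is listed in /etc/shells), as an added example that is not part of the original thread. It assumes the account data is available as passwd-format lines (on 10.2 that would be an export from NetInfo, for instance with `nidump passwd .`); the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ftpchroot users against the list of acceptable shells.
# All three inputs are file paths, so the check can be run on copies.

# Print the non-comment, non-blank lines of an ftpchroot- or shells-style file.
entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# audit_ftpchroot FTPCHROOT SHELLS PASSWD
# Prints one line per problem user:
#   "<user> no-account"               user is chrooted but has no account record
#   "<user> shell-not-listed <shell>" account shell is absent from SHELLS
audit_ftpchroot() {
    entries "$1" | while read -r user; do
        # The last passwd field is the login shell; "!" marks a missing account.
        shell=$(awk -F: -v u="$user" '$1 == u { print $NF; f = 1; exit }
                                      END { if (!f) print "!" }' "$3")
        if [ "$shell" = "!" ]; then
            echo "$user no-account"
        elif ! entries "$2" | grep -Fxq -- "$shell"; then
            echo "$user shell-not-listed ${shell:-<empty>}"
        fi
    done
}

# Constructed sample data (not taken from any machine in the thread).
demo=$(mktemp -d)
printf '%s\n' '# list of users chrooted for ftp access.' \
              joe ftpuser ghost > "$demo/ftpchroot"
printf '%s\n' '# List of acceptable shells for chpass(1).' \
              /bin/sh /bin/tcsh /sbin/nologin > "$demo/shells"
printf '%s\n' 'joe:*:501:20:Joe:/Users/joe:/bin/tcsh' \
              'ftpuser:*:502:20:FTP only:/Users/ftpuser:/dev/null' > "$demo/passwd"

audit_ftpchroot "$demo/ftpchroot" "$demo/shells" "$demo/passwd"
```

An empty result means every chrooted user passes this particular check; it says nothing about other reasons the daemon may refuse the chroot.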
 
So what you are saying is that a user listed in ftpchroot (let's call him Joe) must have a shell entry in the Netinfo database that matches one of the entries in /etc/shells?

For example:

Joe

[Netinfo]
shell - /bin/tcsh

[/etc/ftpchroot]
joe

[/etc/shells]

# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/bash
/bin/csh
/bin/sh
/bin/tcsh
/bin/zsh

# Added

/sbin/nologin
/dev/null

-

If I change his shell entry to /dev/null, that kills Joe's ability to use SSH *and* doesn't seem to fix the ftpchroot problem over here...


Sticking with PureFTPd for now...

Cheers.




Originally posted by Buur
Just the same as ever before: add all the users you want to have ftp access and who you want to be chrooted to /etc/ftpchroot (in case of a pure anon ftp server just add anonymous and ftp):

%sudo pico /etc/ftpchroot

# list of users chrooted for ftp access.
# read by ftpd(8).
ftp
anonymous

Control-O, return, Control-X and it's done.
Remember that you still have to add those users to your Netinfo Manager (in users) if you didn't do that already. Set the shell to /dev/null also in there. Remember my earlier msg above about ftp users needing a valid shell (add /dev/null to /etc/shells)

Buur
 
Originally posted by Buur
I had the same problem with Proftpd, so it's definitely not a problem with Apple's ftpd. Couldn't figure out what was going wrong until I ran into your message. The mentioning of ftpchroot rang a bell. Users in /etc/ftpchroot must have a valid shell! As mentioned in /etc/shells. Never thought 10.2 installed a new version of that... So, if you're like me, all ftp users have no shell actually. All I had to do was add /dev/null to /etc/shells... Damn, it works again. ;)
This is how it's done (with the example of how mine looks now):

%sudo pico /etc/shells

# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/bash
/bin/csh
/bin/sh
/bin/tcsh
/bin/zsh
/sbin/nologin
/dev/null

I added the last 2.

Buur

Added my test user to the ftpchroot (which always responds with a "Can't change root" error when ftp-ing), added /dev/null and /sbin/nologin to /etc/shells and set the user's shell to /dev/null in NetInfo Manager.

This did not change anything. Still getting the same error. What else needs to be done?

Robert Templeton
 
*sigh.*
Please look at one of the other threads on this topic. FTP chroot is badly broken in Jaguar, as Apple switched ftp daemons from ftpd to lukemftpd. Sadly, their documentation does not reflect this change.

If you need chroot functionality, I suggest switching ftp daemons altogether (as I and others have done). Try proftpd or pureftpd. Both have good feature sets and are easy to install in OS X.
 
Originally posted by G. Peretz
*sigh.*
Please look at one of the other threads on this topic. FTP chroot is badly broken in Jaguar, as Apple switched ftp daemons from ftpd to lukemftpd. Sadly, their documentation does not reflect this change.

If you need chroot functionality, I suggest switching ftp daemons altogether (as I and others have done). Try proftpd or pureftpd. Both have good feature sets and are easy to install in OS X.

I noticed. Why did Apple decide to screw us by doing such a stupid thing? I mean, I checked freshmeat (where lukemftp resides) and he hasn't even logged in there since 8/01. The last update was 5/01. What exactly is Apple trying to tell us?

Was hoping not to have to delve deeply into config files, learn the full ins and outs of every nook and cranny of running a simple FTP server (folder-restricted uploads only), get the ftpd running properly without turning my Mac into a big doorstop, etc.

Well, where can I get info on installing, configuring, and running one of these two choices on MacOS 10.2? The fewer headaches, the better.

Robert Templeton
 
---> What exactly is Apple trying to tell us?

Maybe they're subtly trying to tell you to use ssh and sftp, because these two services are much more secure and provide you with the same functionality as ftp, only a little slower. I cringe at the thought of using ftp with an administrative account as previous posts have mentioned...
 