Hello,
I have ProFTPD 1.2.9 running on a RedHat Fedora (Yarrow1 - vanilla kernel 2.6.4, self-compiled) - or not, as the case may be. The problem is as follows: user authentication via PAM works correctly; on login I have all the rights that the user also has on the machine. The problem arises with user identification via MySQL. As soon as I explicitly exclude PAM authentication in the .conf, the login is carried out correctly using the data from the table, but somehow the user, or rather his UID, is not taken over correctly - in any case, for operations in the home directory of the logged-in user it acts with world permissions and so of course has no write access at all.
Here is the proftpd.conf:
ServerName "ProFTPD xion.lx"
ServerType standalone
DefaultServer on
Port 21
Umask 022
MaxInstances 30
User daniel
Group server
DefaultRoot ~
<Directory />
AllowOverwrite on
</Directory>
<Anonymous /srv/anonymousftp>
AnonRequirePassword off
User aftp
Group aftp
UserAlias anonymous aftp
MaxClients 10
DisplayLogin /prog/proftpd/var/login.msg
DisplayFirstChdir /prog/proftpd/var/firstchdir.msg
<Limit WRITE>
AllowAll
</Limit>
</Anonymous>
AccessDenyMsg "xion: Zugang verweigert."
AccessGrantMsg "xion: Zugang gewaehrt fuer %u."
DisplayLogin /prog/proftpd/var/login.msg
PidFile /prog/proftpd/var/xion.pid
RequireValidShell off
RootLogin off
#AuthOrder mod_sql.c mod_sql_mysql.c
AuthPAM off
#SQL section
SQLAuthTypes Crypt Plaintext Empty
SQLAuthenticate users*
SQLConnectInfo proftpd@localhost:3306 daniel qfcutaey
SQLUserInfo users userid passwd uid gid homedir shell
SQLNegativeCache off
SQLAuthenticate on
SQLLogFile /prog/proftpd/var/sql.log
ServerIdent on "Willkommen auf xion.lx FTP-Service"
SystemLog /prog/proftpd/var/xion.log
The SQL log shows something interesting:
Mar 20 21:09:47 mod_sql/4.10[1453]: backend module 'mod_sql_mysql/4.04'
Mar 20 21:09:47 mod_sql/4.10[1453]: backend api 'mod_sql_api_v1'
Mar 20 21:09:47 mod_sql/4.10[1453]: >>> sql_getconf
Mar 20 21:09:47 mod_sql/4.10[1453]: entering mysql cmd_defineconnection
Mar 20 21:09:47 mod_sql/4.10[1453]: name: 'default'
Mar 20 21:09:47 mod_sql/4.10[1453]: user: 'daniel'
Mar 20 21:09:47 mod_sql/4.10[1453]: host: 'localhost'
Mar 20 21:09:47 mod_sql/4.10[1453]: db: 'proftpd'
Mar 20 21:09:47 mod_sql/4.10[1453]: port: '3306'
Mar 20 21:09:47 mod_sql/4.10[1453]: ttl: '0'
Mar 20 21:09:47 mod_sql/4.10[1453]: exiting mysql cmd_defineconnection
Mar 20 21:09:47 mod_sql/4.10[1453]: entering mysql cmd_open
Mar 20 21:09:47 mod_sql/4.10[1453]: connection 'default' opened
Mar 20 21:09:47 mod_sql/4.10[1453]: connection 'default' count is now 1
Mar 20 21:09:47 mod_sql/4.10[1453]: exiting mysql cmd_open
Mar 20 21:09:47 mod_sql/4.10[1453]: backend successfully connected.
Mar 20 21:09:47 mod_sql/4.10[1453]: mod_sql status : on
Mar 20 21:09:47 mod_sql/4.10[1453]: negative_cache : off
Mar 20 21:09:47 mod_sql/4.10[1453]: authenticate : users*
Mar 20 21:09:47 mod_sql/4.10[1453]: usertable : users
Mar 20 21:09:47 mod_sql/4.10[1453]: userid field : userid
Mar 20 21:09:47 mod_sql/4.10[1453]: password field : passwd
Mar 20 21:09:47 mod_sql/4.10[1453]: uid field : uid
Mar 20 21:09:47 mod_sql/4.10[1453]: gid field : gid
Mar 20 21:09:47 mod_sql/4.10[1453]: homedir field : homedir
Mar 20 21:09:47 mod_sql/4.10[1453]: shell field : shell
Mar 20 21:09:47 mod_sql/4.10[1453]: homedirondemand : false
Mar 20 21:09:47 mod_sql/4.10[1453]: SQLMinUserUID : 999
Mar 20 21:09:47 mod_sql/4.10[1453]: SQLMinUserGID : 999
Mar 20 21:09:47 mod_sql/4.10[1453]: <<< sql_getconf
Mar 20 21:09:47 mod_sql/4.10[1453]: >>> cmd_getpwnam
Mar 20 21:09:47 mod_sql/4.10[1453]: entering mysql cmd_escapestring
Mar 20 21:09:47 mod_sql/4.10[1453]: exiting mysql cmd_escapestring
Mar 20 21:09:47 mod_sql/4.10[1453]: cache miss for user 'daniel'
Mar 20 21:09:47 mod_sql/4.10[1453]: : entering mysql cmd_select
Mar 20 21:09:47 mod_sql/4.10[1453]: entering mysql cmd_open
Mar 20 21:09:47 mod_sql/4.10[1453]: connection 'default' count is now 2
Mar 20 21:09:47 mod_sql/4.10[1453]: exiting mysql cmd_open
Mar 20 21:09:47 mod_sql/4.10[1453]: query "SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='daniel') LIMIT 1"
Mar 20 21:09:47 mod_sql/4.10[1453]: entering mysql cmd_close
Mar 20 21:09:47 mod_sql/4.10[1453]: connection 'default' count is now 1
Mar 20 21:09:47 mod_sql/4.10[1453]: exiting mysql cmd_close
Mar 20 21:09:47 mod_sql/4.10[1453]: exiting mysql cmd_select
Mar 20 21:09:47 mod_sql/4.10[1453]: cache miss for user 'daniel'
Mar 20 21:09:47 mod_sql/4.10[1453]: user 'daniel' cached
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_name : daniel
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_uid : 65533
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_gid : 65533
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_dir : /srv/
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_shell : /bin/false
Mar 20 21:09:47 mod_sql/4.10[1453]: <<< cmd_getpwnam
Mar 20 21:09:47 mod_sql/4.10[1453]: >>> cmd_auth
Mar 20 21:09:47 mod_sql/4.10[1453]: entering mysql cmd_escapestring
Mar 20 21:09:47 mod_sql/4.10[1453]: exiting mysql cmd_escapestring
Mar 20 21:09:47 mod_sql/4.10[1453]: cache hit for user 'daniel'
Mar 20 21:09:47 mod_sql/4.10[1453]: >>> cmd_check
Mar 20 21:09:47 mod_sql/4.10[1453]: checking auth_type Crypt
Mar 20 21:09:47 mod_sql/4.10[1453]: checking auth_type Plaintext
Mar 20 21:09:47 mod_sql/4.10[1453]: 'Plaintext' auth handler reports success
Mar 20 21:09:47 mod_sql/4.10[1453]: cache hit for user 'daniel'
Mar 20 21:09:47 mod_sql/4.10[1453]: <<< cmd_check
Mar 20 21:09:47 mod_sql/4.10[1453]: <<< cmd_auth
Mar 20 21:09:47 mod_sql/4.10[1453]: >>> cmd_getpwnam
Mar 20 21:09:47 mod_sql/4.10[1453]: cache hit for user 'daniel'
Mar 20 21:09:47 mod_sql/4.10[1453]: <<< cmd_getpwnam
Mar 20 21:09:48 mod_sql/4.10[1453]: >>> cmd_uid2name
Mar 20 21:09:48 mod_sql/4.10[1453]: cache miss for uid '501'
Mar 20 21:09:48 mod_sql/4.10[1453]: : entering mysql cmd_select
Mar 20 21:09:48 mod_sql/4.10[1453]: entering mysql cmd_open
Mar 20 21:09:48 mod_sql/4.10[1453]: connection 'default' count is now 2
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_open
Mar 20 21:09:48 mod_sql/4.10[1453]: query "SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (uid = 501) LIMIT 1"
Mar 20 21:09:48 mod_sql/4.10[1453]: entering mysql cmd_close
Mar 20 21:09:48 mod_sql/4.10[1453]: connection 'default' count is now 1
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_close
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_select
Mar 20 21:09:48 mod_sql/4.10[1453]: cache hit for user 'daniel'
Mar 20 21:09:48 mod_sql/4.10[1453]: <<< cmd_uid2name
Mar 20 21:09:48 mod_sql/4.10[1453]: >>> cmd_uid2name
Mar 20 21:09:48 mod_sql/4.10[1453]: cache miss for uid '501'
Mar 20 21:09:48 mod_sql/4.10[1453]: : entering mysql cmd_select
Mar 20 21:09:48 mod_sql/4.10[1453]: entering mysql cmd_open
Mar 20 21:09:48 mod_sql/4.10[1453]: connection 'default' count is now 2
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_open
Mar 20 21:09:48 mod_sql/4.10[1453]: query "SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (uid = 501) LIMIT 1"
Mar 20 21:09:48 mod_sql/4.10[1453]: entering mysql cmd_close
Mar 20 21:09:48 mod_sql/4.10[1453]: connection 'default' count is now 1
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_close
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_select
Mar 20 21:09:48 mod_sql/4.10[1453]: cache hit for user 'daniel'
Mar 20 21:09:48 mod_sql/4.10[1453]: <<< cmd_uid2name
Mar 20 21:09:48 mod_sql/4.10[1453]: >>> cmd_uid2name
Mar 20 21:09:48 mod_sql/4.10[1453]: cache miss for uid '503'
Mar 20 21:09:48 mod_sql/4.10[1453]: : entering mysql cmd_select
Mar 20 21:09:48 mod_sql/4.10[1453]: entering mysql cmd_open
Mar 20 21:09:48 mod_sql/4.10[1453]: connection 'default' count is now 2
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_open
Mar 20 21:09:48 mod_sql/4.10[1453]: query "SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (uid = 503) LIMIT 1"
Mar 20 21:09:48 mod_sql/4.10[1453]: entering mysql cmd_close
Mar 20 21:09:48 mod_sql/4.10[1453]: connection 'default' count is now 1
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_close
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_select
Mar 20 21:09:48 mod_sql/4.10[1453]: cache miss for user 'aftp'
Mar 20 21:09:48 mod_sql/4.10[1453]: user 'aftp' cached
Mar 20 21:09:48 mod_sql/4.10[1453]: + pwd.pw_name : aftp
Mar 20 21:09:48 mod_sql/4.10[1453]: + pwd.pw_uid : 65533
Mar 20 21:09:48 mod_sql/4.10[1453]: + pwd.pw_gid : 65533
Mar 20 21:09:48 mod_sql/4.10[1453]: + pwd.pw_dir : /srv/anonymousftp
Mar 20 21:09:48 mod_sql/4.10[1453]: + pwd.pw_shell : /bin/bash
Mar 20 21:09:48 mod_sql/4.10[1453]: <<< cmd_uid2name
Mar 20 21:09:48 mod_sql/4.10[1453]: >>> cmd_uid2name
Mar 20 21:09:48 mod_sql/4.10[1453]: cache miss for uid '501'
Mar 20 21:09:48 mod_sql/4.10[1453]: : entering mysql cmd_select
Mar 20 21:09:48 mod_sql/4.10[1453]: entering mysql cmd_open
Mar 20 21:09:48 mod_sql/4.10[1453]: connection 'default' count is now 2
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_open
Mar 20 21:09:48 mod_sql/4.10[1453]: query "SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (uid = 501) LIMIT 1"
Mar 20 21:09:48 mod_sql/4.10[1453]: entering mysql cmd_close
Mar 20 21:09:48 mod_sql/4.10[1453]: connection 'default' count is now 1
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_close
Mar 20 21:09:48 mod_sql/4.10[1453]: exiting mysql cmd_select
Mar 20 21:09:48 mod_sql/4.10[1453]: cache hit for user 'daniel'
Mar 20 21:09:48 mod_sql/4.10[1453]: <<< cmd_uid2name
As you can see, some kind of error occurs with the UID (cache miss for UID 501) - it somehow takes on wrong values:
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_name : daniel
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_uid : 65533
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_gid : 65533
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_dir : /srv/
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_shell : /bin/false
daniel is the user I always try to log in as - a single login under this name produces this part of the SQLLogFile. I also had to create the user aftp so that the anonymous login works - the same phenomenon shows up there. The users table looks as follows:
mysql> SELECT * FROM users;
+--------+-------------+------+------+-------------------+------------+
| userid | passwd      | uid  | gid  | homedir           | shell      |
+--------+-------------+------+------+-------------------+------------+
| daniel | ftp.xion.lx |  501 |  100 | /srv/             | /bin/false |
| aftp   |             |  503 |  505 | /srv/anonymousftp | /bin/bash  |
+--------+-------------+------+------+-------------------+------------+
2 rows in set (0.00 sec)
And the corresponding lines from /etc/passwd:
daniel:x:501:100::/home/daniel:/bin/bash
aftp:x:503:505::/srv/anonymousftp/:/bin/false
As you can see, the user data match exactly, and the directory /srv/ also belongs to daniel on the system - the same goes for anonymous and aftp. Does anyone have an idea?
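Added example (not part of the original post, and not ProFTPD code): mod_sql replaces a UID or GID read from the database with its default ID when the value is below SQLMinUserUID / SQLMinUserGID, and the log above reports both minimums as 999. The script below compares the effective IDs in the SQLLogFile with the users table and flags each remapped account; `parse_log` and `audit` are hypothetical helper names, and the sample lines and table values are copied from the post.

```python
import re

# Lines taken from the SQLLogFile excerpt in the post.
LOG = """\
Mar 20 21:09:47 mod_sql/4.10[1453]: SQLMinUserUID : 999
Mar 20 21:09:47 mod_sql/4.10[1453]: SQLMinUserGID : 999
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_name : daniel
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_uid : 65533
Mar 20 21:09:47 mod_sql/4.10[1453]: + pwd.pw_gid : 65533
Mar 20 21:09:48 mod_sql/4.10[1453]: + pwd.pw_name : aftp
Mar 20 21:09:48 mod_sql/4.10[1453]: + pwd.pw_uid : 65533
Mar 20 21:09:48 mod_sql/4.10[1453]: + pwd.pw_gid : 65533
"""

# (uid, gid) per user as shown by `SELECT * FROM users` in the post.
TABLE = {"daniel": (501, 100), "aftp": (503, 505)}

# "<prefix>: [+ ]<key> : <value>" as written by mod_sql's debug log.
FIELD = re.compile(r"mod_sql/[\d.]+\[\d+\]:\s*\+?\s*([\w.]+)\s*:\s*(\S+)\s*$")

def parse_log(text):
    """Return (configured minimums, effective ids per user)."""
    mins, effective, current = {}, {}, None
    for line in text.splitlines():
        m = FIELD.search(line)
        if not m:
            continue
        key, val = m.groups()
        if key in ("SQLMinUserUID", "SQLMinUserGID"):
            mins[key] = int(val)
        elif key == "pwd.pw_name":
            current = effective.setdefault(val, {})
        elif key in ("pwd.pw_uid", "pwd.pw_gid") and current is not None:
            current[key[-3:]] = int(val)      # "uid" or "gid"
    return mins, effective

def audit(text, table):
    """List (user, field, stored, effective, below_minimum) mismatches."""
    mins, effective = parse_log(text)
    floors = {"uid": mins.get("SQLMinUserUID"), "gid": mins.get("SQLMinUserGID")}
    findings = []
    for user, ids in sorted(table.items()):
        eff = effective.get(user, {})
        for field, stored in zip(("uid", "gid"), ids):
            got, floor = eff.get(field), floors[field]
            if got is not None and got != stored:
                below = floor is not None and stored < floor
                findings.append((user, field, stored, got, below))
    return findings

if __name__ == "__main__":
    for user, field, stored, got, below in audit(LOG, TABLE):
        why = "below configured minimum" if below else "unexplained"
        print(f"{user}: {field} {stored} in table, session uses {got} ({why})")
```

Accounts flagged with `below_minimum` run with the default ID rather than the one stored in the table, so file permissions are evaluated for a different identity than intended.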