Permissions Issue

I’m running Virtualmin 2.6.10 along with proftpd 1.2.10 and I am experience an issue where certain files in the user’s home-directory are inaccessible. The permissions on the directory impose no limiations so I’m left to think that either webmin, virtualmin or perhaps some other program is moderating file-access in some capacity…? Has anyone any advice?

The directories not showing up are
/home/public_html
/home/logs
/home/cgi-bin

Directories that do show up
/home/.usermin
/home/homes

Thanks!

I have since fixed the problem. Apparently webmin had injected an ExtendedLog directive inbetween a ruleset causing some issues apparently. Repositioning it in the config file, followed by a healthy service restart seemed to make everything work.

Hey Tony,

Thanks for the update and the good sleuthing out of the problem. I’ll file a bug about this issue, and Jamie and I will do a bit of work to be sure we don’t break configuration file order in the future.

Tony - could yoi post your proftpd.conf file with the incorrect line included? I would like to see exactly what Webmin did wrong …

Inserting it into the <Global> section is a bad thing…
Did you use the ProFTPd module to add any ‘Custom logfiles’ that may have triggered this?

Jamie Cameron,

Yeah, I added a custom logfile via the proftpd module. Strangely enough though, while I thought I had localized the problem its now manifesting on a new server of mine. The config file appears no different from the one I posted above, but still there are certain directories whose accessibility is denied due to "permissions".

Would you say the problem is specific to proftpd, or do you suppose apache or some other program is interferring?

Thanks,
Tony

Hey Tony,

Apache cannot have any impact on ProFTPd access or permissions. It has to be an actual permissions issue (i.e. ownership or insufficient privileges), or an issue with ProFTPd configuration. I can’t tell from the information we have so far.

What appears in the log when this problem shows up?

Am I crazy? It doesn’t look like a permission issue…

total 72
drwxr-xr-x 6 relic skullbuggery 4096 Apr 24 15:02 .
drwxr-xr-x 3 root root 4096 Apr 24 15:02 …
-rw-r–r-- 1 relic skullbuggery 24 Apr 24 15:02 .bash_logout
-rw-r–r-- 1 relic skullbuggery 191 Apr 24 15:02 .bash_profile
-rw-r–r-- 1 relic skullbuggery 124 Apr 24 15:02 .bashrc
drwxr-xr-x 2 relic skullbuggery 4096 Apr 24 15:02 cgi-bin
drwxr-xr-x 2 relic skullbuggery 4096 Apr 24 15:02 homes
drwxr-xr-x 2 relic skullbuggery 4096 Apr 24 15:02 logs
drwxr-xr-x 3 relic skullbuggery 4096 Apr 24 15:02 public_html

I wish this forum allowed a person to edit their posts… I deliberately altered my prior post for privacy reasons, but I realize now that the information is echoed in the audit.log.

So here’s the authentic directory listing…

total 72
drwxr-xr-x 6 ciphex epantheon 4096 Apr 24 15:02 .
drwxr-xr-x 3 root root 4096 Apr 24 15:02 …
-rw-r–r-- 1 ciphex epantheon 24 Apr 24 15:02 .bash_logout
-rw-r–r-- 1 ciphex epantheon 191 Apr 24 15:02 .bash_profile
-rw-r–r-- 1 ciphex epantheon 124 Apr 24 15:02 .bashrc
drwxr-xr-x 2 ciphex epantheon 4096 Apr 24 15:02 cgi-bin
drwxr-xr-x 2 ciphex epantheon 4096 Apr 24 15:02 homes
drwxr-xr-x 2 ciphex epantheon 4096 Apr 24 15:02 logs
drwxr-xr-x 3 ciphex epantheon 4096 Apr 24 15:02 public_html

Hey Tony,

SELinux should not be enabled on any currently supported system–even the targeted policy on Fedora Core 4 has some issues that prevent it from being useful on a virtual hosting system. If it has been re-enabled on your system after installation, then you will run into a number of permissions problems–not just with ProFTPd.

You can check the state of selinux with the sestatus command.

Hey Joe Cooper,

You had it on the button. I disabled SELinux, and it all runs beautifully now. What was it about the audit.log that indicated SELinux was interferring?

Tony

Hey Tony,

It was a lucky guess. The audit log looks the same, as far as I know, whether the system is in permissive mode (which will work fine) or enforcing mode (which won’t). Since you were complaining about mysterious permissions issues, I just figured it was on.

I’ve had enough run-ins with mysterious permissions issues and SELinux to suspect it very soon in any permissions conversation.

One of these days there will be a guide to the gotchas and fixes for virtual hosting with SELinux enabled…but it hasn’t come into existence yet. If it still doesn’t exist when the EA period comes to an end, and I have some more free time, I’ll tackle it myself. (And I might even try to figure out a way to make it an option during install, though SELinux is currently not packageable in any sane way.)

Thought I’d post my proftpd.conf


ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
MaxInstances 20
User nobody
Group nobody
ScoreboardFile /var/run/proftpd.score

LogFormat default "%h %l %u %t "%r" %s %b"
LogFormat auth "%v [[%P]] %h %t "%r" %s"

#TLSEngine on
#TLSRequired on
#TLSRSACertificateFile /usr/share/ssl/certs/proftpd.pem
#TLSRSACertificateKeyFile /usr/share/ssl/certs/proftpd.pem
#TLSCipherSuite ALL:!ADH:!DES
#TLSOptions NoCertRequest
#TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
#TLSLog /var/log/proftpd/tls.log

----------------------EOF----------------------

Here’s my proftpd.conf in its entirity:

So the ExtendedLog line was interjected in the[GLOBAL></GLOBAL> ruleset just a few lines above it. I repositioned it a few lines down, restarted the service and everything was suddenly funtional.

------BEGIN PROFTPD.CONF------
ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
AccessGrantMsg "User %u logged in."
#DisplayConnect /etc/ftpissue
#DisplayLogin /etc/ftpmotd
#DisplayGoAway /etc/ftpgoaway
DeferWelcome off
DefaultRoot ~ !adm
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
IdentLookups off
UseReverseDNS off
Port 21
Umask 022
ListOptions "-a"
#MultilineRFC2228 off
#RootLogin off
#LoginPasswordPrompt on
#MaxLoginAttempts 3
#MaxClientsPerHost none
#AllowForeignAddress off # For FXP
AllowRetrieveRestart on
AllowStoreRestart on
MaxInstances 20
User nobody
Group nobody
ScoreboardFile /var/run/proftpd.score

Normally, we want users to do a few things.

<Global>
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>

Define the log formats

LogFormat default "%h %l %u %t "%r" %s %b"
LogFormat auth "%v [[%P]] %h %t "%r" %s"
ExtendedLog /var/log/proftpd/access_log

#TLSEngine on
#TLSRequired on
#TLSRSACertificateFile /usr/share/ssl/certs/proftpd.pem
#TLSRSACertificateKeyFile /usr/share/ssl/certs/proftpd.pem
#TLSCipherSuite ALL:!ADH:!DES
#TLSOptions NoCertRequest
#TLSVerifyClient off
##TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
#TLSLog /var/log/proftpd/tls.log

------ EOF ------

audit.log shows…

type=AVC msg=audit(1145933006.151:76): avc: denied { getattr } for pid=2954 comm=“proftpd” name=“public_html” dev=sda3 ino=262902 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1145933006.151:76): arch=40000003 syscall=196 success=no exit=-13 a0=bfdab3db a1=bfdb1438 a2=634ff4 a3=bfdab3db items=1 pid=2954 auid=0 uid=0 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm=“proftpd” exe="/usr/sbin/proftpd"
type=AVC_PATH msg=audit(1145933006.151:76): path="/public_html"
type=CWD msg=audit(1145933006.151:76): cwd="/"
type=PATH msg=audit(1145933006.151:76): item=0 name="/public_html" flags=0 inode=262902 dev=08:03 mode=040755 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1145933087.440:77): avc: denied { getattr } for pid=2954 comm=“proftpd” name=“public_html” dev=sda3 ino=262902 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1145933087.440:77): arch=40000003 syscall=196 success=no exit=-13 a0=bfdab3db a1=bfdb1438 a2=634ff4 a3=bfdab3db items=1 pid=2954 auid=0 uid=0 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm=“proftpd” exe="/usr/sbin/proftpd"
type=AVC_PATH msg=audit(1145933087.440:77): path="/public_html"
type=CWD msg=audit(1145933087.440:77): cwd="/"
type=PATH msg=audit(1145933087.440:77): item=0 name="/public_html" flags=0 inode=262902 dev=08:03 mode=040755 ouid=500 ogid=500 rdev=00:00
type=USER_AUTH msg=audit(1145933293.249:78): user pid=2988 uid=0 auid=0 msg=‘PAM authentication: user=ciphex exe="/usr/sbin/proftpd" (hostname=24.20.202.166, addr=24.20.202.166, terminal=? result=Success)’
type=USER_ACCT msg=audit(1145933293.249:79): user pid=2988 uid=0 auid=0 msg=‘PAM accounting: user=ciphex exe="/usr/sbin/proftpd" (hostname=24.20.202.166, addr=24.20.202.166, terminal=? result=Success)’
type=USER_START msg=audit(1145933293.253:80): user pid=2988 uid=0 auid=0 msg=‘PAM session open: user=ciphex exe="/usr/sbin/proftpd" (hostname=24.20.202.166, addr=24.20.202.166, terminal=? result=Success)’
type=CRED_ACQ msg=audit(1145933293.253:81): user pid=2988 uid=0 auid=0 msg=‘PAM setcred: user=ciphex exe="/usr/sbin/proftpd" (hostname=24.20.202.166, addr=24.20.202.166, terminal=? result=Success)’
type=AVC msg=audit(1145933298.637:82): avc: denied { getattr } for pid=2988 comm=“proftpd” name=“public_html” dev=sda3 ino=262902 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1145933298.637:82): arch=40000003 syscall=196 success=no exit=-13 a0=bfdab3db a1=bfdb1438 a2=634ff4 a3=bfdab3db items=1 pid=2988 auid=0 uid=0 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm=“proftpd” exe="/usr/sbin/proftpd"
type=AVC_PATH msg=audit(1145933298.637:82): path="/public_html"
type=CWD msg=audit(1145933298.637:82): cwd="/"
type=PATH msg=audit(1145933298.637:82): item=0 name="/public_html" flags=0 inode=262902 dev=08:03 mode=040755 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1145933302.497:83): avc: denied { getattr } for pid=2988 comm=“proftpd” name=“logs” dev=sda3 ino=262904 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:httpd_log_t tclass=dir
type=SYSCALL msg=audit(1145933302.497:83): arch=40000003 syscall=196 success=no exit=-13 a0=bfdab3db a1=bfdb1438 a2=634ff4 a3=bfdab3db items=1 pid=2988 auid=0 uid=0 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm=“proftpd” exe="/usr/sbin/proftpd"
type=AVC_PATH msg=audit(1145933302.497:83): path="/logs"
type=CWD msg=audit(1145933302.497:83): cwd="/"
type=PATH msg=audit(1145933302.497:83): item=0 name="/logs" flags=0 inode=262904 dev=08:03 mode=040755 ouid=500 ogid=500 rdev=00:00

~Tony