How to disable FOG FTP passive mode?

Sebastian Roth

@Single Welcome back. Please run the following commands and post output here.

ls -al /images
ls -al /images/dev
getenforce
df -h

Single

@Sebastian-Roth OK, THX!

root@nik-buz-s01:~# ls -al /images
total 896
drwxrwxrwx 26 fogproject ftp          4096 Mar 11 10:15 .
drwxr-xr-x 23 root       root         4096 Dec 10 08:56 ..
-rw-r--r--  1 fogproject fogproject   3235 Mar 11 10:12 123
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 01:09 buz1
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 01:21 buz10
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 00:45 buz11
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 00:44 buz12
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 00:21 buz13
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 02:29 buz14
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 02:09 buz15
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 02:06 buz16
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 01:45 buz17
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 01:29 buz18
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 07:18 buz19
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 02:47 buz2
drwxrwxrwx  2 fogproject ftp          4096 Mar 11 10:15 buz20
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 02:51 buz3
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 02:53 buz4
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 05:30 buz5
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 06:23 buz6
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 02:26 buz7
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 02:28 buz8
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 01:26 buz9
drwxrwxrwx  6 fogproject ftp          4096 Mar  6 11:27 dev
-rw-rw-rw-  1 fogproject ftp        794038 Dec  7 12:57 fogdb.sql.bak
drwxrwxrwx  2 fogproject ftp         16384 Jun 29  2018 lost+found
-rw-r--r--  1 fogproject ftp             0 Mar 10 17:19 .mntcheck
drwxrwxrwx  2 fogproject ftp          4096 Jun 29  2018 postdownloadscripts
drwxrwxrwx  2 fogproject ftp          4096 Nov 27 03:42 s02

root@nik-buz-s01:~# ls -al /images/dev
total 24
drwxrwxrwx  6 fogproject ftp  4096 Mar  6 11:27 .
drwxrwxrwx 26 fogproject ftp  4096 Mar 11 10:15 ..
drwxrwxrwx  2 fogproject ftp  4096 Dec 24 21:10 10bf4879d7a6
drwxrwxrwx  2 root       root 4096 Mar 10 16:31 10bf4879d860
drwxrwxrwx  2 root       root 4096 Dec 24 11:19 c86000e14876
-rwxrwxrwx  1 fogproject ftp     0 Jun 29  2018 .mntcheck
drwxrwxrwx  2 fogproject ftp  4096 Jun 29  2018 postinitscripts

root@nik-buz-s01:~# getenforce
Disabled

root@nik-buz-s01:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            3.9G     0  3.9G   0% /dev
tmpfs           787M   84M  703M  11% /run
/dev/md1        103G  3.5G   94G   4% /
tmpfs           3.9G     0  3.9G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/sdc2       989G  392G  548G  42% /images
/dev/sdc1       845G  747G   56G  94% /data
tmpfs           787M     0  787M   0% /run/user/1000

Sebastian Roth

@Single Please run these as well:

id fogproject
id ftp
ps aux | grep ftp

Single

@Sebastian-Roth

root@nik-buz-s01:~# id fogproject
uid=1002(fogproject) gid=1003(fogproject) groups=1003(fogproject),113(ftp)
root@nik-buz-s01:~# id ftp
uid=106(ftp) gid=113(ftp) groups=113(ftp)
root@nik-buz-s01:~# ps aux | grep ftp
root       717  0.0  0.0   2800   924 ?        Ss   Feb24   0:00 /usr/sbin/in.tftpd --listen --user root --address :69 --ipv4 -s /tftpboot
root      5411  0.0  0.0   6704   888 pts/0    S+   17:32   0:00 grep ftp
root     13669  0.0  0.0   6620  2456 ?        Ss   Mar10   0:25 /usr/sbin/vsftpd /etc/vsftpd.conf

Sebastian Roth

@Single Please try logging into FTP via command line client and try renaming/moving those directories:

ftp fog.server.ip.add
...
ls /images/dev
rename /images/dev/10bf4879d860 /images/buz20_test

Single

@Sebastian-Roth said in How to disable FOG FTP passive mode?:

rename /images/dev/10bf4879d860 /images/buz20_test

ftp> ls /images/dev
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> rename /images/dev/10bf4879d860 /images/buz20_test
550 RNFR command failed.

Why???

FTP is allowed in nft firewall

...
ct state new tcp dport { ftp-data, ftp } accept comment "Allow access to FTP-server"
...

Sebastian Roth

@Single Try changing the ownership (chown -R fogproject:fogproject /images) and then FTP again. Doesn’t make sense, but give it a go.

Single

@Sebastian-Roth nothing changed

Sebastian Roth

@Single I can’t imagine this to be a firewall issue though we can make sure. Just use ftp command line client directly on the FOG server (ftp localhost) and try rename.

Single

# mount | grep images
/dev/sdc2 on /images type ext4 (rw,relatime)

Now it’s looks like it is vsftpd problem. Mb it can be helpful if I paste my vsftpd.conf here:

max_per_ip=200

anonymous_enable=NO
userlist_enable=YES
userlist_file=/etc/vsftpd/vsftpd.userlist
user_config_dir=/etc/vsftpd/user_config_dir/
userlist_deny=NO
local_enable=YES
virtual_use_local_privs=YES

write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES

xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftp.log

chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
allow_writeable_chroot=YES

listen=YES
listen_ipv6=NO

pam_service_name=vsftpd

pasv_enable=NO
tcp_wrappers=YES
seccomp_sandbox=NO

#cat /etc/vsftpd/user_config_dir/fogproject 
local_root=/images
write_enable=YES

Sebastian Roth

@Single said in How to disable FOG FTP passive mode?:

Mb it can be helpful if I paste my vsftpd.conf here

You are kidding, right?!?! I have not tested this yet but I am fairly sure the config is causing the issue. If you had told us you have a modified config (different from what FOG generates for you) then we would have found the solution in no time.

chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
allow_writeable_chroot=YES

Pretty sure this is part of the issue. But there might be other config options as well.

Default config generated by FOG:

max_per_ip=200
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=NO
seccomp_sandbox=NO

Single

I’ll check and let you know
Probably I was stupid but it was required to have more than one FTP user with different FTP folders in that server.

Sebastian Roth

@Single It’s all good, you are allowed to modify the config on your server to whatever you want. Just saying that letting us know right away would have saved you a lot of time.

Single

@Sebastian-Roth Thx for your help, Sebatian!
I commented out line

chroot_local_user=YES

And now everything is just fine about my FOG installation.
MB it makes sense to add into FOG wiki - that vsftpd option is incompatible to FOG.

Now I need to find a way to chroot one user but not to chroot other, but it is definitely not a FOG problem. (And, it’s simple)

Thanks again.

Best regards!