After update, some users have root access through proftpd

PRB
This is the second time this has happened to me; the first time I fixed it by replacing the proftpd.conf file with the default one. Anyway, this is a big security issue and should be fixed ASAP.
 
I can't replicate the issue on my server; it is not possible to go outside of a user's own home folder. I am using ProFTPd 1.3.3a on CentOS 5.5 64-bit and the newest DirectAdmin version.
 
In the thread linked by DutchTSE, DA Staff says versions.txt is to be downgraded to 1.3.2, but when I download the newest versions.txt it contains 1.3.3a, so I take it this has been resolved?
What version are you running @PRB?

That thread talks about the 1.3.3 RC. Now the stable version is released, but this version also has the bug.

The bug is that SOMETIMES you log in through FTP and your homedir is the root of the server. The next 10 times you log in it is your homedir, and then suddenly you see the root again. However, we got multiple (10+) reports of customers being confused about why they saw the root of the server. So if you log in and the homedir is your homedir you can't reach the root, but if you log in and the root is the homedir then you are.. in the root ;)
 
A recent update for proftpd has been released which will resolve an important security issue. It's highly recommended that all admins update their systems to proftpd version 1.3.3c.
Some reading indicated to me that the issue was introduced in 1.3.2rc3 (not confirmed), so previous versions might not be affected, but upgrading anyway is still highly recommended.

So our servers were forced to update to this version and now the problem occurs again. Please fix this problem, it is unacceptable that users have root access to the server through FTP!!!
 
So why are you complaining here... if you think there is a problem, complain to proftpd.
 
Then what do you people use to fix this? I am sure you are not allowing your users to have root login, right?
 
Whatever you might argue, the fact remains that DirectAdmin staff are not involved in fixing a bug in ProFTPd. Can you document that users logging in under their own username have complete root access to read and write anywhere on the system? If you can, then you should probably disable FTP completely until ProFTPd developers create a fix.

If you can't, then please tell us exactly what is happening.

Either way, please tell us exactly which kind of FTP account has this problem:

Accounts created when creating a user account under DirectAdmin?

Accounts created from the root shell using adduser?

Virtual FTP accounts created for a given user/domain under DirectAdmin?

Jeff
 
Can you document that users logging in under their own username have complete root access to read and write anywhere on the system

Yes, they have complete root access. They see the root of the server and can see all the files in, for example, the /etc directory. They also see the list of usernames in /home but cannot see the files of the specific users (thank god!). They however can't edit any file other than the files of their own account.

Either way, please tell us exactly which kind of FTP account has this problem:

Accounts created when creating a user account under DirectAdmin?

Yes!

Accounts created from the root shell using adduser?

I have never used this command on any of my servers.

Virtual FTP accounts created for a given user/domain under DirectAdmin?

Again Yes!
 
Yes, they have complete root access. They see the root of the server and can see all the files in, for example, the /etc directory. They also see the list of usernames in /home but cannot see the files of the specific users (thank god!). They however can't edit any file other than the files of their own account.

If they cannot edit any file other than the files they own, they do not have root access. They are just not chrooted into their home directory.
While this is inconvenient, with a proper setup (if you followed the DirectAdmin security tips) they will not be able to exploit anything at all.

I cannot see whether it's a bug in proftpd or DirectAdmin, but it's definitely not critical. I would recommend e-mailing [email protected] with your proftpd configuration and log files attached.
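Because the symptom described in this thread is intermittent (most logins land in the home directory, some in the server root), a one-off manual login is not a reliable check. The following probe is an added example, not code from the thread or from DirectAdmin/ProFTPD; it assumes a dedicated test account whose home path you know, and its function and constant names are this example's own.

```python
"""Check whether FTP logins for a test account land inside a chroot.

Added example (not from the thread). Assumptions: you own a dedicated
test account with a known home directory; HOST/USER/PASSWORD are supplied
by the operator running the check.
"""
from ftplib import FTP, error_perm

CHROOTED, NOT_CHROOTED = "chrooted", "not chrooted"

# Top-level names that only exist in a real filesystem root, never inside
# a user's home. Heuristic: a home that happens to contain a dir called
# "etc" would be misreported, so keep the test account's home clean.
SYSTEM_DIRS = {"etc", "home", "usr", "var", "bin", "sbin"}


def classify(pwd: str, home: str, root_listing: list[str]) -> str:
    """Classify one login from what the server reported.

    Inside a DefaultRoot chroot the session root *is* the home directory,
    so PWD reads "/" and listing "/" shows only the account's own files.
    Without the chroot, PWD reveals the real path (e.g. /home/user) and
    listing "/" shows the system's top level (etc, home, usr ...).
    """
    if home != "/" and pwd.rstrip("/") == home.rstrip("/"):
        return NOT_CHROOTED
    names = {entry.rstrip("/").rsplit("/", 1)[-1] for entry in root_listing}
    if names & SYSTEM_DIRS:
        return NOT_CHROOTED
    return CHROOTED


def probe(host: str, user: str, password: str, home: str, attempts: int = 10) -> list[str]:
    """Log in repeatedly (the bug is intermittent) and classify each session."""
    results = []
    for _ in range(attempts):
        ftp = FTP(host, timeout=15)
        ftp.login(user, password)
        try:
            listing = ftp.nlst("/")
        except error_perm:  # some servers answer 550 for an empty directory
            listing = []
        results.append(classify(ftp.pwd(), home, listing))
        ftp.quit()
    return results
```

Any `not chrooted` entry in the returned list means at least one session escaped the home directory; that is the condition to report upstream with the matching proftpd log lines.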
 