| Summary: | connection to pure-ftp server fails because ftp user id <1000 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | christian barranco <chb0> |
| Component: | RPM Packages | Assignee: | Pascal Terjan <pterjan> |
| Status: | NEW --- | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | johnltw, ouaurelien |
| Version: | 8 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | pure-ftpd-1.0.47-7.mga8.src.rpm | CVE: | |
| Status comment: | | | |
complement : the user has a uid <1000 because it looks like pure-ftp creates the user ftp with UID and GID equal to 969

    $ id ftp
    uid=969(ftp) gid=969(ftp) groupes=969(ftp)

workaround:

edit /etc/pure-ftpd/pure-ftpd.conf and change minimum UID to be 500 instead of 1000

    MinUID 500

Shouldn't this configuration file be already modified accordingly when the package is installed?

Normally on newer installs since Mageia 6 real users should have a USERID >1000.

For Mageia 8, systems services have been enabled to have userID <1000.

CC: (none) => ouaurelien

Hi Aurelien

It is why I think the fix should be to send the /etc/pure-ftpd/pure-ftpd.conf configuration file with the modification I proposed. It is compliant with Mageia 8 policy.

(In reply to Aurelien Oudelet from comment #3)
> Normally on newer installs since Mageia 6 real users should have a USERID >1000.
>
> For Mageia 8, systems services have been enabled to have userID <1000.

Not a specific comment related to *this* bug report per se, but I've noticed a bit of inconsistency related to the UID numbering scheme since installing 8. For example, lines 38-42 from /etc/profile prevent trivial games folders from being added to the PATH of a low-level (UID < 1000) user -- just as would be expected under this new(ish) paradigm:

┌────
│ # Path manipulation
│ if [ "$UID" -ge 1000 ] ; then
│     pathmunge /usr/local/games after
│     pathmunge /usr/games after
│ fi
└────

Yet, on lines 146-150 in /etc/sddm.conf (freshly patched only a couple of days ago due to Bug 28378) we see:

┌────
│ #### Mageia-specific configuration
│
│ [Users]
│ MinimumUid=500
│ RememberLastUser=true
└────

Shouldn't the MinimumUid here not also be 1000?

CC: (none) => johnltw

> Can't login as [printeruser]: account disabled (uid < 1000)
> the user has a uid <1000 because it looks like pure-ftp creates the user ftp with UID and GID equal to 969
> edit /etc/pure-ftpd/pure-ftpd.conf and change minimum UID to be 500 instead of 1000
> MinUID 500
> Shouldn't this configuration file be already modified accordingly when the package is installed?

Thank you christian for the report, and the reason/workaround.
It looks as if it would be equally valid for the package to create UIDs >1000.
Assigning to Pascal as the registered and latest maintainer of this SRPM.

-----

Comment 5 re SDDM MinimumUid=500 (thanks John for the pointer)
@Aurélien : if this is valid (it is true), should we ask John to raise a specific bug on it? You might have other views.

Assignee: bugsquad => pterjan

(In reply to Lewis Smith from comment #6)
snip
>
> Comment 5 re SDDM MinimumUid=500 (thanks John for the pointer)
> @Aurélien : if this is valid (it is true), should we ask John to raise a specific bug on it? You might have other views.

No because of existing installations from at least Mageia 5 or 6 will see no users listed at login prompt.

(In reply to Aurelien Oudelet from comment #7)
> (In reply to Lewis Smith from comment #6)
> snip
> >
> > Comment 5 re SDDM MinimumUid=500 (thanks John for the pointer)
> > @Aurélien : if this is valid (it is true), should we ask John to raise a specific bug on it? You might have other views.
>
> No because of existing installations from at least Mageia 5 or 6 will see no users listed at login prompt.

No, it should be fixed to 1000

from spec
%config(noreplace) %{_sysconfdir}/sddm.conf

which means it will work on upgrades as it won't be replaced, but new installs get the correct new value of 1000

I am not sure what the right solution is.

For real users, they will have uid >= 1000 and all work as expected, same for system users not allowed to login.

For virtual users it seems it is the UID of the server which is by design a system user < 1000.

I see the same problem reported on various distros over the last 10 years but with only workarounds...

Basically this is the problem: "pure-pw useradd printeruser -u ftp -d /home/user/Public"

There should be another user to map virtual users to rather than the one running the server.

(In reply to Pascal Terjan from comment #10)
> Basically this is the problem: "pure-pw useradd printeruser -u ftp -d /home/user/Public"
>
> There should be another user to map virtual users to rather than the one running the server.

Hi
Not sure I follow you. printeruser is indeed a virtual user, not a regular user of the server.
Could you elaborate?
Thanks

The command "pure-pw useradd printeruser -u ftp -d /home/user/Public" says to create a virtual user called "printeruser" with the uid of the user "ftp", and the user "ftp" is not allowed to login.

@ Lewis Smith, Aurelien Oudelet, and Thomas Backlund

(In reply to Lewis Smith from comment #6)
> Comment 5 re SDDM MinimumUid=500 (thanks John for the pointer)
> @Aurélien : if this is valid (it is true), should we ask John to raise a specific bug on it?

Done. Clearly my observation *is* a point of contention but I didn't intend for it to derail discussion of Christian's bug. New report filed at Bug 28624.

Thanks for that. Dealt with.

@ Aurélien, tmb, Pascal
Please note the other Bug 28624 for the SDDM UID issue. I have copied the few relevant comments from this bug to that.

(In reply to Pascal Terjan from comment #12)
> The command "pure-pw useradd printeruser -u ftp -d /home/user/Public" says to create a virtual user called "printeruser" with the uid of the user "ftp", and the user "ftp" is not allowed to login.

Thanks Pascal. Clear.
I thought the command I used to create the virtual user was per pure-ftp manual. I need to check that again. Or would you have a recommendation already?

Unfortunately no, I still don't know how to fix it, just that it is the problem :(

- The user needs to be < 1000, else it will be shown in DM and allowed to login with some other apps.
- We don't want pure-ftpd to allow login with other system users, which would happen if we lowered MinUID

I think the only proper fix would be a change in pure-ftpd code to allow ignoring minuid for virtual users.
I'll try to ask on their mailing list.

(In reply to Pascal Terjan from comment #16)
>
> - We don't want pure-ftpd to allow login with other system users, which would happen if we lowered MinUID
>

Hi
What is the risk associated? Shouldn't the user be explicitly added to allow a connection anyway? Does it create a breach in the security setup?

The problem is when using real users.
If some system user has no password for example and is only restricted by its shell being /bin/nologin or equivalent, there is a risk people would be able to login as that user.
So the MinUID is useful in that case to protect from other misconfigurations giving access to those users.

When using virtual users this doesn't matter, as they always use pure-ftpd's user, but MinUID still applies if set.

Thanks Pascal. Clear.
I always use virtual user. So, in that case, there is no risk, as far as I understand you. However, there will be a conflict with MinUID, still.
So, my conclusion is, and I might stretch it, the default configuration file doesn't allow a straightforward installation with Mageia ie. it will always need adjustments with virtual user usage.
Should at least a comment be put on our configuration file to alert about this issue?

(In reply to christian barranco from comment #2)
> workaround:
>
> edit /etc/pure-ftpd/pure-ftpd.conf and change minimum UID to be 500 instead of 1000
>
> MinUID 500
>

The workaround above is mandatory to get it to work. At least, I have not found anything else.
Should this report be closed, or is there any action to be taken?
Description of problem:
Impossible to connect to ftp server with virtual user created with pure-ftp because account disabled (uid < 1000)

Version-Release number of selected component (if applicable):
MGA8 installation

How reproducible:
always

Steps to Reproduce:
1. urpmi pure-ftpd
2. systemctl enable --now pure-ftpd
3. edit /etc/pure-ftpd/pure-ftpd.conf
   3.1 change NoAnonymous yes
   3.2 uncomment PureDB /etc/pure-ftpd/pureftpd.pdb
4. create virtual user printeruser and its working folder
   pure-pw useradd printeruser -u ftp -d /home/user/Public
5. pure-pw mkdb
6. open ftp port in firewall
7. try to connect from a client with filezilla for instance
8. on the server, systemctl status pure-ftpd

    ● pure-ftpd.service - LSB: Pure FTPd FTP server
         Loaded: loaded (/etc/rc.d/init.d/pure-ftpd; generated)
         Active: active (running) since Mon 2021-03-15 11:43:28 CET; 24s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 3954 ExecStart=/etc/rc.d/init.d/pure-ftpd start (code=exited, status=0/SUCCESS)
       Main PID: 3964 (pure-ftpd)
          Tasks: 1 (limit: 19137)
         Memory: 840.0K
            CPU: 84ms
         CGroup: /system.slice/pure-ftpd.service
                 └─3964 /usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf

    mars 15 11:43:28 cbct-serv systemd[1]: Starting LSB: Pure FTPd FTP server...
    mars 15 11:43:28 cbct-serv pure-ftpd[3954]: Lancement du serveur ftp ( Pure-ftpd ) : [ OK ]
    mars 15 11:43:28 cbct-serv systemd[1]: Started LSB: Pure FTPd FTP server.
    mars 15 11:43:47 cbct-serv pure-ftpd[3985]: (?@192.168.1.21) [INFO] New connection from 192.168.1.21
    mars 15 11:43:47 cbct-serv pure-ftpd[3985]: (?@192.168.1.21) [WARNING] Can't login as [printeruser]: account disabled (uid < 1000)
    mars 15 11:43:49 cbct-serv pure-ftpd[3985]: (?@192.168.1.21) [INFO] Logout.
    [barthol@cbct-serv ~]$ man pureftp

9. on the client, connection fails
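
The MinUID trade-off discussed in this report, as an added example that is not part of the original report or of pure-ftpd: a preflight check that lists virtual users whose mapped UID falls below MinUID and flags a configuration where MinUID is below 1000 while real-account authentication is enabled. The passwd-file layout (numeric UID in the third colon-separated field), the sample file names and treating an unset MinUID as 0 are assumptions; UnixAuthentication and PAMAuthentication are pure-ftpd.conf directives that do not appear in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or pure-ftpd). Assumed: the pure-pw
# passwd file is "login:password:uid:gid:..." with a numeric uid, and an
# unset MinUID is treated as 0.

# conf_value FILE KEY: last uncommented value of KEY, empty if unset
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# refused_virtual_users CONF PASSWD: logins whose mapped uid is below MinUID
refused_virtual_users() {
    min=$(conf_value "$1" MinUID)
    awk -F: -v min="${min:-0}" '$3 + 0 < min + 0 { print $1 }' "$2"
}

# system_login_exposure CONF: "exposed" when MinUID is below 1000 while Unix
# or PAM authentication (real accounts) is enabled, otherwise "ok"
system_login_exposure() {
    min=$(conf_value "$1" MinUID)
    unix=$(conf_value "$1" UnixAuthentication)
    pam=$(conf_value "$1" PAMAuthentication)
    if [ "${min:-0}" -lt 1000 ] && { [ "$unix" = yes ] || [ "$pam" = yes ]; }; then
        echo exposed
    else
        echo ok
    fi
}

# Constructed sample files: the stock setting, the workaround from the
# report, and the workaround combined with PAM authentication.
d=$(mktemp -d)
pdb='PureDB /etc/pure-ftpd/pureftpd.pdb'
printf 'NoAnonymous yes\nMinUID 1000\n%s\n' "$pdb" > "$d/stock.conf"
printf 'NoAnonymous yes\nMinUID 500\n%s\n' "$pdb" > "$d/workaround.conf"
printf 'MinUID 500\n%s\nPAMAuthentication yes\n' "$pdb" > "$d/mixed.conf"
printf 'printeruser:constructed-hash:969:969::/home/user/Public\n' > "$d/users.passwd"

for c in stock workaround mixed; do
    echo "$c: refused=[$(refused_virtual_users "$d/$c.conf" "$d/users.passwd")]" \
         "system accounts: $(system_login_exposure "$d/$c.conf")"
done
```
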