33 Replies Latest reply: May 3, 2007 3:31 AM by tobias Eichner
R Bryan Harrison Level 2 (210 points)
It seems that either the 10.4.9 Server Upgrade or the recent security update has disastrously altered the behavior of FTP in my configuration.

While FTP users are still sent to their home directories at logon, they're now free to CWD to get above those directories.

Worse, FTP now apparently perceives "/" as being the root level of the boot drive of the server, rather than the FTPRoot configuration in the Server Admin app. This gives FTP users inappropriate access to files that are outside of any sharepoint.

These behaviors persist unchanged even if I unshare everything - i.e., FTP users have all this access even if there are no sharepoints configured. Given the default o=rx configuration of many of the directories at "/" in a conventional X Server installation, this is a nightmare.

Server Admin's "Advanced" settings for FTP now seem to have no effect whatsoever. Ironically, this means it's impossible to provide FTP users any access whatsoever to sharepoints. It makes no difference what I set up - the behaviors described above persist. I can even specify user home directories outside of any sharepoint and FTP will provide access to them. Failure to specify a home directory dumps the user at the root level of the server's boot drive, not the FTPRoot. My only control over any of it is to turn FTP off entirely, which of course I have, much to the distress of my users.

I note that the normal creation of symbolic links in "/Library/FTPServer/FTPRoot" has been somehow suspended. Nothing ever happens, regardless of how I change settings.

I don't use anonymous FTP, and so have no idea how that would impact this mess.

As I'm sure is obvious, I'm now way beyond my expertise. Questions, suggestions... anything at all would be welcome.


G5 DP 2.5 ghz, etc., Mac OS X (10.4.9), OS X Server 10.4.9
  • Joakim Hartmann-Petersen Level 1 (15 points)

    I have other problems, ( ) and I just tested, and I also have the same problems you are having (on 2 different servers)

    So far I can see that the /system/library/launchdaemon/ftp.plist has changed from using the program xftpd to using the program ftpd.

    I tried yesterday to change the plist and it seemed OK, but the new one (ftpd) was quicker so I reverted. BUT your discoveries will make me change the plist file back to pre 2007-004 security update.

    Or, perhaps make all the config files as ftpd expects to find in the /etc/ lib. (try man ftpd)

    This is my pre 2007-004 security update ftp.plist:

    # cat pre.2007-004.ftp.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">
    <plist version="1.0">

    The biggest disaster is that Apple wrote that the change from lukemftpd -> tnftpd wasn't an issue on OS X Server (perhaps they meant something other than what I understood)

  • Zach Marano Level 1 (0 points)
    The security update caused this behavior on MacOS X Server. I have 7 servers that run FTP services for various reasons and they are all affected. I have had to shut off FTP until I can figure out a fix. With hope Apple comes out with a fix in short order.
  • Joakim Hartmann-Petersen Level 1 (15 points)
    I have changed to the old plist. ACL (see my original thread) works and you can't cd / (well, you can, but you get what you expect - the root of your home)

    I think everything is back by that change. I will however revert back just before the next update, to see if Apple has made the error right again.

    One thing I'm missing now: the logging to the ftp.log file. The new tnftpd could log login/transfer etc. to ftp.log, but the pre sec.upd. can't.
  • Zach Marano Level 1 (0 points)
    Changing the ftp.plist file is a great solution. Thanks for that. I was already trying to create a ftpd.conf file in /etc to get ftpd working correctly. However, I wasn't having any immediate success. In any case, it seems like it was an oversight by Apple to only create one security update for both OS X 10.4.9 client and server. They are not equal. I hope nothing else was taken under as well.
  • Bryan K. Vines Level 3 (835 points)
    Thanks, you're a lifesaver. I've been wrestling for the past couple of hours with this issue. I was migrating from Server 10.3.9 to Server 10.4.x, and I applied all the updates to get it to 10.4.9 before I noticed the FTP issue.

    I thought it was just me. Fortunately I have more than one 10.4.x server handy; the other two are running 10.4.8.

    Now that I think about it though, this is the second time to my knowledge that Apple has broken FTP. The last time was back in the 10.2 days, and it broke file sharing via FTP on 10.2.x client computers.

    Anyway, thanks a bunch for posting that message. I've adjusted the ftp.plist to use xftp again, and all is well.

    Bryan Vines

    Lots of Macs    
  • R Bryan Harrison Level 2 (210 points)
    That's great - I can't thank you enough.

    I wish I fully understood both the problem and the fix, but until I have the time to study and work it out, I'm very happy with the band-aid.

  • Daniel Sofer Level 1 (65 points)
    I don't consider editing the plist file a RESOLUTION of this topic.

    - For one, while it does solve the root access problem, it still does not get users back into their Home Directory only. The Server Admin settings are still ignored.

    Apple, me and my 150 paying web hosting customers are hoping you fix this soon.

    Daniel Sofer
    Hermosawave Internet
  • webjedi Level 1 (0 points)
    Yes, this is a disaster. All the share points listed are poof gone. I can only suggest SFTP to folks now since this functionality is busted, which is NOT good.

    I would have expected an update to the Admin Tool for the server side if they were making such a drastic change.

    Personally, I'm seeing, that I will now despise the iPhone due to what it's done to QA resources for OS X. This I think is the result. (great and an October release of Leopard.. psssh)

    Anyhow, I have yet to try the PLIST fix, but I think trolling through the man page for the new FTP server to fix this issue. I'll keep you all posted.
  • webjedi Level 1 (0 points)
    Yeah, there isn't a "resolution" here.

    I think we're looking for why the ftpd is not accessing and utilizing files found here:


    ftpaccess is one of the big ones, since this is what defines what a major bit of the functionality of the ftpd server will follow, including permissions.

    According to the tnftpd man page, it's looking for this:

    /etc/ftpchroot    List of normal users whose root directory should be changed via chroot(2).
    /etc/ftpd.conf    Configure file conversions and other settings.
    /etc/ftpusers     List of unwelcome/restricted users.
    /etc/ftpwelcome   Welcome notice before login.
    /etc/motd         Welcome notice after login.
    /etc/nologin      If it exists, displayed and access is refused.
    State file of logged-in processes for the tnftpd class
    /var/run/utmp     List of logged-in users on the system.
    /var/log/wtmp     Login history database.

    None of which exist after the update. Apple, what hath thou wrought?
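
An added example, not part of the thread and not Apple's or tnftpd's own tooling: a shell audit for the state described in the posts above, reporting which of the tnftpd files from the quoted man page are absent, whether an account is listed in `ftpchroot`, and whether an `ftp.plist` names `xftpd` or `ftpd`. The function names are hypothetical, and the reading of `ftpchroot` (first field is an exact user name, with an optional `deny`/`no` directive) is a simplifying assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper names). ROOT defaults to "/", and can be
# pointed at a scratch tree for testing.

# Config files from the tnftpd man page excerpt quoted in the thread.
TNFTPD_FILES="etc/ftpchroot etc/ftpd.conf etc/ftpusers etc/ftpwelcome"

# Print each missing file; exit status is the number of files missing.
missing_tnftpd_files() {
    root=${1:-/}
    missing=0
    for f in $TNFTPD_FILES; do
        if [ ! -f "${root%/}/$f" ]; then
            echo "missing: /$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Succeeds only if USER is the first field of a non-comment ftpchroot line
# that carries no deny/no directive. Simplified: globs, group and host
# qualifiers are not handled. A missing file means nobody is confined.
user_is_chrooted() {
    user=$1
    root=${2:-/}
    file="${root%/}/etc/ftpchroot"
    [ -f "$file" ] || return 1
    awk -v u="$user" '
        BEGIN { rc = 1 }
        NF == 0 || $1 ~ /^#/ { next }
        $1 == u { rc = ($2 == "deny" || $2 == "no") ? 1 : 0; exit }
        END { exit rc }
    ' "$file"
}

# Report which daemon an XML ftp.plist names: xftpd (before the update) or
# ftpd (after it), as described in the thread. Plain text match only.
plist_daemon() {
    if grep -q 'xftpd' "$1" 2>/dev/null; then echo xftpd
    elif grep -q 'ftpd' "$1" 2>/dev/null; then echo ftpd
    else echo unknown
    fi
}
```

Pass the path of the `ftp.plist` on the server to `plist_daemon`; any account for which `user_is_chrooted` fails while `ftpd` is the active daemon is one to test for access above its home directory before FTP is re-enabled.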
  • R Bryan Harrison Level 2 (210 points)
    While we can debate the semantics of the word "resolved" (and I agree Apple has resolved nothing), I do want to note one more time that with Joakim's backup "ftp.plist" and some fussing, I've been able to restore all the previous functionality of my configuration, including appropriate access to home directories and sharepoints.

    The solutions I've found are inelegant enough to make me wince, but I'll describe them in detail if anyone cares. Of course, Server Admin's interface to WuFTP makes me wince as well - it's nearly as bad as its godawful DNS interface. And as so many people have noted over the years, WuFTP itself is a bit of a dog.

    This particular mess is certainly infuriating, but given Apple's stated priorities with regard to the iPhone and OS X, I'll be pleasantly surprised if we see a fix anytime soon. In the meantime, I'm grateful for everyone's help as I have neither the time nor the inclination to replace WuFTP with a more elegant solution right now.

    In general, I find OS X Server's evolution toward something that might actually live up to its hype to be extremely slow, its documentation to be so shallow as to be useless, and both the rate at which bugs are fixed and the frequency with which updates introduce new ones to be unfortunate... At best, it's always struck me as an adequate implementation of a great idea. I've been using it since its initial release, and have always thought it a real shame Apple doesn't assign it enough resources for it to fulfill its potential.

    I often feel vaguely as though I'm having a long-term affair with a sweet, beautiful drunk. (Of course when I consider the alternatives, I have to concede that it's better than the norm, which seems more like being involved with a plug-ugly violent drunk.)

  • Joakim Hartmann-Petersen Level 1 (15 points)
    Well, it works here. Did you just change the program name??
    Or did you revert to the original ftp.plist? (hint: there are more changes than just the name)
    I have just tried changing the SA->FTP-> Advanced and tried all 3 options.
    FTP root and share points: FTP user started in home dir. CD / gave shares (FTP root is below one of the shares)
    Home Dir With Shares: FTP users started in home dir. CD / still gave home dir and there was the link to FTPRoot where my shares were.
    Home Dir only: FTP user started in home dir and there was a FTPRoot link but it didn't point anywhere (was left over from the previous test)

    I can't see what's missing.
    Please clarify
  • Daniel Sofer Level 1 (65 points)
    Joakim, Bryan:
    Thanks for the responses.
    I replaced my ftp.plist with yours and now the ftp won't start from the Server Admin, yet an ftp service is running.

    I'll take another look soon.

  • Joakim Hartmann-Petersen Level 1 (15 points)
    Did you restart the server after the change?
    The FTP server only disappeared after a restart

    What greeting did the ftp server give you (tnftpd?)

  • Daniel Sofer Level 1 (65 points)
    Hi Joakim:
    Yes after I restarted, the mystery ftp server disappeared

    After poking around with many iterations of the plist file, I was able to get the FTP server working properly again.

    I think my problems were:
    -- Copying your plist from the discussions page and pasting directly into the terminal -- when I pasted into BBEdit first, removed your comment line, reflowed and saved, and then pasted into terminal>pico -- it was happier.
    -- Trying to start the server with the Server Admin instead of rebooting the entire server.

    Okay, I can exhale now! Thanks for your help.

    Daniel Sofer
    Hermosawave Internet