7552 Views Previous 1 2 3 Next 33 Replies Latest reply: May 3, 2007 3:31 AM by tobias Eichner Go to original post
Well, after I tested this, I can tell you what happened.
The 2007-004 Security Update replaced the ftp.plist in /System/Library/LaunchDaemons from Mac OS X server with the version from Mac OS X Client. There is no check in the installer if the update installs on client or Server, and it is the same update for both.
But, of course, FTP services on client and server are very different. With the client ftp.plist from client on the server, it is ftpd which is launched, not xftpd.
The solution is to replace the ftp.plist with a previous version from Mac OS X Server. If you don't have it, here is its content :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
Restart the server (relaunching the FTP service is not enough), and you should be up and running.
MacBook Pro 1,8 GHz Core Duo Mac OS X (10.4.9)
A thousand thank-yous for this. We're using Sandvox to create websites for posting (via FTP) on Mac OS X Server and this seems to have fixed our little problem.
I think Security Update 2004-007 prevented FTP from starting up, and mangled the ability of web broswers to furnish some of the files that were uploaded via FTP when the incorrect ftp.plist file was present.
I know just enough to be dangerous. Thank goodness for this forum.
Its very important that we submit bug reports on these issues. Apple does read them and they do take action when enough people submit reports. Here is the page to submit server related issues:
Personally, I'd suggest using something other than FTP.
But if you're going to use FTP, and security is a concern, Apple's xftpd is apparently just a version of wu_ftpd... and I wouldn't use wu_ftpd for a server hosting hostile users. It's just too big and complex. I'd recommend Troll_FTPd or one of its descendants like Pure-ftpd.
Changing the ftp.plist file back to its pre-Security Update contents fixed the worst of my problems (ie. users getting access to root), but I haven't been able to figure out another problem I've had with my FTP server since applying the Security Update.
i can't figure out why ftp users don't go straight to their home directories upon login; instead they're being placed at FTP root. This is causing some user confusion when they try to open folders they don't have permissions for.
I'm fairly certain that I have the home folders for these FTP-only accounts set up properly, but it just doesn't work right any more.
From the discussion here, it seems that there are other changes at play than just the root issue, though I didn't notice anything specifically about this problem. Does this ring a bell to anyone? Any suggestions? Thanks in advance,
Authenticated users see: Home Directory Only
FTP root: /Volumes/Production RAID/FTP Mosh/
any user who logs in sees the FTP Mosh folder, rather than the home directory defined for each user. For instance, the home directory for the FTP Guest user is set to "/Volumes/Production\ RAID/FTP\ Mosh/pub", but gets dropped in FTP Mosh instead. It's not a huge problem (users can get to the folders they're supposed to), but it does cause a fair amount of user confusion (& increased support calls).
I think I have the home directory defined properly, although I am a little unclear as to whether the home directory should be defined using a standard POSIX path (as it is) or if it should actually use the non-escaped form that the definition of the FTP root does...
It USED to work, though I may have changed something before finding out about the security update problem.
Thanks for the help.
Apple released Security Update 2007-004 v1.1 today to fix the FTP server problem:
Available for: Mac OS X Server v10.4.9
Impact: Users with ftp access may be able to navigate to directories
outside the normal scope
Description: Security Update 2007-004 applied an incorrect ftp
configuration file for Mac OS X Server v10.4.9 systems. Users with
ftp access, who would normally be restricted to certain directories,
may be able to access directories outside the normal scope. This
update addresses the issue by restoring the correct version
of the ftp configuration file. This issue only affects
Mac OS X Server v10.4.9 with Security Update 2007-004.
Any brave soul tested it yet?
I experienced the same problem and was able to fix it by using an older ftp.plist as advised. Thanks for your help
Anyway, I noticed about this problem just a few days ago by incident. Interestingly in Server Admin the FTP service was turned off (I'm absolutely sure that it was ON). Can this anyone confirm ?
Therefore I don't hope that security was hurt too much. Is there any reliable method to check if logged in ftp users not just having browsed the directories not intended for them, but also modified/copied files in there (all users with ftp access are member of group "staff") ? Maybe searching by all files owned by a certain group or user ?
I guess that no anonymous ftp logins were allowed (at least I have them disabled in Server Admin for sure)... or has anyone experienced such trouble ?