  • guillaumegete Level 1 Level 1 (0 points)
    Well, after I tested this, I can tell you what happened.

    The 2007-004 Security Update replaced the ftp.plist in /System/Library/LaunchDaemons from Mac OS X Server with the version from Mac OS X Client. There is no check in the installer for whether the update is being installed on Client or Server, and it is the same update for both.

    But, of course, FTP services on Client and Server are very different. With the Client ftp.plist on the Server, it is ftpd that is launched, not xftpd.

    The solution is to replace the ftp.plist with a previous version from Mac OS X Server. If you don't have it, here is its content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">
    <plist version="1.0">

    Restart the server (relaunching the FTP service is not enough), and you should be up and running.

    MacBook Pro 1,8 GHz Core Duo   Mac OS X (10.4.9)  
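As an added example (not code from the thread or from Apple), here is a shell check for the failure mode guillaumegete describes: read which program a launchd job plist will start, and flag a Server whose ftp.plist points at ftpd rather than xftpd. The two sample plists are constructed to have the shape of a Tiger launchd job; they are not copies of Apple's actual client or server ftp.plist, and the label, arguments and keys in them are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple.
# Reads a launchd job plist and reports which program it starts, so an
# admin can tell whether /System/Library/LaunchDaemons/ftp.plist will
# launch the Server FTP daemon (xftpd) or the Client one (ftpd).

# Print the program a launchd plist starts: the <string> after
# <key>Program</key>, or else the first <string> in the <array> after
# <key>ProgramArguments</key>. Plain awk, so it also runs off-box on a
# copy of the file (no plutil/defaults needed).
launchd_program() {
    awk '
        /<key>Program<\/key>/          { want = 1; next }
        /<key>ProgramArguments<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
    ' "$1"
}

# Classify a Server ftp.plist: "ok" if it launches xftpd, "client-plist"
# if it launches ftpd (the 2007-004 mix-up), "unknown" otherwise.
classify_ftp_plist() {
    prog=$(launchd_program "$1")
    case "${prog##*/}" in
        xftpd) echo ok ;;
        ftpd)  echo client-plist ;;
        *)     echo unknown ;;
    esac
}

# Constructed sample plists (assumed shape; NOT Apple's real files).
# Writes a client-style and a server-style plist into a temp dir and
# prints the dir name. The server sample differs only in the daemon path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/client-ftp.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.ftpd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/ftpd</string>
        <string>-l</string>
    </array>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>
EOF
    sed 's#/usr/libexec/ftpd#/usr/libexec/xftpd#' "$dir/client-ftp.plist" \
        > "$dir/server-ftp.plist"
    echo "$dir"
}

# Usage: sh check-ftp-plist.sh /System/Library/LaunchDaemons/ftp.plist
# With no arguments, run against the constructed samples instead.
if [ $# -gt 0 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(classify_ftp_plist "$f")"; done
else
    d=$(make_samples)
    for f in "$d"/*.plist; do printf '%s: %s\n' "$f" "$(classify_ftp_plist "$f")"; done
fi
```

Run it against the live ftp.plist before and after restoring the Server version; as the post says, the job must be reloaded by a restart for the change to take effect, so a correct plist on disk does not by itself mean xftpd is the process answering on port 21 (check `ps` for ftpd vs xftpd as well).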
  • Mike Matthews Level 1 Level 1 (10 points)
    A thousand thank-yous for this. We're using Sandvox to create websites for posting (via FTP) on Mac OS X Server and this seems to have fixed our little problem.

    I think Security Update 2004-007 prevented FTP from starting up, and mangled the ability of web browsers to furnish some of the files that were uploaded via FTP when the incorrect ftp.plist file was present.

    I know just enough to be dangerous. Thank goodness for this forum.

  • dexterous Level 1 Level 1 (0 points)

    It's very important that we submit bug reports on these issues. Apple does read them, and they do take action when enough people submit reports. Here is the page to submit server-related issues:
  • Peter da Silva Level 1 Level 1 (0 points)
    Personally, I'd suggest using something other than FTP.

    But if you're going to use FTP, and security is a concern, Apple's xftpd is apparently just a version of wu_ftpd... and I wouldn't use wu_ftpd for a server hosting hostile users. It's just too big and complex. I'd recommend Troll_FTPd or one of its descendants like Pure-ftpd.
  • tking13 Level 1 Level 1 (0 points)
    Changing the ftp.plist file back to its pre-Security Update contents fixed the worst of my problems (i.e. users getting access to root), but I haven't been able to figure out another problem I've had with my FTP server since applying the Security Update.

    I can't figure out why FTP users don't go straight to their home directories upon login; instead they're being placed at the FTP root. This is causing some user confusion when they try to open folders they don't have permissions for.

    I'm fairly certain that I have the home folders for these FTP-only accounts set up properly, but it just doesn't work right any more.

    From the discussion here, it seems that there are other changes at play than just the root issue, though I didn't notice anything specifically about this problem. Does this ring a bell to anyone? Any suggestions? Thanks in advance,

    Tim King
  • R Bryan Harrison Level 2 Level 2 (210 points)

    What do you have set under FTP Advanced Settings?

  • tking13 Level 1 Level 1 (0 points)
    Authenticated users see: Home Directory Only
    FTP root: /Volumes/Production RAID/FTP Mosh/

    Any user who logs in sees the FTP Mosh folder, rather than the home directory defined for each user. For instance, the home directory for the FTP Guest user is set to "/Volumes/Production\ RAID/FTP\ Mosh/pub", but gets dropped in FTP Mosh instead. It's not a huge problem (users can get to the folders they're supposed to), but it does cause a fair amount of user confusion (and increased support calls).

    I think I have the home directory defined properly, although I am a little unclear as to whether the home directory should be defined using a standard POSIX path (as it is) or if it should actually use the non-escaped form that the definition of the FTP root does...

    It USED to work, though I may have changed something before finding out about the security update problem.

    Thanks for the help.

    Tim King
  • Mike Matthews Level 1 Level 1 (10 points)
    Apple released Security Update 2007-004 v1.1 today to fix the FTP server problem:

    CVE-ID: CVE-2007-0745
    Available for: Mac OS X Server v10.4.9
    Impact: Users with ftp access may be able to navigate to directories
    outside the normal scope
    Description: Security Update 2007-004 applied an incorrect ftp
    configuration file for Mac OS X Server v10.4.9 systems. Users with
    ftp access, who would normally be restricted to certain directories,
    may be able to access directories outside the normal scope. This
    update addresses the issue by restoring the correct version
    of the ftp configuration file. This issue only affects
    Mac OS X Server v10.4.9 with Security Update 2007-004.

    Any brave soul tested it yet?

  • Martin Geskalney Jones Level 1 Level 1 (85 points)
    Yes, I've tried it. So far so good.

    Though the above fix got me out of hot water before the patch came along.
  • guillaumegete Level 1 Level 1 (0 points)
    Guys, it's time to update using Security Update v1.1

  • tobias Eichner Level 3 Level 3 (570 points)
    Interestingly... I just have a QuickTime update waiting to be installed when I check for new software.

    Does Apple make updates for PPC/Intel platforms available on different dates?

    It would be interesting to know whether this update just generates the same error again instead of fixing it.
  • tobias Eichner Level 3 Level 3 (570 points)
    I experienced the same problem and was able to fix it by using an older ftp.plist as advised. Thanks for your help.

    Anyway, I noticed this problem just a few days ago by accident. Interestingly, in Server Admin the FTP service was turned off (I'm absolutely sure that it was ON). Can anyone confirm this?

    Therefore I hope that security wasn't hurt too much. Is there any reliable method to check whether logged-in FTP users have not just browsed the directories not intended for them, but also modified/copied files in there (all users with FTP access are members of group "staff")? Maybe searching for all files owned by a certain group or user?

    I guess that no anonymous FTP logins were allowed (at least I have them disabled in Server Admin for sure)... or has anyone experienced such trouble?
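The check tobias asks about, as an added example that is not part of the thread: a find-based sweep for files under the FTP root whose modification time is later than a reference point, optionally restricted to one group such as staff. The sample tree, its timestamps and the reference file are constructed for the example; on a real server the reference would be a file carrying the install time of the 2007-004 update, and the root would be the FTP root set in Server Admin.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists files under an FTP root
# whose mtime is later than a reference file's, optionally only those
# owned by a given group, as a first pass at "did anyone write somewhere
# they should not have been able to reach".

# changed_since REF ROOT [GROUP]
# Print regular files under ROOT modified after REF's mtime, sorted.
# -newer, -type and -group are POSIX find, so this runs on Tiger's BSD
# find as well as GNU find.
changed_since() {
    ref=$1; root=$2; grp=${3:-}
    if [ -n "$grp" ]; then
        find "$root" -type f -newer "$ref" -group "$grp" -print
    else
        find "$root" -type f -newer "$ref" -print
    fi | sort
}

# Same sweep, but only the number of hits (for quick triage or a check).
count_changed_since() {
    changed_since "$@" | wc -l | tr -d ' '
}

# Human-readable report: owner, group, size, mtime and path of each hit.
# Reads one path per line so paths with spaces (e.g. "FTP Mosh") survive.
report_changed_since() {
    changed_since "$@" | while IFS= read -r f; do ls -l "$f"; done
}

# Constructed fixture: an FTP root with one file touched before the
# assumed update time and one after, plus a sibling reference file that
# carries the assumed install time. All dates are made up for the example.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/pub" "$root/private"
    printf 'public notice\n' > "$root/pub/readme.txt"
    printf 'should have been out of scope\n' > "$root/private/notes.txt"
    touch -t 200704010900 "$root/pub/readme.txt"      # before the update
    touch -t 200705011200 "$root/private/notes.txt"   # after the update
    touch -t 200704200000 "$root.update-ref"          # assumed install time
    echo "$root"
}

# Usage: sh ftp-sweep.sh /path/to/reference-file "/Volumes/FTP root" [group]
# With fewer than two arguments, run against the constructed fixture.
if [ $# -ge 2 ]; then
    report_changed_since "$@"
else
    r=$(make_fixture)
    report_changed_since "$r.update-ref" "$r"
fi
```

Two caveats for reading the result: mtime can be rewritten by anyone who can write the file, so an empty list is weak evidence rather than proof; and browsing or downloading leaves no trace on disk at all, so for reads only the FTP service's own log, if logging was enabled, can help.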
  • Mike Matthews Level 1 Level 1 (10 points)
    Anyway, I noticed this problem just a few days ago by accident. Interestingly, in Server Admin the FTP service was turned off (I'm absolutely sure that it was ON). Can anyone confirm this?

    This happened to me.
  • tobias Eichner Level 3 Level 3 (570 points)
    This happened to me.

    Great (if the overall situation allows such a positive expression).

    So the chance is high that even an abusive user hasn't caused any damage, because ftp was simply not working.
  • guillaumegete Level 1 Level 1 (0 points)
    I tested it today, and indeed, the new update replaces the ftp.plist file with the right one.

    Good !