
FTP Security Disaster

It seems that either the 10.4.9 Server Upgrade or the recent security update has disastrously altered the behavior of FTP in my configuration.

While FTP users are still sent to their home directories at logon, they're now free to CWD to get above those directories.

Worse, FTP now apparently perceives "/" as being the root level of the boot drive of the server, rather than the FTPRoot configuration in the Server Admin app. This gives FTP users inappropriate access to files that are outside of any sharepoint.

These behaviors persist unchanged even if I unshare everything - i.e., FTP users have all this access even if there are no sharepoints configured. Given the default o=rx configuration of many of the directories at "/" in a conventional X Server installation, this is a nightmare.

Server Admin's "Advanced" settings for FTP now seem to have no effect whatsoever. Ironically, this means it's impossible to provide FTP users any access whatsoever to sharepoints. It makes no difference what I set up - the behaviors described above persist. I can even specify user home directories outside of any sharepoint and FTP will provide access to them. Failure to specify a home directory dumps the user at the root level of the server's boot drive, not the FTPRoot. My only control over any of it is to turn FTP off entirely, which of course I have, much to the distress of my users.

I note that the normal creation of symbolic links in "/Library/FTPServer/FTPRoot" has been somehow suspended. Nothing ever happens, regardless of how I change settings.

I don't use anonymous FTP, and so have no idea how that would impact this mess.

As I'm sure is obvious, I'm now way beyond my expertise. Questions, suggestions... anything at all would be welcome.

Thanks,
Bryan

G5 DP 2.5 ghz, etc., Mac OS X (10.4.9), OS X Server 10.4.9

Posted on Apr 20, 2007 4:41 PM

Question marked as Best reply

Posted on Apr 21, 2007 12:39 AM

Hi

I have other problems, ( http://discussions.apple.com/thread.jspa?threadID=933299&tstart=0 ) and I just tested, and I also have the same problems you are having (on 2 different servers)

So far, I can see, that the /system/library/launchdaemon/ftp.plist has changed from using the program xftpd to using the program ftpd.

I tried yesterday to change the plist and it seemed OK, but the new one (ftpd) was quicker so I reverted. BUT your discoveries will make me change the plist file back to pre 2007-004 security update.

Or, perhaps make all the config files as ftpd expects to find in the /etc/ lib. (try man ftpd)

This is my pre 2007-004 security update ftp.plist:

# cat pre.2007-004.ftp.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.xftpd</string>
<key>Program</key>
<string>/usr/libexec/xftpd</string>
<key>ProgramArguments</key>
<array>
<string>xftpd</string>
<string>-a</string>
</array>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SockPassive</key>
<true/>
<key>SockServiceName</key>
<string>ftp</string>
<key>SockType</key>
<string>SOCK_STREAM</string>
</dict>
</dict>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
</dict>
</plist>



The biggest disaster is that Apple wrote that the change from lukemftpd -> tnftpd wasn't an issue on OS X Server (perhaps they meant something other than what I understood)


33 replies

Apr 21, 2007 1:02 AM in response to Joakim Hartmann-Petersen

I have changed to the old plist. ACL (see my original thread) works and you can't cd / (well, you can, but you get what you expect - the root of your home)

I think everything is back by that change. I will however revert back just before the next update, to see, if Apple has made the error right again.

One thing I'm missing now: the logging to the ftp.log file. The new tnftpd could log login/transfer etc. to ftp.log, but the pre sec.upd. one can't.
Anybody?

Apr 21, 2007 1:53 AM in response to Joakim Hartmann-Petersen

Changing the ftp.plist file is a great solution. Thanks for that. I was already trying to create a ftpd.conf file in /etc to get ftpd working correctly. However, I wasn't having any immediate success. In any case, it seems like it was an oversight by Apple to only create one security update for both OS X 10.4.9 client and server. They are not equal. I hope nothing else was taken under as well.

Apr 21, 2007 4:34 PM in response to Joakim Hartmann-Petersen

Thanks, you're a lifesaver. I've been wrestling for the past couple of hours with this issue. I was migrating from Server 10.3.9 to Server 10.4.x, and I applied all the updates to get it to 10.4.9 before I noticed the FTP issue.

I thought it was just me. Fortunately I have more than one 10.4.x server handy; the other two are running 10.4.8.

Now that I think about it though, this is the second time to my knowledge that Apple has broken FTP. The last time was back in the 10.2 days, and it broke file sharing via FTP on 10.2.x client computers.

Anyway, thanks a bunch for posting that message. I've adjusted the ftp.plist to use xftp again, and all is well.

--
Bryan Vines


Lots of Macs

Apr 22, 2007 3:57 PM in response to Zach Marano

I don't consider editing the plist file a RESOLUTION of this topic.

- For one, while it does solve the root access problem, it still does not get users back into their Home Directory only. The Server Admin settings are still ignored.

Apple, me and my 150 paying web hosting customers are hoping you fix this soon.

Thanks,
Daniel Sofer
Hermosawave Internet

Apr 22, 2007 6:17 PM in response to R Bryan Harrison

Yes, this is a disaster. All the share points listed are poof gone. I can only suggest SFTP to folks now since this functionality is busted, which is NOT good.

I would have expected an update to the Admin Tool for the server side if they were making such a drastic change.

Personally, I'm seeing that I will now despise the iPhone due to what it's done to QA resources for OS X. This I think is the result. (great, and an October release of Leopard.. psssh)

Anyhow, I have yet to try the PLIST fix, but I think trolling through the man page for the new FTP server to fix this issue. I'll keep you all posted.

Apr 22, 2007 7:17 PM in response to webjedi

Yeah, there isn't a "resolution" here.

I think we're looking for why the ftpd is not accessing and utilizing files found here:

/Library/FTPServer/Configuration

ftpaccess is one of the big ones, since this is what defines what a major bit of the functionality of the ftpd server will follow, including permissions.

According to the tnftpd man page, it's looking for this:

FILES
/etc/ftpchroot            List of normal users whose root directory should be changed via chroot(2).
/etc/ftpd.conf            Configure file conversions and other settings.
/etc/ftpusers             List of unwelcome/restricted users.
/etc/ftpwelcome           Welcome notice before login.
/etc/motd                 Welcome notice after login.
/etc/nologin              If it exists, displayed and access is refused.
/var/run/ftpd.pids-CLASS  State file of logged-in processes for the tnftpd class `CLASS'.
/var/run/utmp             List of logged-in users on the system.
/var/log/wtmp             Login history database.


None of which exist after the update. Apple, what hath thou wrought?

Apr 22, 2007 9:55 PM in response to Daniel Sofer

While we can debate the semantics of the word "resolved" (and I agree Apple has resolved nothing), I do want to note one more time that with Joakim's backup "ftp.plist" and some fussing, I've been able to restore all the previous functionality of my configuration, including appropriate access to home directories and sharepoints.

The solutions I've found are inelegant enough to make me wince, but I'll describe them in detail if anyone cares. Of course, Server Admin's interface to WuFTP makes me wince as well - it's nearly as bad as its godawful DNS interface. And as so many people have noted over the years, WuFTP itself is a bit of a dog.

This particular mess is certainly infuriating, but given Apple's stated priorities with regard to the iPhone and OS X, I'll be pleasantly surprised if we see a fix anytime soon. In the meantime, I'm grateful for everyone's help as I have neither the time nor the inclination to replace WuFTP with a more elegant solution right now.

In general, I find OS X Server's evolution toward something that might actually live up to its hype to be extremely slow, its documentation to be so shallow as to be useless, and both the rate at which bugs are fixed and the frequency with which updates introduce new ones to be unfortunate... At best, it's always struck me as an adequate implementation of a great idea. I've been using it since its initial release, and have always thought it a real shame Apple doesn't assign it enough resources for it to fulfill its potential.

I often feel vaguely as though I'm having a long-term affair with a sweet, beautiful drunk. (Of course when I consider the alternatives, I have to concede that it's better than the norm, which seems more like being involved with a plug-ugly violent drunk.)

-Bryan

Apr 22, 2007 10:04 PM in response to Daniel Sofer

Well, it works here. Did you just change the program name??
Or did you revert to the original ftp.plist? (hint: there are more changes than just the name)
I have just tried changing the SA->FTP->Advanced and tried all 3 options.
FTP root and share points: FTP user started in home dir. CD / gave shares (FTP root is below one of the shares)
Home Dir With Shares: FTP users started in home dir. CD / still gave home dir and there was the link to FTPRoot where my shares were.
Home Dir only: FTP user started in home dir and there was a FTPRoot link but it didn't point anywhere (was left over from the previous test)

I can't see what's missing.
Please clarify

Apr 23, 2007 11:03 AM in response to Joakim Hartmann-Petersen

Hi Joakim:
Yes after I restarted, the mystery ftp server disappeared 🙂

After poking around with many iterations of the plist file, I was able to get the FTP server working properly again.

I think my problems were:
-- Copying your plist from the discussions page and pasting directly into the terminal -- when I pasted into BBEdit first , removed your comment line, reflowed and saved, and then pasted into terminal>pico -- it was happier.
-- Trying to start the server with the Server Admin instead of rebooting the entire server.

Okay, I can exhale now! Thanks for your help.

Daniel Sofer
Hermosawave Internet

Apr 25, 2007 5:51 AM in response to webjedi

Well, after I tested this, I can tell you what happened.

The 2007-004 Security Update replaced the ftp.plist in /System/Library/LaunchDaemons from Mac OS X server with the version from Mac OS X Client. There is no check in the installer if the update installs on client or Server, and it is the same update for both.

But, of course, FTP services on client and server are very different. With the client ftp.plist on the server, it is ftpd which is launched, not xftpd.

The solution is to replace the ftp.plist with a previous version from Mac OS X Server. If you don't have it, here is its content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.xftpd</string>
<key>Program</key>
<string>/usr/libexec/xftpd</string>
<key>ProgramArguments</key>
<array>
<string>xftpd</string>
<string>-a</string>
</array>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SockPassive</key>
<true/>
<key>SockServiceName</key>
<string>ftp</string>
<key>SockType</key>
<string>SOCK_STREAM</string>
</dict>
</dict>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
</dict>
</plist>

Restart the server (relaunching the FTP service is not enough), and you should be up and running.


MacBook Pro 1,8 GHz Core Duo Mac OS X (10.4.9)
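The two posts above (the Best reply and this one) pin the breakage on the launchd job in ftp.plist switching from xftpd to ftpd. The following audit, an added example and not code from the thread or from Apple, parses an ftp.plist with the standard-library plistlib and reports which daemon launchd would start, so an admin can detect the substitution after an update instead of discovering it from user reports. The server plist is the one posted in the thread; the client-style plist, its label com.apple.ftpd and the path /usr/libexec/ftpd are constructed assumptions, since the thread does not reproduce the client file.

```python
import plistlib

# Expected server job; label and program path come from the ftp.plist posted in this thread.
SERVER_LABEL = "com.apple.xftpd"
SERVER_PROGRAM = "/usr/libexec/xftpd"

# Constructed sample: the server ftp.plist as posted in the thread.
SERVER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.xftpd</string>
<key>Program</key><string>/usr/libexec/xftpd</string>
<key>ProgramArguments</key><array><string>xftpd</string><string>-a</string></array>
<key>Sockets</key><dict><key>Listeners</key><dict>
<key>SockPassive</key><true/><key>SockServiceName</key><string>ftp</string>
<key>SockType</key><string>SOCK_STREAM</string></dict></dict>
<key>inetdCompatibility</key><dict><key>Wait</key><false/></dict>
</dict></plist>
"""

# Constructed sample standing in for the client ftp.plist the update copied onto the
# server. The thread only says it launches ftpd; label, path and missing Program key are assumed.
CLIENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.ftpd</string>
<key>ProgramArguments</key><array><string>/usr/libexec/ftpd</string><string>-l</string></array>
<key>Sockets</key><dict><key>Listeners</key><dict>
<key>SockServiceName</key><string>ftp</string><key>SockType</key><string>SOCK_STREAM</string>
</dict></dict><key>inetdCompatibility</key><dict><key>Wait</key><false/></dict>
</dict></plist>
"""


def audit_ftp_plist(data: bytes) -> dict:
    # Parse the launchd job and report which daemon it starts. launchd uses
    # ProgramArguments[0] as the executable when no Program key is present.
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    findings = []
    if job.get("Label") != SERVER_LABEL:
        findings.append("Label is %r, expected %r" % (job.get("Label"), SERVER_LABEL))
    if program != SERVER_PROGRAM:
        findings.append("Program is %r, expected %r" % (program, SERVER_PROGRAM))
    listeners = job.get("Sockets", {}).get("Listeners", {})
    if listeners.get("SockServiceName") != "ftp":
        findings.append("job does not listen on the ftp service")
    return {"label": job.get("Label"), "program": program,
            "ok": not findings, "findings": findings}
```

On a live server the bytes would come from reading /System/Library/LaunchDaemons/ftp.plist; as the post notes, after restoring the file a full restart is needed for launchd to pick up the change.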
