FTP settings do not have an effect / FTP troubles
I still have trouble with the Isilon FTP service. Before I make changes at the customer site, I test them on a virtual Isilon cluster.
I want all users to be jailed inside their home directory when they connect via FTP. I do not want them to change to other directories. According to my understanding there is the option "chroot-local-mode" (and "chroot-exception-list").
But there is no difference if I switch it on/off or put some users in the exception list. All local users can view and edit all other user directories and of course the system directories above ifs (etc, ...) too.
I tried the hints from 000089716 and 000090006 but nothing worked for me. Here is the configuration:
test-1# isi ftp list
accept-timeout 60
allow-anon-access NO
allow-anon-upload NO
allow-dirlists NO
allow-downloads YES
allow-local-access YES
allow-writes YES
always-chdir-homedir NO
anon-chown-username root
anon-root-path /ifs/home/ftp
anon-umask 077
ascii-mode off
connect-timeout 60
data-timeout 300
dirlist-localtime NO
dirlist-names hide
file-create-perm 0666
local-root-path local user home directory
local-umask 077
server-to-server NO
session-timeout 300
user-config-dir
denied-user-list (none)
limit-anon-passwords NO
anon-password-list (disabled)
chroot-local-mode All local users chrooted; exception list inactive
chroot-exception-list (none)
What is going wrong there?
I tried some standard FreeBSD commands related to FTP configuration but nothing seems to work on the Isilon cluster. Of course, after every change I restarted the FTP service.
And another problem:
What do I have to change if I want to have /ifs/data as the standard home directory for some users? Through the WebUI I cannot use this path as the home directory for the local users. The error "Error #1: The requested home directory (/ifs/data/) is in use by someone else." appears.
Is there detailed documentation on which FTP commands and possibilities are supported by Isilon and which are not? The Command Reference and the Administration Guide are not helpful.
And - if I disable the FTP service - all local users can still connect via FTP and see all files?!
Go.Y
287 Posts
0
April 8th, 2014 02:00
For your first question, test the following settings:
always-chdir-homedir Yes
local-root-path local user home directory
chroot-local-mode All local users chrooted; exception list inactive.
For your second question: the settings are the same as above.
always-chdir-homedir Yes
local-root-path local user home directory
chroot-local-mode All local users chrooted; exception list inactive.
For the user you want to redirect to /ifs/data, do the following in addition:
・Delete the home directory and make a symbolic link to /ifs/data
For example, if you want to make user test2 and his home directory is /ifs/home/test2:
rm -rf /ifs/home/test2
ln -s /ifs/data /ifs/home/test2
I hope this will work for you.
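The three values suggested in the reply above can be checked against a saved `isi ftp list` listing. This is an added example, not part of the original posts or of Isilon's tooling; the function name `check_ftp_jail` is hypothetical, and the script assumes the listing has the "setting, whitespace, value" layout shown in the question.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes `isi ftp list` prints one
# "<setting> <value>" pair per line, as in the listing posted in the question.

# check_ftp_jail: read a listing on stdin and print one line for every setting
# that differs from the values suggested in the reply above.
# Exit status: 0 = all three match, 1 = at least one differs or is missing.
check_ftp_jail() {
    awk '
    BEGIN {
        # Suggested values, lower-cased for a case-insensitive comparison.
        order[1] = "always-chdir-homedir"; want[order[1]] = "yes"
        order[2] = "local-root-path";      want[order[2]] = "local user home directory"
        order[3] = "chroot-local-mode"
        want[order[3]] = "all local users chrooted; exception list inactive"
    }
    NF == 0 { next }
    {
        val = $0
        sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)   # strip the setting name
        sub(/[ \t.]+$/, "", val)               # strip trailing blanks or full stop
        have[$1] = val
    }
    END {
        bad = 0
        for (i = 1; i <= 3; i++) {
            k = order[i]
            if (!(k in have)) {
                printf "MISSING %s\n", k; bad = 1
            } else if (tolower(have[k]) != want[k]) {
                printf "DIFF %s: have \"%s\", want \"%s\"\n", k, have[k], want[k]; bad = 1
            }
        }
        exit bad
    }'
}

# Three lines taken from the listing in the question; on a cluster the input
# would be:  isi ftp list | check_ftp_jail
check_ftp_jail <<'EOF' || echo "listing differs from the suggested settings"
always-chdir-homedir NO
local-root-path local user home directory
chroot-local-mode All local users chrooted; exception list inactive
EOF
```

A clean result only shows that the configured values match the suggestion. Whether the jail is actually enforced still has to be confirmed by logging in as a local user, which is the behaviour the question reports as failing.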
philippspohr
107 Posts
0
April 10th, 2014 07:00
Hi go.y,
thank you for the workaround with symbolic links. That could be one solution. But I think this is not the final solution.
Yesterday I worked on an Isilon cluster on which a lot of local user home directories pointed to /ifs/data without symbolic links. I do not know how it was done, but I checked it in the WebUI and there the home directory path /ifs/data was configured.
Does anybody know how it was done? Every time I try to change the home directory path from /ifs/home/username to /ifs/data, the error I mentioned above appears. And I get the same error if I try to change the home directory path through the CLI.
I think there must be another solution for that.
Peter_Sero
1.2K Posts
0
April 10th, 2014 08:00
Philipp:
set the home directory naming to "/ifs/data" (no %U) for the LOCAL provider,
then create users at the LOCAL provider,
just leave the home dir blank: it will be set to /ifs/data
(maybe choose a less generic path other than /ifs/data to prevent any collisions)
hth
-- Peter
philippspohr
107 Posts
1
April 15th, 2014 07:00
I found a solution to change the home directory despite the error. The solution is the force parameter (-f) of the CLI command. The behavior is explained in the KB article https://support.emc.com/kb/88936 for new users. But it also works with existing users and directories.
I think this is the right solution for my problem and better than using symbolic links.