ftp: can create folder but not access

[timypcr]

I’m having trouble setting up an ftp account. I create a dataset dedicated for FTP, a user “ftpuser1” and a home directory for that user (chroot enabled)


FreeNAS-9.10-STABLE (see screen shots)


I open FileZilla and connect using the FreeNAS internal IP (no NAT or anything like that)

I am able to login no problem and also create a directory, but I am not able to access any folder I create, when trying to do so “Failed to retrieve directory listing”


FileZilla log


Status: Connecting to 192.168.4.239:21...

Status: Connection established, waiting for welcome message...

Status: Insecure server, it does not support FTP over TLS.

Status: Logged in

Status: Retrieving directory listing...

Status: Directory listing of "/" successful

Status: Creating directory '/test'...

Status: Retrieving directory listing of "/test"...

Command: CWD test

Response: 550 test: No such file or directory

Error: Failed to retrieve directory listing



(I’ve tried this in an alternative ftp client such as CarotDAV but the results are the same)



Any suggestions would be greatly appreciated.

tim

 

[Robert Trevellyan]

Any suggestions would be greatly appreciated.

Enable SSH and use SFTP instead.

 

[timypcr]

Yes ssh works without issue, i was planing on setting up ftp/tls to secure the encryption and ran into the issue I posted about. I suppose for outside access sftp vs ftps will serve the same purpose in regards to encrypting the traffic, just want to know whats wrong with my ftp setup as I am still learning freenas.

 

[Robert Trevellyan]

I understand the need to know, I just see no point in investing effort in solving issues with FTP when SFTP is better in every way.

 

[timypcr]

So what's the best way to chroot ssh users with sftp-only access and restrict them to there home folder while still allowing administrators to login over ssh and still use a shell? Should non-admin user accounts be running in a jail?

 

[SweetAndLow]

Who owns the /mnt/ypcr/ftp directory and what are its permissions? Looks like you are missing read permissions on that directory for your user.

 

[timypcr]

/mnt/ypcr/ftp is owned by root (screen shot attached) could this be why sub folder access is not working after creation? I wanted to have multiple users locked into there home folder, so would I need to create an ftp-only group and assign it full permissions? I have tried doing this on the command line using the ftpuser1 group that was created when the ftpuser1 account was setup.

chown -R ftpuser1:ftpuser1 /mnt/ypcr/ftp/ftpuser1

what would you suggest to get each account working only within it's own home folder SweetAndLo.

tim

 

[diedrichg]

Create a dataset for ftp users. Create a nested dataset within the ftp dataset for each user. Set their home folder as that nested dataset. Set them as the owner. That will lock them in the dataset so they can't wander around the rest of the system.

 

[timypcr]

I've also tried creating a group ftp-only (full access) and adding ftpuser1 to it, same issue. diedrichg I'll give your suggestion a go next. thanks eveyone

 

[diedrichg]

This works. Give it a try.

User settings

FTP main dataset owner /mnt/dvgmar/guests

Nested dataset for the FTP user /mnt/dvgmar/guests/maurice

 

[SweetAndLow]

When you first login over ftp you are in the directory that you specify as the ftp root under the ftp service settings. I think you are just in the wrong directory when you are doing stuff. I think for some of your tests you are in the root and others you are in the users directory. The screen shot where you showed that /mnt/ycpr/ftp is set for 777 permissions will allow you to ftp in and run a mkdir and cd into that directory. If you say it doesn't work that is because you are in the wrong directory.

But you probably don't want all users to use the same directory do you? So you should change the ftp data set back to root:wheel and 755 then create user directories for everyone with permissions of 700. This will prevent people from writing to root of the ftp and only allow them to write to their directory and not see what other people have in their directories.

 

[Robert Trevellyan]

what's the best way to chroot ssh users with sftp-only access and restrict them to there home folder while still allowing administrators to login over ssh and still use a shell?

This looks useful: https://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP