[BlueOnyx:23082] Re: CushyCMS and ProFTPD

Ken Hohhof khohhof at kwom.com
Fri Aug 2 13:45:17 -05 2019 

This is probably a question for Michael.

I see on the server files that seem to be saved copies of the old
proftpd.conf, prior to yum updates:

-rw-------   1 root root      6155 Nov 16  2014 proftpd.conf.pre-1.3.5
-rw-------   1 root root     11618 Jul 24 06:00 proftpd.conf.pre-1.3.5e

The first one from 2014 does not have any of the entries that Tobias
mentions.  But the second one from a couple weeks ago has a bunch of entries
like this:

<VirtualHost 69.49.197.198>
                DefaultRoot             / wheel
                DefaultRoot             / admin-users
                DefaultRoot             ~/../../.. site-adm
                DefaultRoot             ~ !site-adm
                AllowOverwrite  on
                DefaultChdir    /web
                DisplayLogin    .ftphelp
</VirtualHost>

<VirtualHost 69.49.197.188>
                DefaultRoot             / wheel
                DefaultRoot             / admin-users
                DefaultRoot             ~/../../.. site-adm
                DefaultRoot             ~ !site-adm
                AllowOverwrite  on
                DefaultChdir    /web
                DisplayLogin    .ftphelp
</VirtualHost>

Currently my proftpd.conf has no VirtualHost containers at all.  It looks
like they appeared in 2014, and went away again in 2019.

I had RaQ, RaQ3, RaQ550, BlueQuartz and now BlueOnyx.  Through those 20
years, I always thought ftp users would have to cd to the /web directory.  I
think for a brief period I modified the DefaultRoot so siteadmins would
start out in the site web directory rather than their home directory, but
stopped that, I think because it would get blown away after updates.

So did something change in 2014?  I'm not sure if it was DefaultChdir as
mentioned by Tobias, or DefaultRoot, or both?  And did this get broken in
the recent update?  Or is it just my server?  If those VirtualHost entries
are supposed to be there, is there a script I can run to get them back?

-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Tobias
Gablunsky
Sent: Friday, August 2, 2019 9:41 AM
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:23078] Re: CushyCMS and ProFTPD

Hi Ken,

have you checked if the entra
"DefaultChdir            /web"
is still included in your /etc/proftpd.conf (resp. /etc/proftpds.conf)?

This is the entry needed for changing directory to /web by default. Maybe
this has changed through the update of proftpd?

Regards,
Tobias


> -----Original Message-----
> From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of 
> Ken Hohhof
> Sent: Friday, August 02, 2019 2:48 PM
> To: 'BlueOnyx General Mailing List' <blueonyx at mail.blueonyx.it>
> Subject: [BlueOnyx:23076] Re: CushyCMS and ProFTPD
> 
> It sounds like there was a genuine vulnerability that was fixed, so 
> I'm reluctant to roll back the update in order to accommodate one
customer.
> 
> Yesterday I signed up for a free Cushy account so I could reproduce 
> and troubleshoot the problem.  To my surprise ... no problem!
> 
> Here's my best guess, I think the customer's web designer who set up 
> the CMS probably used / as the path, while I used /web.  And perhaps 
> this was causing Cushy to explore directories not owned by the 
> siteadmin, like maybe php.d.
> 
> That still leaves the mystery of what changed in ProFTPd, because this 
> was working since 2016.  But I'm hoping the customer does not have the 
> path set to  /web, and that changing it will resolve the problem for 
> her.  (Note that I suspect the web designer has a branded pro account 
> from Cushy and the customer is just enrolled as an editor of her site 
> and therefore can't see or change the configuration.)
> 
> Web designers can be difficult to deal with.  They are artists!  And 
> hosting is just a commodity, low skill work by vendor scum who can be 
> replaced with the snap of a finger.
> 
> -----Original Message-----
> From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of 
> Michael Stauber
> Sent: Thursday, August 1, 2019 1:09 PM
> To: blueonyx at mail.blueonyx.it
> Subject: [BlueOnyx:23063] Re: CushyCMS and ProFTPD
> 
> Hi Ken,
> 
> > Since the problem started with the ProFTPd bugfix, I'm starting to 
> > wonder if CushyCMS uses the site cpfr and site cpto commands.  That 
> > seems unlikely, but I can't know for sure without signing up for a 
> > CushyCMS account myself to try it.  The only other explanation I can 
> > think of is that the bugfix had some unanticipated consequences or
> collateral damage.
> 
> Yeah, it sure is related to the update. The ProFTPd we're using now is 
> a "release candidate" and I also observed that it does a few things 
> slightly different than the last stable version that we were using. 
> The code maturity seems to have dropped a notch or two.
> 
> I don't have any other or better solution at the moment, sorry. But 
> perhaps you might temporarily go back to the last ProFTPd version that 
> worked for you?
> 
> If so, please do this:
> 
> rpm -e --nodeps proftpd
> rm /etc/proftpd.conf
> rm /etc/proftpds.conf
> 
> That removes ProFTPd. Then you can grab the last good one. As I don't 
> know which version of BlueOnyx you're using I'll be pointing you to 
> the RPMs of the individual BlueOnyx versions:
> 
> 5209R:
> 
> http://updates.blueonyx.it/pub/BlueOnyx/5200R/el7/blueonyx/x86_64/RPMS
> /pro
> ft
> pd-1.3.5e-1BX7.x86_64.rpm
> 
> 5208R:
> 
> http://updates.blueonyx.it/pub/BlueOnyx/5200R/el6/blueonyx/x86_64/RPMS
> /pro
> ft
> pd-1.3.5-1BX5.x86_64.rpm
> 
> 5207R:
> 
> http://updates.blueonyx.it/pub/BlueOnyx/5200R/el6/blueonyx/i386/RPMS/p
> roft
> pd
> -1.3.5-1BX5.i386.rpm
> 
> Install the RPM of ProFTPd applicable to your BlueOnyx version this way:
> 
> rpm -hUv <URL>
> 
> Then restart CCEd and xinetd:
> 
> /usr/sausalito/sbin/cced.init restart
> service xinetd restart
> 
> To prevent YUM from updating ProFTPd again please edit /etc/yum.conf 
> and find the lines that look like this:
> 
> ## start-yum-gui
> exclude=
> ## stop-yum-gui
> 
> Change it to this:
> 
> ## start-yum-gui
> exclude=proftpd
> ## stop-yum-gui
> 
> You actually can edit that via the GUI, too. It's under "Software Updates"
> /
> "YUM Updater" and in the "Settings" tab there is the form field 
> "Exclude these RPMS". Instead of editing /etc/yum.conf you can 
> directly write "proftpd" (without quotes) into that formfield to have 
> it excluded from YUM Updates.
> 
> --
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
> 
> 
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx


_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx

More information about the Blueonyx mailing list