Bug 258730 - net-ftp/proftpd-1.3.2_rc2-r2 - limiting allowed commands with AllowAll does not work as expected
Summary: net-ftp/proftpd-1.3.2_rc2-r2 - limiting allowed commands with AllowAll does n...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
: High minor
Assignee: Bernd Lommerzheim
URL:
Whiteboard:
Keywords:
: 258735
Depends on:
Blocks:
 
Reported: 2009-02-12 14:15 UTC by Andreas Schaller
Modified: 2011-08-11 08:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Andreas Schaller 2009-02-12 14:15:29 UTC
Recently I made an update of Proftpd from release 1.3.1 to release 1.3.2_rc2-r2. Everything worked fine, like emerging, starting & stopping the service.
We made a global rule to first DenyAll commands and afterwards allow specific commands for each directory on its own.
After 2 days a colleague of mine found out that he can't send a few commands like "PWD or RMDIR" but they are permitted on the given directory.
Somehow, I don't know why, this rule does not work correctly anymore.

I've created a rule like the following for testing:

# Disable all ftp commands
<Limit ALL>
 DenyAll
</Limit>

# Enable cd, ls, rename and pwd
<Limit CDUP PWD CWD LIST NLST RNFR RNTO TYPE>
  AllowAll
</Limit>

# Enable put and mkdir
<Directory /ftp/test>
 <Limit STOR STOU RETR DELE PWD RMD>
 AllowAll
 </Limit>
</Directory>

As you can see, the directory /ftp/test allows PWD, RMDIR, DELETE and so on but not MKDIR.
The strange thing now is, if I connect via FTP and I want to create a subdirectory in the /ftp/test directory, it is possible.
If I send a PWD I get Permission Denied.

I also tried to change the config to AllowAll commands at the beginning and afterwards deny every command I don't need for the specific directory, but it is the same thing here.

Any help would be greatly appreciated.

Thanks in advance and Regards,
Andreas S.

Reproducible: Always

Steps to Reproduce:
1. emerge latest Proftpd release 1.3.2_rc2-r2
2. set up the config like I mentioned in the description before
3. run a test

Actual Results:  
Commands which shouldn't work are working and some that should work stopped working.

Expected Results:  
Work correctly and allow only those commands I permit.

Output from: metadata.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<herd>net-ftp</herd>
<maintainer>
        <email>chtekk@gentoo.org</email>
        <name>Luca Longinotti</name>
</maintainer>
<longdescription>ProFTPD grew out of the desire to have a secure and
configurable FTP server, and out of a significant admiration of the Apache web
server.</longdescription>
<use>
        <flag name='authfile'>Enable support for the auth-file module</flag>
        <flag name='ban'>Enable support for the mod_ban module</flag>
        <flag name='case'>Enable support for the mod_case module</flag>
        <flag name='deflate'>Enable support for the mod_deflate module</flag>
        <flag name='ifsession'>Enable support for the ifsession module</flag>
        <flag name='noauthunix'>Disable support for the auth-unix module</flag>
        <flag name='opensslcrypt'>Enable support for OpenSSL crypto</flag>
        <flag name='rewrite'>Enable support for the rewrite module</flag>
        <flag name='shaper'>Enable support for the mod_shaper module</flag>
        <flag name='sitemisc'>Enable support for the sitemisc module</flag>
        <flag name='softquota'>Enable support for the quotatab module</flag>
        <flag name='vroot'>Enable support for the virtual root module</flag>
</use>
</pkgmetadata>
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-12 18:07:31 UTC
1) This isn't a major bug in any way. It even looks like a workaround in the config should be easy to produce.

2) metadata.xml contains publicly available information so why post it here?

3) Your `emerge --info' would have been a lot more useful.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-12 18:08:41 UTC
*** Bug 258735 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Schaller 2009-02-13 10:49:32 UTC
(In reply to comment #0)

Update:

emerge --info:

Portage 2.1.6.4 (default/linux/x86/2008.0/server, gcc-4.1.2, glibc-2.6.1-r0, 2.6.27-gentoo-r8 i686)
=================================================================
System uname: Linux-2.6.27-gentoo-r8-i686-AMD_Opteron-tm-_Processor_252-with-glibc2.0
Timestamp of tree: Thu, 12 Feb 2009 12:45:02 +0000
app-shells/bash:     3.2_p39
dev-lang/python:     2.4.4-r14, 2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.63
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=opteron -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=opteron -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://212.24.114.73/"
LDFLAGS="-Wl,-O1"
LINGUAS="en_GB en_US en"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://212.24.114.73/gentoo-portage"
USE="acl apache2 berkdb bzip2 cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog ldap mailwrapper midi mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session snmp spl ssl sysfs tcpd truetype unicode x86 xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_GB en_US en" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 4 Christian Birchinger (RETIRED) gentoo-dev 2009-02-25 22:57:04 UTC
This is probably the same as:

https://bugs.gentoo.org/show_bug.cgi?id=238762#c16
Comment 5 Christian Birchinger (RETIRED) gentoo-dev 2009-02-25 23:05:26 UTC
At least my bug (https://bugs.gentoo.org/show_bug.cgi?id=238762#c16) is still present in net-ftp/proftpd-1.3.2 (final)
Comment 6 Andreas Schaller 2009-02-26 13:39:15 UTC
Are there any Workarounds?

Comment 7 TJ Saunders 2009-06-30 02:20:33 UTC
The workaround is to add XPWD to your <Limit> list which allows the PWD command.

This behavior is a result of:

  http://bugs.proftpd.org/show_bug.cgi?id=3077

In this case, proftpd first checks the limits against PWD (which passes).  Then it checks against XPWD (which fails).  It's debatable what the right behavior here is, given the fact that some FTP clients use the X-variant commands and some don't; many admins do not know of the X-variants.
Comment 8 Bernd Lommerzheim 2011-08-11 08:13:44 UTC
This issue was fixed in ProFTPD 1.3.3rc3 (see solution below) which was released over 18 months ago and hence I close this bug report. Please reopen if there is still a problem. Thanks.

"When parsing <Limit> sections, look for the CDUP, MKD, PWD, and RMD commands
(and their X-variants).  If we see one of the commands, automatically add its
counterpart to the list."
-- http://bugs.proftpd.org/show_bug.cgi?id=3077
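The workaround in comment 7 and the 1.3.3rc3 fix quoted in comment 8 come down to one rule: a <Limit> that names CDUP, MKD, PWD or RMD must also name its X-variant (XCUP, XMKD, XPWD, XRMD), and vice versa, otherwise a client that sends the X-form is judged against a list the admin never meant to apply to it. The following Python script is an added example, not ProFTPD code and not part of this bug report: it audits the <Limit ...> lines of a proftpd.conf for missing counterparts (the check an admin on a pre-1.3.3rc3 build would want) and can rewrite them the way the fixed parser does at load time. The sample config is constructed to mirror the one in the description; the function names are this example's own.

```python
"""Audit proftpd <Limit> command lists for missing X-variant counterparts.

Added example for Gentoo bug 258730 / proftpd bug 3077; not ProFTPD code.
"""
import re
import sys

# Command pairs named in the ProFTPD 1.3.3rc3 fix: RFC 959 command and its
# RFC 775 X-variant. Either spelling implies the other for <Limit> purposes.
COUNTERPARTS = {
    "CDUP": "XCUP", "XCUP": "CDUP",
    "MKD": "XMKD", "XMKD": "MKD",
    "PWD": "XPWD", "XPWD": "PWD",
    "RMD": "XRMD", "XRMD": "RMD",
}

# A <Limit ...> opening tag on a line of its own; group 1 keeps the indent,
# group 2 the whitespace-separated command list (may include groups like ALL).
LIMIT_OPEN = re.compile(r"^(\s*)<Limit\s+([^>]*)>\s*$", re.IGNORECASE)

# Constructed sample, modelled on the configuration posted in the description.
SAMPLE_CONFIG = """\
# Disable all ftp commands
<Limit ALL>
 DenyAll
</Limit>

# Enable cd, ls, rename and pwd
<Limit CDUP PWD CWD LIST NLST RNFR RNTO TYPE>
  AllowAll
</Limit>

<Directory /ftp/test>
 <Limit STOR STOU RETR DELE PWD RMD>
 AllowAll
 </Limit>
</Directory>
"""


def missing_counterparts(commands):
    """Return the counterparts that a <Limit> command list names only half of.

    Order follows the original list so the report is stable; duplicates and
    case differences in the input are tolerated.
    """
    present = {c.upper() for c in commands}
    missing = []
    for cmd in commands:
        partner = COUNTERPARTS.get(cmd.upper())
        if partner and partner not in present and partner not in missing:
            missing.append(partner)
    return missing


def audit_limits(config_text):
    """Return (line_number, commands, missing) for every incomplete <Limit>."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = LIMIT_OPEN.match(line)
        if not m:
            continue
        commands = m.group(2).split()
        missing = missing_counterparts(commands)
        if missing:
            findings.append((lineno, commands, missing))
    return findings


def complete_limits(config_text):
    """Rewrite each <Limit ...> line so every listed command brings its counterpart.

    This mirrors what the 1.3.3rc3 parser does internally; emitting it into
    the file is the explicit workaround from comment 7, applied to all pairs.
    """
    out = []
    for line in config_text.splitlines():
        m = LIMIT_OPEN.match(line)
        if m:
            indent, commands = m.group(1), m.group(2).split()
            line = f"{indent}<Limit {' '.join(commands + missing_counterparts(commands))}>"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python limit_audit.py [/etc/proftpd/proftpd.conf]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for lineno, commands, missing in audit_limits(text):
        print(f"line {lineno}: <Limit {' '.join(commands)}> lacks {' '.join(missing)}")
```

The audit only looks at <Limit> opening tags that sit on a single line and does not evaluate nesting, <Directory> scoping or AllowAll/DenyAll precedence; it answers the one question this bug raises, whether a list treats a command and its X-variant differently.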