ProFTPd | limit -> AllowGroup | User/Group names rather than UID/GID numbers

imax

Hi.

I have difficulty setting the AllowGroup directive in the Limit context. My config:


/etc/proftpd.conf

Code:
ServerName		"ProFTPd"
ServerType          	standalone

Port			21
PassivePorts		35000 35999
UseReverseDNS		off
TimesGMT		off
TimeoutLogin		120
TimeoutIdle		600
TimeoutNoTransfer	900
TimeoutStalled		3600

ScoreboardFile			/var/run/proftpd/proftpd.pid

TransferLog		/var/log/proftpd/xferlog.legacy
LogFormat		default "%h %l %u %t \"%r\" %s %b"
LogFormat		auth    "%v [%P] %h %t \"%r\" %s"
LogFormat		write   "%h %l %u %t \"%r\" %s %b"

#DON'T modify this log format.  Its used by DirectAdmin to determine user usage
LogFormat		userlog "%u %b %m"
ExtendedLog		/var/log/proftpd/188.40.117.200.bytes WRITE,READ userlog

AuthUserFile                    /etc/proftpd.passwd
DefaultServer		on
AuthOrder mod_auth_file.c

#AuthPAM off

<IfModule mod_tls.c>
	TLSEngine on
	TLSLog /var/log/proftpd/proftpd.tls.log
	TLSProtocol TLSv1
	TLSVerifyClient off
	TLSRequired off
	
	#Certificates
	TLSRSACertificateFile /etc/exim.cert
	TLSRSACertificateKeyFile /etc/exim.key
	#TLSCACertificateFile /etc/ftpd/root.cert.pem

	TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
</IfModule>

<Global>
	PassivePorts            35000 35999
	DeferWelcome		on

	RequireValidShell	no

	DefaultRoot		~
	DirFakeUser on ftp
	DirFakeGroup on ftp

	User			ftp
	Group			ftp
	#UserAlias		anonymous ftp

	AllowStoreRestart	on
	AllowRetrieveRestart	on

	ListOptions		-a

	Umask			022
	DisplayLogin		welcome.msg
	DisplayChdir		readme
	AllowOverwrite		yes
	IdentLookups		off
	ExtendedLog		/var/log/proftpd/access.log WRITE,READ write
	ExtendedLog		/var/log/proftpd/auth.log AUTH auth
	
	#
	# Paranoia logging level....
	#
	#ExtendedLog    /var/log/proftpd/paranoid.log ALL default

<Limit LOGIN>
DenyGroup 113
DenyGroup imax 
</Limit>

</Global>

Include /etc/proftpd.vhosts.conf

/etc/proftpd.vhosts.conf is empty

Explanation of the problem:

Code:
<Limit LOGIN>
# 113 is GID of admin's group, this is working (I can't login)
DenyGroup 113
# existing group name, not working (I can login)
DenyGroup imax
</Limit>

I know I can use GIDs, but I want to know why I can't use names?

Thanks in advance.
 
DenyGroup specifies a group-expression that is specifically denied within the context of the <Limit> block it is applied to. group-expression has the same format as that used in DefaultRoot, in that it should contain a comma separated list of groups or "not" groups (by prefixing a group name with the `!' character) that are to be denied access to the block.

http://proftpd.org/docs/directives/linked/config_ref_DenyGroup.html
 
GIDs are not allowed to be used. Are you a member of the imax group? In your example, members of group imax are not allowed to login, but others are allowed.
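To check the membership question raised in the last reply, the sketch below (an added example, not part of the thread and not ProFTPD code) resolves the group names an account maps to and evaluates a group-expression in the format quoted from the DenyGroup documentation. It assumes passwd(5)/group(5)-style auth files, treats the comma-separated terms as a boolean AND as ProFTPD's DefaultRoot documentation describes, matches names only, and uses constructed sample data and hypothetical helper names.

```python
# Added example: sample data and helper names are constructed, not from the thread.
PASSWD = """\
imax:$1$constructed$hash:1001:1001::/home/imax:/bin/false
admin:$1$constructed$hash:1000:113::/home/admin:/bin/false
"""
GROUP = """\
admin:x:113:
imax:x:1001:
staff:x:2000:imax,admin
"""

def _records(text):
    """Yield non-empty, non-comment lines of a passwd/group-style file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_passwd(text):
    """Map user name -> primary GID (fields: name:pw:uid:gid:...)."""
    return {f[0]: int(f[3]) for f in (l.split(":") for l in _records(text))}

def group_names(user, users, group_text):
    """Group NAMES the user resolves to: primary GID match or member list."""
    names = set()
    for line in _records(group_text):
        name, _pw, gid, members = line.split(":", 3)
        if int(gid) == users[user] or user in filter(None, members.split(",")):
            names.add(name)
    return names

def expr_matches(expression, names):
    """Comma-separated terms, '!' negates; every term must hold (assumed AND)."""
    terms = [t.strip() for t in expression.split(",") if t.strip()]
    return bool(terms) and all(
        (t[1:] not in names) if t.startswith("!") else (t in names)
        for t in terms)

def login_denied(user, expression, passwd=PASSWD, group=GROUP):
    """True if a DenyGroup expression would match this user's group names."""
    return expr_matches(expression, group_names(user, parse_passwd(passwd), group))

if __name__ == "__main__":
    for user in ("imax", "admin"):
        print(user, sorted(group_names(user, parse_passwd(PASSWD), GROUP)),
              "denied by 'imax':", login_denied(user, "imax"))
```

If the group data has no entry that maps the account to the name used in the expression, the name can never match, which is the first thing to rule out when a name-based rule appears to be ignored.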
 