Anonymous
Aug 28, 2016
FTP 'Home Folder' Directory access for all?
I've recently factory reset a RN316 on OS 6.5.1 and I've enabled FTP access on OS 6.5.1 using this with Authentication Mode as 'user', however it does not set location of the FTP user home folder cor...
Anonymous
Aug 28, 2016
Has anyone used TFTP Server - can it be used with Home Folders? Is it configurable (IP black/white lists, retry attempt count, link IP per user account, etc.)?
Anonymous
Aug 28, 2016
I found the issue with ProFTPD giving full access to ALL the user home folders....
This is from a factory reset of OS 6.5.1 and by default (when FTP is enabled), ProFTPD has the /etc/frontview/proftpd/User.conf set as follows:
    DefaultRoot /var/ftp
    RequireValidShell off
    Include /etc/frontview/proftpd/Shares.conf
It should have been (to give the logged on user only their home folder access):
    DefaultRoot ~
However, FTP access on normal Shares is broken when Home Folder FTP access is enabled...either way with DefaultRoot ~ and DefaultRoot /var/ftp (i.e. you can't access Home Folder AND normal Shares when FTP is enabled for both, it's either one or the other and you have to disable Home Folder FTP access to access Normal Share FTP access) - this is not a very good implementation of FTP for OS 6.5.1 :(
(I haven't found a workaround/fix for this yet, since Idk how Shares.conf is managed for the normal shares, and why the Home (DefaultRoot) would not allow other shares when enabled through the UI...)
There is also a possible issue with changing FTP settings (enabling/disabling FTP shares, etc.): you have to turn off/on the FTP service from the System -> Settings UI to update the settings....if this is the case, it's a big pain in the *** when making changes and not known, otherwise an inconvenience and a poor way to manage the UI FTP settings.
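The DefaultRoot difference described in this post can be checked mechanically. The following is an added example, not code from the thread or from NETGEAR: it walks a ProFTPD configuration, follows Include lines, and classifies each DefaultRoot as a per-user jail or a tree shared by every login. The function names are hypothetical, and the Shares.conf contents are a constructed placeholder because the page does not show them.

```python
# Added example: audit how DefaultRoot confines FTP logins.
# SAMPLE_FILES is constructed: User.conf is quoted from the post; the real
# contents of Shares.conf are not shown on the page, so a placeholder is used.
SAMPLE_FILES = {
    "/etc/frontview/proftpd/User.conf": (
        "DefaultRoot /var/ftp\n"
        "RequireValidShell off\n"
        "Include /etc/frontview/proftpd/Shares.conf\n"
    ),
    "/etc/frontview/proftpd/Shares.conf": "# placeholder (constructed)\n",
}


def directives(path, files, seen=None):
    """Yield (file, line_no, name, args), following Include directives."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return  # avoid Include loops and skip files we were not given
    seen.add(path)
    for line_no, raw in enumerate(files[path].splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "include" and args:
            yield from directives(args[0], files, seen)
        else:
            yield path, line_no, name, args


def audit_default_root(path, files):
    """Return one finding per DefaultRoot, or a 'no-chroot' finding if none."""
    findings = []
    for file, line_no, name, args in directives(path, files):
        if name == "defaultroot" and args:
            # "~" jails each login to its own home; any other path is a
            # single tree shared by every login that matches the directive.
            verdict = "per-user" if args[0].startswith("~") else "shared"
            findings.append((file, line_no, args[0], verdict))
    return findings or [(path, 0, None, "no-chroot")]


if __name__ == "__main__":
    for finding in audit_default_root("/etc/frontview/proftpd/User.conf", SAMPLE_FILES):
        print(finding)
```

A "shared" finding is the condition the post reports: every authenticated user lands in the same tree, so isolation then depends entirely on file permissions and per-directory limits beneath it.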
- Anonymous Aug 30, 2016
Is there any documentation on the way Netgear ReadyNAS OS 6.5.1 FTP works?
I wanted to clarify, specifically, if FTPS = FTP via SSL-TLS?
I also wanted to clarify if that is different to SFTP?
I've found the following circumstances, and just wanted some clarity on it:
1) on the NAS-FrontView, I've enabled FTP with 'Enabled Forced FTPS'
2) I've enabled FTP access on the Home Folders
3) I then use Filezilla, with a non admin username and it logs in correctly to the correct folder, working fine, etc.
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful
...and for user account SSH enabled:
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Status: Directory listing of "/" successful
(note: idk where the welcome.msg file should be stored for the NAS, the default proftpd locations don't work :()
4) Using Filezilla with the admin account works fine too - it logs into /home/admin/
5) But then I try to mount a share on a client machine using an SFTP mount point: the non-admin username fails and the admin username accesses the whole NAS like root access (/)....
6) I enable SSH -> 'allow shell access' on each user account, and the client machine SFTP mount point works fine per user account and in the correct /home/ folder....and I believe admin SFTP also mounts to /home/admin/
I'm a little confused - FileZilla uses TLS to access the correct home folder without enabling SSH on the user account on the NAS, yet mounting the share on a client machine using SFTP doesn't work until I enable SSH on the user account....admin works either way except it accesses as root via SFTP mount on the client machine...unless I enable SSH on a user account, then admin works like a normal user account (i.e. /home/admin/ is accessed).
- Anonymous Aug 30, 2016
I've just used an SFTP mounting program (DirectNet Drive) on a Windows PC and, if the NAS has SSH enabled on a normal user account (with SSH enabled service), and FTP enabled, it gives an error when trying to connect; however, FileZilla still has access to the user's home folder using TLS.
But when enabling FTP access on the Home Shares, the user has access to the root (/) folder....
using sftp://<username>:<password>@<ip>:22/
I believe this is a major security flaw in how OS 6.5.1 Frontview configures ProFTPD when FTP is enabled and SSH access is enabled for a normal (non-admin) user. It should restrict folder access based on the user's home folder only and not allow any user access to root folder (/) ....root user being the exception (since console access is always logged in as root, so admin username should also be restricted to their home folder).
- StephenB Aug 30, 2016 Guru - Experienced User
Retired_Member wrote:
I wanted to clarify, specifically, if FTPS = FTP via SSL-TLS?
I also wanted to clarify if that is different to SFTP?
FTPS is a different protocol from SFTP. SFTP uses SSH, but FTPS uses SSL. https://en.wikipedia.org/wiki/FTPS
If you are just wanting encrypted FTP then use FTPS with the NAS.
Retired_Member wrote:
Status: Server sent passive reply with unroutable address. Using server address instead.
This line in particular is a FileZilla feature, not a problem. FTP and FTPS send the IP address of the data channel in the control channel. That creates a problem if the server is behind a NAT router - which you usually need masquerading to fix. But masquerading creates a connectivity problem on the local LAN. So FileZilla and some other clients detect that the IP address for the data channel is not routable, and simply substitute the sender IP address from the IP address header instead.
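The client-side substitution described in this reply can be sketched as follows. This is an added example, not FileZilla's code and not part of the original thread: it parses a 227 passive-mode reply and, when the advertised data address is unroutable while the control connection's peer is not, uses the peer address instead. The function names, the list of ranges treated as unroutable, and the sample replies in the comments are assumptions constructed for the example.

```python
import ipaddress
import re

# Ranges treated as "unroutable" here: RFC 1918 private space, loopback
# and link-local. This list is an assumption of the example.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
PASV_RE = re.compile(
    r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def is_unroutable(addr):
    """True if addr falls in one of the ranges listed above."""
    return any(addr in net for net in UNROUTABLE)


def parse_pasv(reply):
    """Parse '227 ... (h1,h2,h3,h4,p1,p2)' into (IPv4Address, port)."""
    match = PASV_RE.search(reply)
    if not match:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def data_endpoint(reply, control_peer):
    """Return (host, port, substituted) for the data connection."""
    host, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    # A server behind NAT advertises its LAN address; a client that reached
    # it over a routable address cannot connect there, so it reuses the
    # address the control connection is already talking to.
    if is_unroutable(host) and not is_unroutable(peer):
        return str(peer), port, True
    return str(host), port, False


if __name__ == "__main__":
    # Constructed reply: NAS on 192.168.1.50 reached via 203.0.113.10.
    print(data_endpoint("227 Entering Passive Mode (192,168,1,50,195,80)",
                        "203.0.113.10"))
```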
- Anonymous Aug 30, 2016
When enabling the FTP service with 'forced FTPS', it doesn't work unless the SSH service is also enabled. When SSH is enabled it doesn't work with non-admin users, unless enabling SSH in the user account. When enabling this, it gives full root access to the whole NAS for non-admin users. This was checked with DirectNet Drive v1.2.5 (Win7+10), both locally and remotely. Enabling SSH shouldn't give root folder access to non-admin users via SFTP?