Retired_Member
Not applicable

FTP 'Home Folder' Directory access for all?

I've recently factory reset an RN316 on OS 6.5.1 and I've enabled FTP access on OS 6.5.1 using this with Authentication Mode as 'user'; however, it does not set the location of the FTP user home folder correctly. Instead it gives access to ALL users' home folders on the NAS.

 

I log in via FTP with a standard 'user' username/password; it goes to the /home/ directory by default and lists all the user home folders. It should only go to the user's login directory, not /home/ for all users.

 

Username: Test

Password: Test

Using an FTP client (FileZilla), it logs into /home/ and lists ALL the users' directories as sub-folders, plus the files and subfolders therein...

 

All home user folders are listed as 'drwxr-xr-x 1 admin admin', so if I were FTP'ing as admin the access would make sense, but I'm using a non-admin user FTP login (it's just a plain user) and I have access to all the other users' folders?

 

I've looked for the FTP settings in the Home Folders section as per here under the "Access" table (i.e. you can Enable FTP on Home Folders, but there are NO settings on how FTP behaves in this section).

 

Am I missing something here?

 

PS: I've also enabled 'Enable FTP Server Log Transfer', yet it does not log anything...

 

Message 1 of 22
Retired_Member
Not applicable

Has anyone used TFTP Server - can it be used with Home Fo...

Has anyone used TFTP Server - can it be used with Home Folders? Is it configurable (IP black/white lists, retry attempt count, link IP per user account, etc.)?

 

 

Message 2 of 22
Retired_Member
Not applicable

ProFTPD bug with Home Folder Access for all users....

I found the issue with ProFTPD giving full access to ALL the user home folders....

 

This is from a factory reset of OS 6.5.1 and by default (when FTP is enabled), ProFTPD has the /etc/frontview/proftpd/User.conf set as follows:

 

DefaultRoot /var/ftp

RequireValidShell off

Include /etc/frontview/proftpd/Shares.conf

 

It should have been (to give the logged on user only their home folder access):

DefaultRoot ~

 

However, FTP access on normal Shares is broken when Home Folder FTP access is enabled...either way, with DefaultRoot ~ and DefaultRoot /var/ftp (i.e. you can't access Home Folder AND normal Shares when FTP is enabled for both; it's either one or the other, and you have to disable Home Folder FTP access to access normal Share FTP access) - this is not a very good implementation of FTP for OS 6.5.1 😞

(I haven't found a workaround/fix for this yet, since I don't know how Shares.conf is managed for the normal shares, and why the Home (DefaultRoot) would not allow other shares when enabled through the UI...)

 

There is also a possible issue with changing FTP settings (enabling/disabling FTP shares, etc.): you have to turn the FTP service off/on from the System -> Settings UI to update the settings....if this is the case, it's a big pain in the *** when making changes and not known; otherwise it's an inconvenience and a poor way to manage the UI FTP settings.

Message 3 of 22
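The two DefaultRoot settings above, and the home-folder permissions fix mentioned later in the thread (every home folder listed as drwxr-xr-x), can be modelled in a few lines. This is an added example, not ReadyNAS or ProFTPD code: it treats '~' as ProFTPD does (chroot to the login user's home) and, as an assumption matching what the thread observes, treats the /var/ftp root as exposing /home and the shares beneath it. The directory tree, user names, groups and mode strings are constructed.

```python
"""Which home folders can an FTP login list under each DefaultRoot setting?
Added example (not ReadyNAS/ProFTPD code); tree and accounts are constructed."""
from dataclasses import dataclass, replace as dc_replace


@dataclass(frozen=True)
class DirEntry:
    path: str     # absolute path on the NAS
    mode: str     # ls-style mode string, e.g. "drwxr-xr-x"
    owner: str
    group: str


# Constructed sample matching the thread: every home folder is
# "drwxr-xr-x ... admin admin" (world-listable), except bob's, already private.
TREE = [
    DirEntry("/home/admin", "drwxr-xr-x", "admin", "admin"),
    DirEntry("/home/test",  "drwxr-xr-x", "admin", "admin"),
    DirEntry("/home/alice", "drwxr-xr-x", "admin", "admin"),
    DirEntry("/home/bob",   "drwx------", "bob",   "bob"),
]

# Assumption: the ReadyNAS FTP root /var/ftp exposes the shares and /home
# beneath it, which is what the thread observes with DefaultRoot /var/ftp.
FTP_ROOT_CONTENTS = {"/var/ftp": ["/home", "/Public"]}


def mode_bits(mode):
    """Split an ls-style directory mode into (user, group, other) rwx triples."""
    if len(mode) != 10 or mode[0] != "d":
        raise ValueError(f"expected a directory mode string, got {mode!r}")
    return mode[1:4], mode[4:7], mode[7:10]


def can_list(entry, user, groups):
    """Listing a directory needs both r (read) and x (search) on the
    permission triple that applies to this user."""
    u, g, o = mode_bits(entry.mode)
    bits = u if user == entry.owner else g if entry.group in groups else o
    return bits[0] == "r" and bits[2] == "x"


def reachable_subtrees(default_root, home):
    """ProFTPD DefaultRoot: '~' confines the session to the user's home;
    a literal path exposes whatever sits beneath that directory."""
    if default_root == "~":
        return [home]
    return FTP_ROOT_CONTENTS[default_root]


def _under(path, root):
    return path == root or path.startswith(root.rstrip("/") + "/")


def visible_homes(default_root, user, groups, home, tree=TREE):
    """Sorted home-folder paths the user can both reach and list."""
    roots = reachable_subtrees(default_root, home)
    return sorted(
        e.path for e in tree
        if e.path.startswith("/home/")
        and any(_under(e.path, r) for r in roots)
        and can_list(e, user, set(groups))
    )


def harden(tree):
    """The permissions fix: each home folder owned by its user, mode 0700
    (chown user:user + chmod 700), so a shared FTP root no longer exposes it."""
    fixed = []
    for e in tree:
        if e.path.startswith("/home/"):
            name = e.path.split("/")[2]
            fixed.append(dc_replace(e, mode="drwx------", owner=name, group=name))
        else:
            fixed.append(e)
    return fixed


if __name__ == "__main__":
    for root in ("/var/ftp", "~"):
        print(root, visible_homes(root, "test", ["users"], "/home/test"))
    print("hardened /var/ftp",
          visible_homes("/var/ftp", "test", ["users"], "/home/test", harden(TREE)))
```

Run as-is, the script shows the plain user "test" listing admin, alice and its own folder under DefaultRoot /var/ftp, only its own folder under DefaultRoot ~, and only its own folder under /var/ftp once the home folders have been re-owned and set to 0700. Either change closes the listing problem; the chroot also stops traversal into shares the user should not see, while the permissions fix is what protects the data from any other shared path.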
Retired_Member
Not applicable

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

Is there any documentation on the way Netgear ReadyNAS OS 6.5.1 FTP works?

 

I wanted to clarify, specifically: is FTPS = FTP via SSL/TLS?

 

I also wanted to clarify if that is different to SFTP?

 

 

I've found the following circumstances, and just wanted some clarity on it:

 

1) on the NAS-FrontView, I've enabled FTP with 'Enabled Forced FTPS'

 

2) I've enabled FTP access on the Home Folders

 

3) I then use FileZilla with a non-admin username and it logs in correctly to the correct folder, working fine, etc.

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful

 

...and with SSH enabled for the user account:

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Status: Directory listing of "/" successful

 

(note: I don't know where the welcome.msg file should be stored for the NAS; the default proftpd locations don't work :()

 

4) Using FileZilla with the admin account works fine too - it logs into /home/admin/

 

5) But then, when I try to mount a share on a client machine using an SFTP mount point, the non-admin username fails and the admin username accesses the whole NAS like root access (/)....

 

6) I enable SSH -> 'allow shell access' on each user account, and the client machine SFTP mount point works fine per user account and in the correct /home/ folder....and I believe admin SFTP also mounts to /home/admin/

 

 

I'm a little confused - FileZilla uses TLS to access the correct home folder without enabling SSH on the user account on the NAS, yet mounting the share on a client machine using SFTP doesn't work until I enable SSH on the user account....admin works either way, except it accesses as root via the SFTP mount on the client machine...unless I enable SSH on a user account, then admin works like a normal user account (i.e. /home/admin/ is accessed).

 

 

 

 

Message 4 of 22
Retired_Member
Not applicable

Bug with all users gaining root (/) folder access via SFTP

I've just used an SFTP mounting program (DirectNet Drive) on a Windows PC and, if the NAS has SSH enabled on a normal user account (with the SSH service enabled) and FTP enabled, it gives an error when trying to connect; however FileZilla still has access to the user's home folder..using TLS.

 

But when enabling FTP access on the Home Shares, the user has access to the root (/) folder....

 

using sftp://<username>:<password>@<ip>:22/

 

I believe this is a major security flaw in how OS 6.5.1 Frontview configures ProFTPD when FTP is enabled and SSH access is enabled for a normal (non-admin) user. It should restrict folder access based on the user's home folder only and not allow any user access to the root folder (/) ....the root user being the exception (since console access is always logged in as root, the admin username should also be restricted to its home folder).

 

Message 5 of 22
StephenB
Guru

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...


@Retired_Member wrote:

 

I wanted to clarify, specifically: is FTPS = FTP via SSL/TLS?

 

I also wanted to clarify if that is different to SFTP?

 

FTPS is a different protocol from SFTP.  SFTP uses SSH, but FTPS uses SSL.  https://en.wikipedia.org/wiki/FTPS

 

If you are just wanting encrypted FTP then use FTPS with the NAS.


@Retired_Member wrote:

 

 

Status: Server sent passive reply with unroutable address. Using server address instead.

  


This line in particular is a FileZilla feature, not a problem.  FTP and FTPS send the IP address of the data channel in the control channel.  That creates a problem if the server is behind a NAT router - which you usually need masquerading to fix.  But masquerading creates a connectivity problem on the local LAN.  So FileZilla and some other clients detect that the IP address for the data channel is not routable, and simply substitute the sender IP address from the IP header instead.

Message 6 of 22
Retired_Member
Not applicable

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

When enabling the FTP service with 'forced FTPS', it doesn't work unless the SSH service is also enabled. When SSH is enabled it doesn't work with non-admin users unless SSH is enabled in the user account. When enabling this, it gives full root access to the whole NAS for non-admin users. This was checked with DirectNet Drive v1.2.5 (Win7+10), both locally and remotely. Enabling SSH shouldn't give root folder access to non-admin users via SFTP, should it?

 

Message 7 of 22
StephenB
Guru

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...


@Retired_Member wrote:

When enabling the FTP service with 'forced FTPS', it doesn't work unless the SSH service is also enabled.

 


The combination of "forced FTPS" and disabled SSH works fine with my RN202 (running 6.5.2 beta).  On FileZilla you need "require explicit FTP over TLS"

 

I'm not familiar with DirectNet Drive but am thinking you are running SFTP there, not FTPS.  That explains your symptoms anyway.

Message 8 of 22
Retired_Member
Not applicable

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

Yes, DirectNet Drive is using SFTP - it mounts the share as a local drive, but for some reason gives root (/) folder access to the NAS.

 

I've just tried SFTP Net Drive Free - same thing, it mounts the share as a local drive, but that one mounts the user home folder correctly....

 

I suspect it's not using TLS, thus the need to enable SSH......but alas, with SSH, non-admin users get root (/) access 😞 Unfortunately, I need SSH for root/admin access to the NAS, but I also need to not allow normal users access to the whole NAS, as it's a security breach.

 

Message 9 of 22
StephenB
Guru

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...


@Retired_Member wrote:

 

 

I suspect its not using TLS, thus the need to enable SSH...

 


I agree with your analysis.  That also explains why "force FTPS" isn't relevant.

 

You might need to find a different tool.  It looks like DriveMaker Plus might work, but there is a $15 cost.

Message 10 of 22
Retired_Member
Not applicable

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

Can you also please confirm in the 6.5.2 beta:

 

1) When enabling FTP, as a normal user do you only get the user's content, not a /home/ folder?

 

2) When enabling FTP (enable forced FTPS) with FTP on a share (disabled on the Home Folders), do you get that share's content and not the home folder contents?

Thanks 🙂

 

Message 11 of 22
Retired_Member
Not applicable

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

I'll be using SFTP Net Drive because it works correctly.

 

But if a user decides to use DirectNet Drive, they'll have access to / on the NAS (I need SSH for root/admin access)...Unfortunately I have several users who could work this out and start copying sensitive NAS files...I'm guessing I could chmod to stop read access, but that can get messy 😞 most / folders are drwxr-xr-x 1 root root

 

Message 12 of 22
StephenB
Guru

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

That particular NAS only has the admin account.

 

But using the admin account, I only see the public shares - no admin folder and no home folder.  I have FTP access disabled for Home (via the share page settings).

Message 13 of 22
Retired_Member
Not applicable

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

OK, I fixed the home vs. public share access....it was the prior setting I changed before; it's now back to the default DefaultRoot /var/ftp, which brings the /Public shares + /home/ folder into view, and I have fixed the permissions for the home folders (an app issue caused read for all)...

 

The issue where enabling SSH still gives full access to the NAS for non-admin users (via SFTP) remains, which is a security issue 😞 It should only give access to FTP-enabled folders......do you know if this has been addressed in the newer OS beta(s)?

Message 14 of 22
StephenB
Guru

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...


@Retired_Member wrote:

 

The issue where enabling SSH still gives full access to the NAS for non-admin users (via SFTP) remains, which is a security issue 😞 It should only give access to FTP-enabled folders......do you know if this has been addressed in the newer OS beta(s)?


It's not in the change logs.  Perhaps someone from Netgear can comment - @kohdee ??? 

Message 15 of 22
kohdee
NETGEAR Expert

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

We don't have SFTP chroots, which is ultimately what you're looking for.

If you mark the checkbox for "rsync only" on users you don't want to allow full access to, it should prevent connections over port 22, addressing your major security concern; then utilize FTPS.

Also, please request SFTP Chroots in the Idea Exchange. 

 

Message 16 of 22
Retired_Member
Not applicable

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

Yep, that's the one....

 

someone has outlined it here - https://bensmann.no/restrict-sftp-users-to-home-folder/

 

Message 17 of 22
kohdee
NETGEAR Expert

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

You can apply those changes at your own risk with no support from NETGEAR; or you could feature request it and get full support from NETGEAR. Your choice. 

Message 18 of 22
Retired_Member
Not applicable

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

Not to sound like a nub, but do security concerns also go in the idea section? I can put it there, but it's based on votes or something?

 

Message 19 of 22
kohdee
NETGEAR Expert

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

The feature request would be to add the option for SFTP Chroots, to make the device more secure; since it doesn't exist, it's a new feature request.  Voting just gives the issue more visibility and a proper time schedule, but we see all items in the idea exchange regardless of ranking. Once you put it in the idea exchange, I can approach the appropriate teams to work on such a feature. (It would not only require backend mods, but UI and middleware modifications). 

 

Your security concern only became a concern when you chose to enable SSH. Disabling SSH would be your workaround for your security concern.  Allowing SSH access to your NAS is essentially what you're doing with SFTP; we gave an option to restrict SSH access for non-admin users with the rsync only option (for rsync over SSH access).

 

 

Message 20 of 22
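The chroot that kohdee says ReadyNAS lacks, and that the guide linked in Message 17 configures by hand, is OpenSSH's ChrootDirectory plus ForceCommand internal-sftp inside a Match block of sshd_config. As an added example (not NETGEAR or ReadyNAS code), the following Python checker evaluates a constructed sshd_config for a given account and reports whether that account's SFTP session would be confined or would see the whole filesystem, which is the situation reported in this thread. The config text, the account names and the group name 'sftponly' are constructed here; the Match evaluation is a simplified subset (User and Group criteria only) of what sshd supports.

```python
"""Does this sshd_config confine a given account's SFTP session to a chroot?
Added example, not NETGEAR/ReadyNAS code; config and accounts are constructed."""

SAMPLE_SSHD_CONFIG = """\
# Constructed sample sshd_config (not a ReadyNAS file).
Subsystem sftp internal-sftp
PermitRootLogin no

# Confine members of the sftponly group to their home folder and allow
# nothing but SFTP over the SSH connection.
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Split sshd_config text into (global_settings, match_blocks).
    Keywords are case-insensitive in sshd, so they are lower-cased here."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # "Match Group sftponly,backup User alice" -> {"group": {...}, "user": {...}}
            tokens = value.split()
            criteria = {c.lower(): set(v.split(","))
                        for c, v in zip(tokens[0::2], tokens[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            current[key] = value
    return global_settings, blocks


def block_matches(criteria, user, groups):
    """Simplified Match evaluation: only the User and Group criteria."""
    if "user" in criteria and user not in criteria["user"]:
        return False
    if "group" in criteria and not (set(groups) & criteria["group"]):
        return False
    return True


def effective_settings(text, user, groups):
    """Global settings, overridden by the Match blocks that apply to this user.
    As in sshd(8), the first matching block to set a keyword wins."""
    settings, blocks = parse_sshd_config(text)
    effective = dict(settings)
    decided = set()
    for criteria, block in blocks:
        if not block_matches(criteria, user, groups):
            continue
        for key, value in block.items():
            if key not in decided:
                effective[key] = value
                decided.add(key)
    return effective


def sftp_confinement(text, user, groups, home):
    """None if the account's SFTP session sees the whole filesystem;
    otherwise (expanded chroot path, True if only internal-sftp is allowed)."""
    eff = effective_settings(text, user, groups)
    chroot = eff.get("chrootdirectory", "none")
    if chroot.lower() == "none":
        return None
    chroot = chroot.replace("%u", user).replace("%h", home)
    sftp_only = eff.get("forcecommand", "").lower() == "internal-sftp"
    return chroot, sftp_only


def audit(text, accounts):
    """accounts: list of (user, groups, home). Returns the users left unconfined."""
    return [u for u, g, h in accounts if sftp_confinement(text, u, g, h) is None]


if __name__ == "__main__":
    accounts = [("test", ["users", "sftponly"], "/home/test"),
                ("admin", ["admin"], "/home/admin")]
    for user, groups, home in accounts:
        print(user, sftp_confinement(SAMPLE_SSHD_CONFIG, user, groups, home))
    print("unconfined:", audit(SAMPLE_SSHD_CONFIG, accounts))
```

Two OpenSSH requirements make this work in practice: the ChrootDirectory path and every directory above it must be owned by root and not writable by group or others, so with ChrootDirectory /home/%u the home folder itself is root-owned and the user writes into a subdirectory beneath it; and ForceCommand internal-sftp uses sshd's built-in SFTP server, so no binaries or libraries need to exist inside the chroot. Any account not caught by such a Match block (admin in the sample) still gets the full filesystem view over SFTP.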
Retired_Member
Not applicable

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

OK, thanks.

 

I've posted it here: https://community.netgear.com/t5/Idea-Exchange-for-ReadyNAS/Security-Issue-Restrict-SFTP-users-to-ho...

 

...but I think you put it more succinctly as I'm not an expert *nix user...

 

 

Message 21 of 22
kohdee
NETGEAR Expert

Re: ProFTPD bug with Home Folder Access for all users....SFTP Vs FTPS, SSH-TLS...

Thanks. I will follow up with the team on that feature request. I personally enjoy SFTP chroots on my web servers, and it would be awesome to have them on ReadyNAS as well.

Message 22 of 22