proftpd ignores HideGroup

Question

I have an interesting problem when hosting a proftpd on a SL6 x86_64. When I compile from source, proftpd executable ignores the HideGroup feature. However, when I install an older version from epel via rpm, this HideGroup feature works just fine. Why does this feature from mod_core get ignored when installed from source/tar, but honored when installing from epel/rpm?

I have a directory called "pictures" in '/var/ftp/' that I don't want it visible to anonymous users. So I have the HideGroup in the conf, but it's ignored! Any ideas why? Here's some debug info.

[robertk@bunsy ~]$ ll /var/ftp/
total 40
drwxrwxr-x. 3 bobby bobby 20480 Jul 27 11:10 pictures
drwxr-xr-x. 7 root    root    4096 Dec 20  2013 pub
d-wx-wx--x  2 ftp     ftp     4096 Dec 20  2013 uploads
-rw-r--r--  1 root    root     224 Dec 20  2013 welcome.msg
-rw-r--r--  1 root    root     224 Dec 20  2013 welcome.msg.rpmnew
-rw-r--r--. 1 root    root    1283 Jul 23 17:18 welcome.msg.rpmsave
[robertk@bunsy ~]$ 

Here's my "configure" from the source.

    [root@bunsy proftpd-1.3.5a]# ./configure --prefix=/opt/proftpd-1.3.5a/ --enable-cap --enable-dso --enable-nls --enable-shadow

And when I run the proftpd in non-daemon verbose mode, it spits this:

    [root@bunsy proftpd-1.3.5a]# /opt/proftpd-1.3.5a/sbin/proftpd -d 10 -n -DANONYMOUS_FTP -c /usr/local/etc/proftpd.conf
    ...
    : in dir_check_full(): path = '/', fullpath = '/var/ftp/'.
    : retrieved GID 45755 for group 'bobby'
    : HideGroup 'root' is not a known/valid group, ignoring
    : dispatching POST_CMD command 'PASS (hidden)' to mod_cap
    : mod_cap/1.1: uid = 14, euid = 14, gid = 50, egid = 50
    : mod_cap/1.1: capabilities '= cap_chown,cap_setgid,cap_setuid,cap_net_bind_service+ep cap_mac_override+ei'
    : dispatching POST_CMD command 'PASS (hidden)' to mod_delay
    : dispatching POST_CMD command 'PASS (hidden)' to mod_log
    : dispatching POST_CMD command 'PASS (hidden)' to mod_ls
    : dispatching POST_CMD command 'PASS (hidden)' to mod_auth
    : RELINQUISH PRIVS at mod_auth.c:1963
    : dispatching POST_CMD command 'PASS (hidden)' to mod_rlimit
    : dispatching POST_CMD command 'PASS (hidden)' to mod_xfer
    : dispatching POST_CMD command 'PASS (hidden)' to mod_core
    : dispatching LOG_CMD command 'PASS (hidden)' to mod_log
    : dispatching LOG_CMD command 'PASS (hidden)' to mod_auth
    : ANON ftp: Login successful.
    : dispatching PRE_CMD command 'SYST' to mod_core
    : dispatching PRE_CMD command 'SYST' to mod_core
    : dispatching CMD command 'SYST' to mod_core
    : dispatching LOG_CMD command 'SYST' to mod_log
    : dispatching PRE_CMD command 'FEAT' to mod_core
    : dispatching PRE_CMD command 'FEAT' to mod_core
    : dispatching CMD command 'FEAT' to mod_core
    : in dir_check_full(): path = '/', fullpath = '/var/ftp/'.
    : HideGroup 'bobby' is not a known/valid group, ignoring
    : dispatching LOG_CMD command 'FEAT' to mod_log
    : dispatching PRE_CMD command 'PWD' to mod_core
    : dispatching PRE_CMD command 'PWD' to mod_core
    : dispatching CMD command 'PWD' to mod_core
    : in dir_check_full(): path = '/', fullpath = '/var/ftp/'.
    : HideGroup 'bobby' is not a known/valid group, ignoring
    : dispatching LOG_CMD command 'PWD' to mod_log
    : dispatching PRE_CMD command 'EPSV' to mod_core
    : dispatching PRE_CMD command 'EPSV' to mod_core
    : dispatching CMD command 'EPSV' to mod_core
    : in dir_check_full(): path = '/', fullpath = '/var/ftp/'.
    : HideGroup 'bobby' is not a known/valid group, ignoring
    : Entering Extended Passive Mode (|||25228|)
    : dispatching LOG_CMD command 'EPSV' to mod_log
    : dispatching PRE_CMD command 'LIST' to mod_core
    : dispatching PRE_CMD command 'LIST' to mod_core
    : dispatching CMD command 'LIST' to mod_ls
    : passive data connection opened - local  : 137.78.60.158:25228
    : passive data connection opened - remote : 128.149.252.79:50071
    : in dir_check_full(): path = '/', fullpath = '/var/ftp/'.
    : HideGroup 'bobby' is not a known/valid group, ignoring
    : in dir_check_full(): path = '/igspush', fullpath = '/var/ftp/igspush'.
    : HideGroup 'bobby' is not a known/valid group, ignoring
    : in dir_check_full(): path = '/pub', fullpath = '/var/ftp/pub'.
    : HideGroup 'bobby' is not a known/valid group, ignoring
    : in dir_check_full(): path = '/uploads', fullpath = '/var/ftp/uploads'.
    : HideGroup 'bobby' is not a known/valid group, ignoring
    : in dir_check_full(): path = '/welcome.msg', fullpath = '/var/ftp/welcome.msg'.
    : HideGroup 'bobby' is not a known/valid group, ignoring
    : in dir_check_full(): path = '/welcome.msg.rpmnew', fullpath = '/var/ftp/welcome.msg.rpmnew'.
    : HideGroup 'bobby' is not a known/valid group, ignoring
    : in dir_check_full(): path = '/welcome.msg.rpmsave', fullpath = '/var/ftp/welcome.msg.rpmsave'.

(do note I've removed the full server name, IP, time, etc. from the verbose output mode to save space for this view)

And here's my config for the ANONYMOUS_FTP block in my proftpd.conf

<Anonymous ~ftp>
    User        ftp
    Group       ftp

    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias   anonymous ftp

    # Do not allow blank "passwords"
    #   AnonRejectPasswords     ^$ | ([ \t\n\r\f])

    # Maximum clients with message
    MaxClients      100  "Sorry, max of users reached (%m) -- try again later"
    MaxClientsPerUser   20  "Sorry, max clients for this user reached (%m) -- try again later"

    # Put the user into /pub right after login
    #DefaultChdir       /pub

    # We want 'welcome.msg' displayed at login, '.message' displayed in
    # each newly chdired directory and tell users to read README* files. 
    #DisplayLogin       /welcome.msg
    DisplayChdir        .message
    #DisplayReadme      README*

    # Cosmetic option to make all files appear to be owned by user "ftp"
    DirFakeUser     on ftp
    DirFakeGroup        on ftp

    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE STOR SITE_CHMOD>
        DenyAll
    </Limit>

    # Allow logins (for anonymous) since they are disabled above.
    <Limit LOGIN>
        Order deny,allow
        Deny from .com
        Deny from <some ip>
        Deny from <some ip>
        Allow from all
    </Limit>

    HideNoAccess on
    HideGroup bobby
    HideGroup root
    #HideGroup 45755

    <Limit ALL>
        IgnoreHidden on
    </Limit>

    #ShowSymlinks            off

    # Don't write anonymous accesses to the system wtmp file (good idea!)
    WtmpLog     off

    # Logging for the anonymous transfers
    ExtendedLog /var/log/proftpd/access.log WRITE,READ default
    ExtendedLog /var/log/proftpd/auth.log AUTH auth



</Anonymous>

When I run the proftpd (installed from epel via rpm(yum)) pointing to the same /usr/local/etc/proftpd.conf, things work just fine!

Any ideas where I'm overlooking this problem?

Answer 1

What does:

$ proftpd -V

show for the proftpd installed from epel via rpm(yum)? One of the things emitted by the above command is the list of compile-time options used for that proftpd binary. By comparing your configure command options with the ones used for the epel version, you might find the culprit.