OES FTP won't reach NSS / NCP home directories if sessions are chrooted

  • 7017057
  • 08-Dec-2015
  • 02-Feb-2016

Environment

Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Novell Open Enterprise Server 2015 (OES 2015) Linux

Situation

A system administrator has configured OES FTP (novell-oes-pure-ftpd) to place users in an NCP home directory (usually on, but not limited to, an NSS volume).  This is set in /etc/pure-ftpd/pure-ftpd.conf with:
 
remote_server   yes
EnableRemoteHomeDirectory      yes

 
The configuration has also been set to enforce a chroot jail for all (or some) users so the home directory appears to be the root directory.  This is set in /etc/pure-ftpd/pure-ftpd.conf with either:
 
ChrootEveryone  yes
or
TrustedGID  xxx
(where the user is NOT a member of the GID xxx)
 
After starting (or restarting) pure-ftpd, the user reaches the remote NCP home directory in the first 2 or 3 FTP sessions attempted, but in later sessions is instead placed and chrooted into their POSIX home directory, such as /home/user1.

Resolution

Update the novell-oes-pure-ftpd package with the November 2015 public maintenance.  Specifically:
 
For OES 11 SP2:
novell-oes-pure-ftpd 1.0.22-33.52.56
(which also may appear in some views as 1.0.22-33.52.56.1)
 
For OES 2015:
novell-oes-pure-ftpd 1.0.22-33.63
(which also may appear in some views as 1.0.22-33.63.1)
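
The following shell check is an added example, not part of the original document or of the novell-oes-pure-ftpd package. It tests whether a pure-ftpd.conf combines remote NCP home directories with a chroot jail (the setup under Situation) and whether a given package version is at or above the fixed version listed above. The function names, the sample configuration and the older version string are constructed for illustration.

```shell
#!/bin/sh
# Fixed versions, as listed in the Resolution section of this document.
FIXED_OES11SP2="1.0.22-33.52.56"
FIXED_OES2015="1.0.22-33.63"

# conf_value FILE KEY: print the last uncommented value of KEY.
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# chroot_remote_home FILE: succeed when remote home directories are
# enabled together with ChrootEveryone or a TrustedGID restriction.
chroot_remote_home() {
    [ "$(conf_value "$1" remote_server)" = "yes" ] || return 1
    [ "$(conf_value "$1" EnableRemoteHomeDirectory)" = "yes" ] || return 1
    [ "$(conf_value "$1" ChrootEveryone)" = "yes" ] && return 0
    [ -n "$(conf_value "$1" TrustedGID)" ]
}

# version_at_least INSTALLED FIXED: succeed when INSTALLED >= FIXED.
# Assumption: sort -V orders these dotted numeric strings like rpm does.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# assess FILE INSTALLED FIXED: print a one-word verdict.
assess() {
    if ! chroot_remote_home "$1"; then
        echo "not-applicable"
    elif version_at_least "$2" "$3"; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# Constructed sample configuration (not taken from a real server).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# ChrootEveryone no
remote_server   yes
EnableRemoteHomeDirectory      yes
ChrootEveryone  yes
EOF
# "1.0.22-33.52.50" is a constructed older version string.
assess "$SAMPLE" "1.0.22-33.52.50" "$FIXED_OES11SP2"
# On a server, pass /etc/pure-ftpd/pure-ftpd.conf and the output of:
#   rpm -q --qf '%{VERSION}-%{RELEASE}' novell-oes-pure-ftpd
```

Pass the fixed version that matches the installed product: an OES 11 SP2 package at 1.0.22-33.52.56 is patched even though it sorts below the OES 2015 version.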

Cause

An earlier fix to remote server access, made public in late 2014, caused a potential side effect in the way novell-oes-pure-ftpd tracks NCP logins.  In a chrooted environment, pure-ftpd might lose track of whether the user in question is already logged into an NCP server or not.  As such, a necessary NCP login operation (nwlogin) might not be performed.
 
Note that a chrooted user will not be able to CD to other remote servers / volumes after their FTP session is underway.  But they should be able to reach a remote home directory initially, since they are placed in the home directory before the chroot is enforced.
