04-29-2008, 06:57 PM
Yil
LocalService (the default account for system services) is a very highly privileged account on the local machine only, but it's kind of weird in a number of ways and doesn't store its certificates where all the other user accounts are stored. This is probably because at the time they might be accessed critical system services haven't been started yet.

From the Changelog (where you should look first since v6 has a lot of changes that aren't included in the KB !!!): "I know of no way to do anything related to the LocalSystem account using the default store using any GUI tool. Thus if you have installed ioFTPD as a service and are running it under the default LocalSystem account site makecert/removecert are your friends. For security purposes you probably should be using a limited rights account anyway though...

"To view installed certificates for regular users you can use the certificate snap-in for the Microsoft Management Console as this should be available on W2k+. (start->run, "MMC", File->Add/Remove Snap-In, Add, Certificates, Add, My user account, Finish, Close, OK. As a shortcut you can try from start->run prompt "certmgr.msc" which will allow you to manage the certs for the current user only with fewer steps."

So you can see I now include the "site makecert, site removecert" builtin commands, but as you point out that won't work with real certs. I suppose I should add a "site installcert".

Here are two possible solutions off the top of my head. If you execute "site makecert" it just calls makecert.exe in the ioftpd\system directory to generate and install the cert since MS won't release the code to do that because they want to be annoying. Replace makecert.exe with something that installs your cert and just ignores the command line args. You can probably write a .bat file and use a .bat to .exe compiler I saw somewhere to do that trivially.

The other solution, and the preferred one, is to just run your service using logon as to run as a real user and then you can just install the cert into the user's store using MMC, CertMgr, etc. For a commercial installation I strongly suggest using a limited rights account where you have configured ioFTPD to be a non-admin user with access to only a few directories. In fact, I removed the ioFTPD account from the Users group so by default it didn't have access to most of the disk. Thus not only are you securing the box, but you're solving the SSL cert store issue at the same time!

Oh, and do set the Certificate_Name field in the config file just to be sure, but since you are likely using a HOST= line with a name in it, this may not be required.

So, ignore the KB entry in this case.
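The post's two points, that the account a service logs on as decides which certificate store it will read, and that the service should not be running as LocalSystem in the first place, can be checked from an administrator's PowerShell session. The script below is an added example, not code from the post or from the ioFTPD project: it reads the service's logon account, looks in the store that account will use for a certificate with a private key and the Server Authentication purpose, and warns when the account is LocalSystem or a local administrator. The service name 'ioFTPD' and the subject 'CN=ftp.example.test' are assumptions; it does not read the ioFTPD config file or the Certificate_Name field.

```powershell
<#
  Added example, not from the forum post or the ioFTPD project.
  Audits a Windows service's logon account and checks that a usable server
  certificate is present in the store that account will actually read.
  Assumptions: the service is registered as 'ioFTPD'; the certificate
  subject below is a constructed placeholder.
#>
param(
    [string]$ServiceName = 'ioFTPD',              # assumed service name
    [string]$CertSubject = 'CN=ftp.example.test'  # constructed placeholder
)

# 1. Which account does the service log on as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }
# Normalise '.\user' to 'COMPUTER\user' so it compares with identity names.
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
Write-Host "Service '$ServiceName' logs on as: $account"

# 2. Pick the certificate store that account sees.
#    LocalSystem has no ordinary user profile; its personal store is the
#    machine store (Cert:\LocalMachine\My), which is what the MMC snap-in's
#    "Computer account" view manages. A real user account reads its own
#    CurrentUser store, which this script only sees when run as that user.
if ($account -eq 'LocalSystem') {
    $storePath = 'Cert:\LocalMachine\My'
} else {
    $storePath = 'Cert:\CurrentUser\My'
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($me -ne $account) {
        Write-Warning "Running as '$me', not '$account'; the CurrentUser store shown is not the service's."
    }
}

# 3. Look for a certificate the service can actually use for TLS.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$certs = Get-ChildItem -Path $storePath | Where-Object { $_.Subject -like "*$CertSubject*" }
if (-not $certs) {
    Write-Warning "No certificate matching '$CertSubject' found in $storePath."
}
foreach ($c in $certs) {
    $eku = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate with no EKU extension is not restricted to a purpose.
    $serverAuth = (-not $eku) -or
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Subject
        HasPrivateKey = $c.HasPrivateKey        # TLS needs the key, not just the cert
        ServerAuth    = $serverAuth
        Expired       = ($c.NotAfter -lt (Get-Date))
    }
}

# 4. Least privilege: a file service does not need LocalSystem or admin rights.
if ($account -eq 'LocalSystem') {
    Write-Warning "Service runs as LocalSystem; use a dedicated limited-rights account instead."
} else {
    try {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        if ($admins.Name -contains $account) {
            Write-Warning "'$account' is a member of Administrators; a file service does not need that."
        }
    } catch {
        Write-Verbose "Get-LocalGroupMember not available on this host; skipping the admin-group check."
    }
}
```

Run it from an elevated prompt to inspect the LocalSystem case; for a dedicated service account, run it as that account (for example with `runas /user:.\ioftpd powershell`) so the CurrentUser branch shows the store the service will really open. A row with HasPrivateKey false is the symptom the post describes: the certificate was imported into a store, but not one the service account can sign with.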