Re: Proposed modification to ftpd
From: Peter Ross (petros@pps.de)
Date: 01/13/01
Date: Sat, 13 Jan 2001 18:27:27 +0100 (MET)
From: Peter Ross <petros@pps.de>
To: security@freebsd.org
Hello,
Next week I have to change an FTP server.
I read the thread starting with the message from
Fernando Schapachnik <fpscha@ns1.via-net-works.net.ar> on Fri, 29 Dec 2000
13:29:45 -0300 (ART)
> I just submitted PR bin/23944, which contains a patch against
> 4.2R ftpd to add the following functionality to chrooted users: The
> user's home dir is split by the first '/./'. The first part is
> used to chroot, and the second to chdir (eg,
> '/usr/local/www/data/site/./htdocs', means chroot to
> /usr/local/www/data/site, and then chdir to htdocs).
>
> The reason I consider it (somehow) security related is that
> it is meant to simplify migration from (usually
> remote-root-exploitable) wu-ftpd, which uses the same syntax.
I want to migrate (for security reasons).
I wish that the user doesn't see /etc or /bin after login, because some of them
are using scripts to receive data. These scripts could have instructions like "mput
*". There are more than one or two users and I don't like Monday telephone calls
"It doesn't work". Some users are confused by the smallest changes.
I created a home directory owned by the FTP account and used /etc/ftpchroot.
Fortunately ls is an integrated part of ftpd - no bin directory necessary. Also
there's no etc. According to the man page I only see uids (no names because
there is no passwd database) but I think that isn't a problem. At this moment I
can't see other problems. It seems to work.
ftpd(8)
> ~ftp Make the home directory owned by ``root'' and unwritable
> by anyone.
Hmmh. Now the home directory is 775 (a different user with the same gid moves the
files in our network or from it).
Would you prefer my way to migrate wu-ftpd -> ftpd rather than implement the
"*/./*" syntax? Any risks?
Regards
Peter Ross
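
Added example, not part of the original message and not the code from PR bin/23944: a C sketch of the '/./' home-directory split described in the quoted text, together with the ownership and mode check implied by the ftpd(8) line quoted above. The function names, the choice to reject an empty chroot part, and uid 1001 are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Split a home field at the first "/./" (the wu-ftpd syntax discussed above).
 * root_out receives the directory to chroot() into; cwd_out receives the
 * path to chdir() to, expressed relative to the new root ("/htdocs").
 * Without a marker the whole path is the chroot and cwd is "/".
 * Returns 0 on success, -1 if a buffer is too small or the chroot part
 * would be empty (this example refuses to treat that as chroot to "/"). */
int split_home(const char *home, char *root_out, size_t root_sz,
               char *cwd_out, size_t cwd_sz)
{
    const char *mark = strstr(home, "/./");
    size_t root_len = mark ? (size_t)(mark - home) : strlen(home);
    const char *rest = mark ? mark + 3 : "";

    while (*rest == '/')                 /* tolerate "/.//htdocs" */
        rest++;
    if (root_len == 0 || root_len >= root_sz || strlen(rest) + 2 > cwd_sz)
        return -1;
    memcpy(root_out, home, root_len);
    root_out[root_len] = '\0';
    snprintf(cwd_out, cwd_sz, "/%s", rest);
    return 0;
}

/* ftpd(8) line quoted above: owned by root and unwritable by anyone.
 * Takes the st_uid and st_mode fields of a stat() on the chroot top. */
int chroot_top_ok(uid_t owner, mode_t mode)
{
    return owner == 0 && (mode & (S_IWUSR | S_IWGRP | S_IWOTH)) == 0;
}

int main(void)
{
    char root[256], cwd[256];

    if (split_home("/usr/local/www/data/site/./htdocs", root, sizeof root,
                   cwd, sizeof cwd) == 0)
        printf("chroot(%s) then chdir(%s)\n", root, cwd);
    /* Constructed sample: account-owned (uid 1001), mode 775 as in the message. */
    printf("uid 1001, mode 775: %s\n",
           chroot_top_ok(1001, 0775) ? "ok" : "chroot top is writable");
    return 0;
}
```
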