[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Chroot or not for vsftpd



> Hi,
>
> I am planning to install Vsftpd (vsftpd-1.1.0-3.i386.rpm) for SuSE 7.3
> running SuSE compiled kernel 2.2.19. which will allow anonymous
uploads
> also

I would do it a littlebit different:

Compile vsftp for your own and don't use rpm since this is not written
for 7.3 (use it on 7.3 as well).
Get the Source from http://vsftpd.beasts.org/ (v 1.1.2!).
VSFTP will the be compiled for your cpu and run faster and it is the
newest version (1.1.0 is not!).

Then:

tar xvfz vsftpd-1.1.2.tar.gz
cd vsftpd-1.1.2
make
read the file INSTALL for needed settings in your system
Change the config files to your desire.
There is a fine documentation in the package!

Put the chroot users in vsftpd.chroot_list and set
chroot_list_enable=YES , chroot_list_file=/etc/vsftpd.chroot_list!
The rest vsftp will do for you.

This is secure enough for me.

> The machine has private IP and will be behind SuSE ftp-proxy. The
> default looks it needs to be run from inetd /xinetd. Here is what I
have
> in mind
>
> a) run it as standalone

Why not standalone?

Standalone means to run it as root, because processes bind to ports
<1024 must be run as root.
Use xinetd to manage it.

> b) use Marc Heuse's compartment to run it in a chroot environment

Compardment is a fine thing, but I don't know, if it runs with vsftp,
since the daemon itself provides a chrooted environment for each user
(read the man-pages of that project).
If you run standalone you have to use compardment, but I would prefer
running it from xinetd.

If you plan to chroot the anonymous user you must have him in the same
subdir like the users you plan to give ftp-access.
You can even use vsftp with virtual users, so you don't need /etc/passwd
and /etc/shadow.
This is more secure.

> c) use the ftpdir package of SuSE which is also in the chrooted
> environment where vsftd runs
>
> First of all is this overkill ? If not then I do not understand the
> following
>
> 1) The ftpdir package has passwd file (/usr/local/ftp/etc)
>
> root:x:0:0:Super User:/root:/bin/bash
>
> My understanding is it is now chrooted to "/usr/local/ftp" and since
> there is no "bash" under the bin directory what is the reasoning
behind
> it. Why not use "false" and provide "false" executable under the bin
> directory ?

FTP-Daemons use directory with rights not set to the user ftp itself
(read the INSTALL file of vsftp for that reason!).

> 2) Why user root and not "ftp" for instance

This has security purposes.
You can create there a subdir and make it owned by ftp, e.g. incoming
(chmod 755) and make another e.g. Donload owned by a real user as
download (chmod 755).
This allows only the real user to upload files to Download, incoming can
be uploaded by ftp-user (I have a similar config).

Philippe




-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here