Re: [suse-security] Chroot or not for vsftpd
* Philippe Vogel; <filiaap@xxxxxxxxxx> on 25 Oct, 2002 wrote:
tar xvfz vsftpd-1.1.2.tar.gz
I cannot do these since I do not have anything related to devel
installed on that machine. And I want to keep it as close to SuSE
provided RPMS so during an update I am planning to have less headache (I
always have the headache after an update anyway).
Let's see if I can build it in a chroot build environment.
read the file INSTALL for needed settings in your system
Change the config files to your desire.
There is a fine documentation in the package!
Damn, I need more coffee, or a change to Coke as a variant of caffeine is
needed. Thanks for reminding. And yes, it has more documentation than the
SuSE RPMS (hint for packagers at SuSE).
Compartment is a fine thing, but I don't know if it runs with vsftp,
since the daemon itself provides a chrooted environment for each user
(read the man-pages of that project).
If you run standalone you have to use compartment, but I would prefer
running it from xinetd.
If you plan to chroot the anonymous user you must have him in the same
subdir like the users you plan to give ftp-access.
You can even use vsftp with virtual users, so you don't need /etc/passwd.
This is more secure.
k I am convinced
it. Why not use "false" and provide "false" executable under the bin
FTP-Daemons use directory with rights not set to the user ftp itself
(read the INSTALL file of vsftp for that reason!).
Ok I got it now
2) Why user root and not "ftp" for instance
This has security purposes.
You can create there a subdir and make it owned by ftp, e.g. incoming
(chmod 755) and make another e.g. Download owned by a real user as
download (chmod 755).
This allows only the real user to upload files to Download, incoming can
be uploaded by ftp-user (I have a similar config).
Ok, actually I was worried about being a warez hosting service and this
explanation gives a bit of relief.
Unofficial SuSE FAQ Maintainer
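
An added example, not part of the original thread: a shell audit of the directory layout described above (FTP root not owned by the ftp user, "incoming" owned by ftp, "Download" owned by a real user, none writable by group or other, which chmod 755 satisfies). It assumes GNU stat; the function names and the sample path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit an FTP tree against the layout
# described above. Assumes GNU stat; "incoming" and "Download" are the
# directory names used in the thread, everything else is hypothetical.

# Resolve a user name to a numeric uid; a value id(1) cannot resolve is
# used as-is, so a raw uid may be passed as well.
to_uid() { id -u "$1" 2>/dev/null || printf '%s\n' "$1"; }

# True when group or other has the write bit set (e.g. 775, 757, 1777).
loose_mode() {
    case $(stat -c %a "$1") in
        *[2367]?|*[2367]) return 0 ;;
    esac
    return 1
}

# root_ok DIR FTP_USER: the FTP root must NOT belong to the ftp user and
# must not be writable by group/other.
root_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %u "$1")" != "$(to_uid "$2")" ] && ! loose_mode "$1"
}

# subdir_ok DIR OWNER: an upload directory must belong to exactly the
# account allowed to write there, again with no group/other write bit.
subdir_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "$(to_uid "$2")" ] && ! loose_mode "$1"
}

# audit_ftp_tree ROOT FTP_USER REAL_USER: prints one line per deviation,
# leaves the count in FINDINGS and returns non-zero if there is any.
audit_ftp_tree() {
    FINDINGS=0
    root_ok "$1" "$2" ||
        { echo "FAIL: $1 owned by $2 or group/world-writable"; FINDINGS=$((FINDINGS + 1)); }
    subdir_ok "$1/incoming" "$2" ||
        { echo "FAIL: $1/incoming not owned by $2 or too permissive"; FINDINGS=$((FINDINGS + 1)); }
    subdir_ok "$1/Download" "$3" ||
        { echo "FAIL: $1/Download not owned by $3 or too permissive"; FINDINGS=$((FINDINGS + 1)); }
    [ "$FINDINGS" -eq 0 ]
}

# Usage: audit_ftp_tree /srv/ftp ftp download   (path is an example)
```

Run from cron or after a package update, a non-zero exit signals that the tree has drifted from the layout above, for example an FTP root that anonymous users could write into.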