
Re: [suse-security] Chroot or not for vsftpd



* Philippe Vogel; <filiaap@xxxxxxxxxx> on 25 Oct, 2002 wrote:
> tar xvfz vsftpd-1.1.2.tar.gz
> cd vsftpd-1.1.2
> make

I cannot do these since I do not have anything related to devel
installed on that machine. And I want to keep it as close to the SuSE
provided RPMs as possible, so during an update I am planning to have less headache (I
always have the headache after an update anyway).

Let's see if I can build it in a chroot build environment.

> Read the file INSTALL for needed settings in your system.
> Change the config files to your desire.
> There is fine documentation in the package!

Damn, I need more coffee, or a change to Coke, as a variant of caffeine is
needed. Thanks for reminding me. And yes, it has more documentation than the
SuSE RPMs (hint for the packagers at SuSE).
> Compartment is a fine thing, but I don't know if it runs with vsftp,
> since the daemon itself provides a chrooted environment for each user
> (read the man pages of that project).
> If you run standalone you have to use compartment, but I would prefer
> running it from xinetd.

> If you plan to chroot the anonymous user you must have him in the same
> subdir as the users you plan to give ftp access.
> You can even use vsftp with virtual users, so you don't need /etc/passwd
> and /etc/shadow.
> This is more secure.

OK, I am convinced.


>> it. Why not use "false" and provide a "false" executable under the bin
>> directory?

> FTP daemons use a directory with rights not set to the user ftp itself
> (read the INSTALL file of vsftp for that reason!).

OK, I got it now.


>> 2) Why user root and not "ftp", for instance?

> This has security purposes.
> You can create there a subdir and make it owned by ftp, e.g. incoming
> (chmod 755), and make another, e.g. Download, owned by a real user as
> download (chmod 755).
> This allows only the real user to upload files to Download; incoming can
> be uploaded to by the ftp user (I have a similar config).

OK, actually I was worried about becoming a warez hosting service, and this
explanation gives a bit of relief.



--

Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
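The "warez hosting" worry above comes down to a few vsftpd.conf options: anonymous uploads that land world-readable, or that anonymous users may read back, plus local users that are not chrooted. The checker below is an added example, not from this thread or from the vsftpd project; the two sample configs are constructed, while the option names and defaults are those documented in vsftpd.conf(5).

```python
"""Audit a vsftpd.conf for combinations that turn an anonymous 'incoming'
directory into a public drop box or leave local users unconfined."""

# vsftpd's documented defaults for the options the checks below consult.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_world_readable_only": "YES",
    "anon_umask": "077",
    "write_enable": "NO",
    "local_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
}


def parse_conf(text):
    """vsftpd.conf is one 'key=value' per line; lines starting with '#' are comments."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means no weak combination was found."""
    c = parse_conf(text)
    yes = lambda k: c[k].upper() in ("YES", "TRUE", "1")   # vsftpd's boolean spellings
    findings = []
    # Uploads by anonymous need all three of these to be on.
    anon_writes = yes("anonymous_enable") and yes("write_enable") and yes("anon_upload_enable")
    if anon_writes and not yes("anon_world_readable_only"):
        findings.append("anonymous can download its own uploads: anon_world_readable_only=NO")
    if anon_writes and (int(c["anon_umask"], 8) & 0o004) == 0:
        findings.append("anon_umask %s leaves uploaded files world-readable" % c["anon_umask"])
    if anon_writes and yes("anon_mkdir_write_enable"):
        findings.append("anonymous may create directory trees: anon_mkdir_write_enable=YES")
    if yes("local_enable") and not (yes("chroot_local_user") or yes("chroot_list_enable")):
        findings.append("local users are not chrooted: chroot_local_user=NO and no chroot list")
    return findings


# Constructed sample: an incoming area that doubles as a download site.
WEAK = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n" \
       "anon_world_readable_only=NO\nanon_umask=022\nlocal_enable=YES\n"
# Constructed sample: uploads land mode 600 and cannot be read back; locals are chrooted.
HARDENED = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n" \
           "anon_world_readable_only=YES\nanon_umask=077\nlocal_enable=YES\nchroot_local_user=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or ["ok"])
```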



--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here