LinuxQuestions.org
11-20-2003, 03:19 PM   #1
Moses420ca
Member
 
Registered: Jul 2003
Distribution: Ubuntu
Posts: 142

Rep: Reputation: 15
proftpd and file permissions


While installing Mandrake 9.1, I selected "higher security". At this level of security, a program called msec (Mandrake security tools) runs every hour, which enforces level 4 security and, what's relevant to my problem, chmods /home/* to 700.

I have proftpd 1.2.7 installed and have it configured so every user who is a member of the users group will be chrooted in ~ and everyone else will be chrooted in /home/ftp. I have proftpd configured as a standalone daemon with only one default server running as user/group ftp. When I do "ps -aux" I can see proftpd is running as user ftp. When user joe logs in, proftpd spawns itself and runs as joe. So 2 copies of proftpd are now running, one as user ftp and one as user joe. My problem is joe has no rights in /home/ftp/ no matter what group he's a member of. I can get it to work if I do "chmod o+r /home/ftp" but msec just changes it back again. This isn't how I would want my file permissions anyway.

I can't change the directories around because /home/ is on a different hard disk. I thought I could "mount --bind /home/ftp/ /var/ftp/" but even though others have read permissions in /var/ftp/, the permissions for /home/ftp/ override. (I couldn't get binds to work from /etc/fstab anyway. If anyone knows how to do this, don't hesitate to comment.)

Some things that I think I could do:
1) Make a custom permission level for msec to enforce that allows the group ftp access in /home/ftp/ and add everyone to the group ftp. I've never done that without X but I think I can just edit the file /usr/share/msec/perm.4. In that file, a line reads "/home/* current 700". If I modify that line to read "/home/* current 740", would this make my server somehow exploitable? I'm thinking with this configuration, if user john wants to give user joe access to /home/john, joe would just have to join the group john.

2) Run proftpd as user ftp for everyone. I don't want to UserAlias every user I have in the proftpd.conf. Maybe I could include a users.conf and Alias them as user ftp in there. This would make managing users harder so it would be a last resort to fix my problem.

Thanks for any help.
 
12-08-2003, 05:17 AM   #2
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 46
Quote:
1) Make a custom permission level for msec to enforce that allows the group ftp access in /home/ftp/ and add everyone to the group ftp. I've never done that without X but I think I can just edit the file /usr/share/msec/perm.4. In that file, a line reads "/home/* current 700". If I modify that line to read "/home/* current 740", would this make my server somehow exploitable? I'm thinking with this configuration, if user john wants to give user joe access to /home/john, joe would just have to join the group john.
You should make your modifications in the file /usr/share/msec/perm.local or something like that. I'll check when I get home.
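
Added example, not part of either post: the question in post #1 turns on what a mode such as 740 on a directory actually gives group members. This script applies the standard Unix owner/group/other check to a directory mode (ACLs ignored); the uids, gids and the 750 comparison mode are constructed for illustration.

```shell
#!/bin/sh
# Added example: classic Unix owner/group/other check for a DIRECTORY.
# All uids/gids below are constructed sample values, not from the thread.

# dir_access MODE DIR_UID DIR_GID USER_UID "USER_GIDS"
# Prints what the user may do: list, traverse, create (or "none").
dir_access() {
    mode=$1; d_uid=$2; d_gid=$3; uid=$4; gids=$5
    bits=$((0$mode))                  # leading 0 => parsed as octal

    if [ "$uid" -eq 0 ]; then         # root bypasses the mode bits
        echo "list traverse create"; return
    fi

    # Exactly one class applies: owner first, then group, then other.
    shift_by=0
    if [ "$uid" -eq "$d_uid" ]; then
        shift_by=6
    else
        for g in $gids; do
            if [ "$g" -eq "$d_gid" ]; then shift_by=3; break; fi
        done
    fi
    rwx=$(( ($bits >> $shift_by) & 7 ))

    out=""
    # r: read the names of the entries
    if [ $((rwx & 4)) -ne 0 ]; then out="$out list"; fi
    # x: enter the directory and reach the files inside it
    if [ $((rwx & 1)) -ne 0 ]; then out="$out traverse"; fi
    # w and x together: add or remove entries
    if [ $((rwx & 3)) -eq 3 ]; then out="$out create"; fi
    out=${out# }
    echo "${out:-none}"
}

# Constructed scenario: /home/ftp owned by ftp:ftp (uid 14, gid 50);
# joe is uid 501, in group users (100) and optionally ftp (50).
for m in 700 740 750 704; do
    printf '%s  joe in ftp: %-15s joe not in ftp: %s\n' "$m" \
        "$(dir_access "$m" 14 50 501 '100 50')" \
        "$(dir_access "$m" 14 50 501 '100')"
done
```

On a directory, read without search (740) lets a group member list names but not enter it or open files inside. Because only one class is consulted, 704 gives a member of the owning group nothing even though "other" may list.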
 
  

