proftpd and file permissions
While installing Mandrake 9.1, I selected "higher security". By running at this level of security, a program called msec (Mandrake security tools) runs every hour, which enforces level 4 security and, what's relevant to my problem, chmods /home/* to 700.
I have proftpd 1.2.7 installed and have it configured so every user who is a member of the users group will be chrooted in ~ and everyone else will be chrooted in /home/ftp. I have proftpd configured as a standalone daemon with only one default server running as user/group ftp. When I do "ps -aux" I can see proftpd is running as user ftp. When user joe logs in, proftpd spawns itself and runs as joe. So 2 copies of proftpd are now running, one as user ftp and one as user joe. My problem is joe has no rights in /home/ftp/ no matter what group he's a member of. I can get it to work if I do "chmod o+r /home/ftp" but msec just changes it back again. This isn't how I would want my file permissions anyway.
I can't change the directories around because /home/ is on a different hard disk. I thought I could "mount --bind /home/ftp/ /var/ftp/" but even though others have read permissions in /var/ftp/, the permissions for /home/ftp/ override. (I couldn't get binds to work from /etc/fstab anyway. If anyone knows how to do this, don't hesitate to comment.)
Some things that I think I could do:
1) Make a custom permission level for msec to enforce that allows the group ftp access in /home/ftp/ and add everyone to the group ftp. I've never done that without X but I think I can just edit the file /usr/share/msec/perm.4. In that file, a line reads "/home/* current 700". If I modify that line to read "/home/* current 740", would this make my server somehow exploitable? I'm thinking with this configuration, if user john wants to give user joe access to /home/john, joe would just have to join the group john.
2) Run proftpd as user ftp for everyone. I don't want to UserAlias every user I have in the proftpd.conf. Maybe I could include a users.conf and Alias them as user ftp in there. This would make managing users harder so it would be a last resort to fix my problem.
Thanks for any help.
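The post's first option hinges on what a relaxed perm.4 line such as "/home/* current 740" actually hands out, and on spotting directories that drift from the policy before msec's hourly run does. The script below is an added example and is not code from the original post, from msec or from proftpd: it decodes an octal mode into per-class permissions and audits every directory under a root against a maximum mode, printing the ones that grant more than the policy allows. It assumes GNU coreutils (stat -c) and a POSIX shell; the sample directory names (alice, bob, ftp) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post, msec or proftpd.
# Audits directories beneath a root against a maximum octal mode, the kind
# of check behind msec's perm.4 line "/home/* current 700", and reports any
# directory whose mode grants bits the policy does not allow.
# Assumes GNU coreutils (stat -c '%a') on Linux and a POSIX shell.

# mode_grants MODE WHO PERM
#   MODE: octal mode as printed by stat, e.g. 740 or 2750
#   WHO:  u (owner), g (group) or o (other)
#   PERM: r, w or x
# Exit status 0 if MODE grants PERM to class WHO, 1 if not, 2 on bad input.
mode_grants() {
    mode=$1; who=$2; perm=$3
    # A leading 0 makes the shell parse the digits as octal.
    case $who in
        u) digit=$(( (0$mode >> 6) & 7 )) ;;
        g) digit=$(( (0$mode >> 3) & 7 )) ;;
        o) digit=$(( 0$mode & 7 )) ;;
        *) return 2 ;;
    esac
    case $perm in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) return 2 ;;
    esac
    [ $(( digit & bit )) -ne 0 ]
}

# mode_exceeds MODE MAXMODE
# Exit status 0 if MODE sets any permission, setuid/setgid or sticky bit
# that MAXMODE does not allow (i.e. the directory is looser than policy).
mode_exceeds() {
    mode=$1; max=$2
    [ $(( 0$mode & ~(0$max) & 07777 )) -ne 0 ]
}

# audit_dirs ROOT MAXMODE
# Prints "<dir> <mode>" for every immediate subdirectory of ROOT whose mode
# exceeds MAXMODE. Prints nothing when everything conforms.
audit_dirs() {
    root=$1; max=$2
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(stat -c '%a' "$d")
        if mode_exceeds "$mode" "$max"; then
            printf '%s %s\n' "$d" "$mode"
        fi
    done
}

# Stand-alone usage: ./audit_home.sh /home 700
# Prints the directories msec would tighten on its next run.
if [ $# -ge 1 ]; then
    audit_dirs "$1" "${2:-700}"
fi
```

Run against /home with the policy mode to see which home directories (here /home/ftp after a "chmod o+r") msec will reset on its next pass. Note what 740 buys: only the directory's owning group gains read, so with /home/ftp owned by group ftp the members of ftp can list it, but nothing changes for "other". The bind-mount question in the post is separate: the /etc/fstab form of a bind mount is `/home/ftp /var/ftp none bind 0 0`, but, as the post already observes, it does not alter the mode on the underlying directory.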