LinuxQuestions.org
Old 06-03-2003, 10:41 AM   #1
Korff
Member
 
Registered: May 2003
Location: Central Florida
Distribution: Gentoo
Posts: 103

Rep: Reputation: 15
Vsftpd Folder ownerships - Is this secure?


Ok I have three accounts and 2 folders for use with the FTP. All are set to sbin/nologin and are chrooted to their home directory.

Folders - Owner - Group - Permissions
/shared upload download rwxr-xr-x
/shared/status upload status rwxr-xr-x

User - Home
upload /shared
download /shared
status /shared/status

The upload user has access to do anything within /shared. They can read/write/enter in both /shared and the subdir /status.

The download user is used for reading (not writing!) from /shared. I don't really care if they can also read from /status as long as they cannot write anything anywhere.

The status user is only used to load an image from /shared status embedded on a webpage ("If you can see this image <img src="ftp://statusassword@ser.ver.ip.add/online.gif"> then the FTP is up") and it cannot write anything or read files outside the status folder.

What I'm concerned about is that I have upload having ownership of the folders, and not root or korff. Is this a security hole?
 
Old 06-04-2003, 03:07 PM   #2
TheOther1
Member
 
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32
Not sure about the ownership. Chris Evans of http://vsftpd.beasts.org, who wrote vsftpd, sent me an email saying this on ownership:

[Begin email snippet]
> 2) How can I limit what dirs people have access to? For example I
> want people to only be able to D/L from /var/FTP and be able to U/L to
> /var/FTP/Uploads. I have read the docs and tweaked the .conf file but
> did not see the dir access anywhere. Is it the home dir of the
> nonpriv user I made (ftp-nopriv)

That's a fairly standard configuration.
You want the "ftp" user to have a home directory of /var/FTP.
/var/FTP should be owned by root with permissions drwxr-xr-x.
The /var/FTP/Uploads directory should be owned by root with permissions drwxr-x-wt.

The nopriv user's home directory isn't used for anything.
[End email snippet]

HTH!
 
Old 06-06-2003, 01:05 PM   #3
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
/shared upload download rwxr-xr-x
/shared/status upload status rwxr-xr-x

Why do you need execute permissions? I guess you could just turn them off, right?
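
The permission strings quoted in this thread, decoded as an added example (not code from any poster or from vsftpd): it applies standard Unix directory semantics to show what each FTP account gets under both layouts, and what removing the execute bit would do. The function names are illustrative, and each account is assumed to belong only to the group that shares its name.

```python
import stat

SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode(text):
    """Convert an ls-style string such as 'drwxr-x-wt' to numeric mode bits."""
    mode = 0
    for i, ch in enumerate(text[-9:]):
        if ch in "rwxst":          # lowercase s/t also imply the execute bit
            mode |= 1 << (8 - i)
        if ch in "sStT":           # setuid / setgid / sticky
            mode |= SPECIAL[i]
    return mode

def access(mode, owner, group, user, user_groups):
    """Permissions `user` gets on one directory. Exactly one class applies:
    owner, else group, else other (no fall-through to a more generous class)."""
    shift = 6 if user == owner else 3 if group in user_groups else 0
    bits = (mode >> shift) & 7
    return "".join(c if bits & b else "-" for c, b in zip("rwx", (4, 2, 1)))

def review(path, mode_text, owner, group, user, user_groups):
    """Return (rwx string, findings) for FTP login account `user` on `path`."""
    mode = parse_mode(mode_text)
    got = access(mode, owner, group, user, user_groups)
    findings = []
    if user == owner:
        # At the OS level the owner of a directory may always change its mode.
        findings.append("owns the directory and may chmod it")
    if got[1] == "w" and got[2] == "x" and not mode & stat.S_ISVTX:
        findings.append("can create, rename and delete any entry (no sticky bit)")
    if got[0] == "r" and got[2] == "-":
        findings.append("can list names but cannot enter or open files (no x)")
    return got, findings

# Constructed sample data: (path, mode, owner, group) rows taken from the thread.
KORFF = [("/shared", "drwxr-xr-x", "upload", "download"),
         ("/shared/status", "drwxr-xr-x", "upload", "status")]
EMAIL = [("/var/FTP", "drwxr-xr-x", "root", "root"),
         ("/var/FTP/Uploads", "drwxr-x-wt", "root", "root")]

if __name__ == "__main__":
    # Assumption: each account belongs only to the group that shares its name.
    for rows, users in ((KORFF, ["upload", "download", "status"]), (EMAIL, ["ftp"])):
        for path, mode, owner, group in rows:
            for user in users:
                print(path, user, *review(path, mode, owner, group, user, {user}))
```

On a directory the execute bit means permission to traverse it, so an account left with only `r--` can see file names but cannot change into the directory or open anything inside it.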
 
  

