Vsftpd Folder ownerships - Is this secure?
OK, I have three accounts and two folders for use with the FTP. All are set to sbin/nologin and are chrooted to their home directory.

Folder          Owner   Group     Permissions
/shared         upload  download  rwxr-xr-x
/shared/status  upload  status    rwxr-xr-x

User      Home
upload    /shared
download  /shared
status    /shared/status

The upload user has access to do anything within /shared. They can read/write/enter in both /shared and the subdir /status.

The download user is used for reading (not writing!) from /shared. I don't really care if they can also read from /status as long as they cannot write anything anywhere.

The status user is only used to load an image from /shared/status embedded on a webpage ("If you can see this image <img src="ftp://status:password@ser.ver.ip.add/online.gif"> then the FTP is up") and it cannot write anything or read files outside the status folder.

What I'm concerned about is that I have upload owning the folders, and not root or korff. Is this a security hole?
Not sure about the ownership. Chris Evans of http://vsftpd.beasts.org, who wrote vsftpd, sent me an email saying this on ownership:

[Begin email snippet]

> 2) How can I limit what dirs people have access to? For example I
> want people to only be able to D/L from /var/FTP and be able to U/L to
> /var/FTP/Uploads. I have read the docs and tweaked the .conf file but
> did not see the dir access anywhere. Is it the home dir of the
> nonpriv user I made (ftp-nopriv)

That's a fairly standard configuration. You want the "ftp" user to have a home directory of /var/FTP.

/var/FTP should be owned by root with permissions drwxr-xr-x.

The /var/FTP/Uploads directory should be owned by root with permissions drwxr-x-wt.

The nopriv user's home directory isn't used for anything.

[End email snippet]

HTH!
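As an added example (not from this thread or from vsftpd itself), the script below recreates the layout from the email under a temporary directory, applies the two recommended modes, and audits a directory's mode string and owner so the check can be rerun after any change. The directory names under the temp dir are constructed; ownership stays the current user because chown to root needs root, so the expected owner is passed in as an argument.

```shell
#!/bin/sh
# mode_of PATH -> permission string as ls shows it, e.g. drwxr-x-wt
# (parses `ls -ld`, so PATH is assumed to contain no whitespace)
mode_of() {
    set -- $(ls -ld "$1")
    m=$1
    m=${m%[+@.]}        # drop the ACL/SELinux marker some ls versions append
    printf '%s\n' "$m"
}

# owner_of PATH -> owner name as ls shows it
owner_of() {
    set -- $(ls -ld "$1")
    printf '%s\n' "$3"
}

# audit_dir PATH WANT_MODE WANT_OWNER -> 0 if both match, 1 otherwise (reports each mismatch)
audit_dir() {
    have_mode=$(mode_of "$1"); have_owner=$(owner_of "$1"); rc=0
    [ "$have_mode" = "$2" ]  || { echo "$1: mode $have_mode, want $2"; rc=1; }
    [ "$have_owner" = "$3" ] || { echo "$1: owner $have_owner, want $3"; rc=1; }
    return $rc
}

# world_writable PATH -> 0 when "other" has write permission (the only class the
# chrooted ftp user falls into when the directory is owned by root)
world_writable() {
    case $(mode_of "$1") in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# build_tree BASE -> BASE/FTP (download root) and BASE/FTP/Uploads (drop box)
build_tree() {
    mkdir -p "$1/FTP/Uploads"
    chmod 755  "$1/FTP"          # drwxr-xr-x: readable, writable only by owner
    chmod 1753 "$1/FTP/Uploads"  # drwxr-x-wt: others may write/enter, not list;
                                 # sticky bit stops them deleting each other's files
}

# Stand-alone demo: build the tree and audit it against the email's modes.
demo() {
    base=$(mktemp -d); build_tree "$base"; me=$(owner_of "$base/FTP")
    audit_dir "$base/FTP" drwxr-xr-x "$me" && echo "$base/FTP ok"
    audit_dir "$base/FTP/Uploads" drwxr-x-wt "$me" && echo "$base/FTP/Uploads ok"
    rm -rf "$base"
}
demo
```

On the real server, run audit_dir with root as the expected owner; a mismatch on the download root is exactly the situation the question asks about.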
> /shared         upload  download  rwxr-xr-x
> /shared/status  upload  status    rwxr-xr-x

Why do you need execute permissions? I guess you could just turn them off, right?