Korff 06-03-2003 10:41 AM

Vsftpd Folder ownerships - Is this secure?
 
Ok I have three accounts and 2 folders for use with the FTP. All are set to sbin/nologin and are chrooted to their home directory.

Folders - Owner - Group - Permissions
/shared upload download rwxr-xr-x
/shared/status upload status rwxr-xr-x

User - Home
upload /shared
download /shared
status /shared/status

The upload user has access to do anything within /shared. They can read/write/enter in both /shared and the subdir /status.

The download user is used for reading (not writing!) from /shared. I don't really care if they can also read from /status as long as they cannot write anything anywhere.

The status user is only used to load an image from /shared status embedded on a webpage ("If you can see this image <img src="ftp://status:password@ser.ver.ip.add/online.gif"> then the FTP is up") and it cannot write anything or read files outside the status folder.

What I'm concerned about is that I have upload having ownership of the folders, and not root or korff. Is this a security hole?

TheOther1 06-04-2003 03:07 PM

Not sure about the ownership. Chris Evans of http://vsftpd.beasts.org, who wrote vsftpd, sent me an email saying this on ownership:

[Begin email snippet]
> 2) How can I limit what dirs people have access to? For example I
> want people to only be able to D/L from /var/FTP and be able to U/L to
> /var/FTP/Uploads. I have read the docs and tweaked the .conf file but
> did not see the dir access anywhere. Is it the home dir of the
> nonpriv user I made (ftp-nopriv)

That's a fairly standard configuration.
You want the "ftp" user to have a home directory of /var/FTP
/var/FTP should be owned by root with permissions drwxr-xr-x
The /var/FTP/Uploads directory should be owned by root with permissions drwxr-x-wt

The nopriv user's home directory isn't used for anything.
[End email snippet]

HTH!

pk21 06-06-2003 01:05 PM

/shared upload download rwxr-xr-x
/shared/status upload status rwxr-xr-x

Why do you need execute permissions? I guess you could just turn them off, right?
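
Added example, not part of any post in this thread: a small Python model that works out which permission triad applies to each account for the two directory layouts quoted above, and flags directories owned by an FTP login account. The group memberships (each account only in the group sharing its name) and the names `parse`, `triad_for` and `audit` are assumptions made for the illustration.

```python
# Added example (not from the thread): evaluate directory permission triads per user.
from collections import namedtuple

Entry = namedtuple("Entry", "path owner group mode")

# Listings copied from the posts above.
KORFF = """/shared upload download rwxr-xr-x
/shared/status upload status rwxr-xr-x"""
EVANS = """/var/FTP root root drwxr-xr-x
/var/FTP/Uploads root root drwxr-x-wt"""
# Assumption: each account belongs only to the group that shares its name.
KORFF_USERS = {u: {u} for u in ("upload", "download", "status")}
EVANS_USERS = {"ftp": {"ftp"}}

def parse(listing):
    """Parse 'path owner group mode' lines; a leading 'd' in the mode is dropped."""
    rows = (line.split() for line in listing.strip().splitlines())
    return [Entry(p, o, g, m[-9:]) for p, o, g, m in rows]

def triad_for(entry, user, groups):
    """Pick the single triad that applies: owner, else group, else other."""
    if user == entry.owner:
        triad = entry.mode[0:3]
    elif entry.group in groups:
        triad = entry.mode[3:6]
    else:
        triad = entry.mode[6:9]
    # In the last slot 't' is sticky plus x, 'T' is sticky without x.
    return triad.replace("t", "x").replace("T", "-")

def audit(entries, users):
    """Return ({(path, user): triad}, [findings about ownership])."""
    table, findings = {}, []
    for e in entries:
        for user, groups in users.items():
            table[(e.path, user)] = triad_for(e, user, groups)
        if e.owner in users:
            # A directory's owner can change its mode bits, whatever they are now.
            findings.append(f"{e.path} is owned by login account '{e.owner}'")
    return table, findings

if __name__ == "__main__":
    for name, listing, users in (("Korff", KORFF, KORFF_USERS), ("Evans", EVANS, EVANS_USERS)):
        table, findings = audit(parse(listing), users)
        print(name, findings or "no login account owns a directory")
        for (path, user), triad in sorted(table.items()):
            # On a directory: r = list names, w = create/delete entries, x = enter/traverse.
            print(f"  {user:9} {path:17} {triad}")
```

In the printed table, `x` on a directory is the bit that lets an account enter or traverse it, and `-wx` on the uploads directory means files can be created there but the directory cannot be listed.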

