Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 06-03-2003, 10:41 AM   #1
Registered: May 2003
Location: Central Florida
Distribution: Gentoo
Posts: 103

Rep: Reputation: 15
Vsftpd Folder ownerships - Is this secure?

Ok I have three accounts and 2 folders for use with the FTP. All are set to sbin/nologin and are chrooted to their home directory.

Folders - Owner - Group - Permissions
/shared upload download rwxr-xr-x
/shared/status upload status rwxr-xr-x

User - Home
upload /shared
download /shared
status /shared/status

The upload user has access to do anything withing /shared. They can read/write/enter in both /shared and the subdir /status

The download user is used for reading (not writing!) from /shared. I don't really care if they can also read from /status as long as they cannot write anything anywhere

The status user is only used to load an image from /shared status embedded on a webpage ("If you can see this image <img src="ftp://statusassword@ser.ver.ip.add/online.gif"> then the FTP is up") and it cannot write anything or read files outside the status folder.

What I'm concerned is that I have upload having ownership of the folders, and not root or korff. Is this a security hole?
Old 06-04-2003, 03:07 PM   #2
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32
Not sure about the ownership. Chris Evans of, who wrote vsftpd, sent me an email saying this on ownership:

[Begin email snipet]
> 2) How can I limit what dirs people have access to? For example I
> want people to only be able to D/L from /var/FTP and be able to U/L to
> /var/FTP/Uploads. I have read the docs and tweaked the .conf file but
> did not see the dir access anywhere. Is it the home dir of the
> nonpriv user I made (ftp-nopriv)

That's a fairly standard configuration.
You want the "ftp" user to have a home directory of /var/FTP /var/FTP should be owned by root with permissions drwxr-xr-x The /var/FTP/Uploads directory should be owned by root with permissions drwxr-x-wt

The nopriv user's home directory isn't used for anything.
[End email snipet]

Old 06-06-2003, 01:05 PM   #3
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
/shared upload download rwxr-xr-x
/shared/status upload status rwxr-xr-x

Why do you need execute permissions? I guess you could just turn them of right?


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
anonymous folder writing with vsftpd thomas.jt Linux - Networking 3 10-31-2005 08:18 PM
VSFTPD with secure & non-secure logins Ricci Graham Linux - Software 5 04-07-2005 04:12 PM
vsftpd single upload folder RinGz Linux - Networking 2 11-13-2003 01:59 PM
vsftpd, and premoicuous. Is it secure? jsbush Linux - Security 2 11-04-2003 12:16 PM
vsftpd very very secure, so secure i can't use it... baronsam Linux - Networking 4 10-06-2003 06:12 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:40 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration