LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 05-17-2004, 05:20 PM   #1
szymon
LQ Newbie
 
Registered: May 2003
Posts: 28

Rep: Reputation: 15
pure-ftpd and root login


Hey!

I have a little problem with pure-ftpd. When i generate config file for it, everything works fine. No anonymous logins, bandwitch regulation etc...but i can`t login as root user. Pure says that he can`t trust me :-). Although
when i run pure-ftpd withoud -E function (which if i as far as i know means "use config file " ;-) ) i can login as root, but everything else is default. So can anyone tell me what function should i use in pureftp.conf to be able to use root account on my ftp?

Thanks

Szymon
 
Old 05-17-2004, 05:27 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
I don't know anything about that FTP daemon, but logging in as root over FTP is a very bad idea. The reason for this is FTP transmits the password over the network in clear text, so it can easily be read by anyone running a packet sniffer on the network. You should look into SFTP instead. Your sshd will be able to handle SFTP, and so long as you allow root to login over ssh (which is the default in most installations that I've seen), you will be fine.
 
Old 05-17-2004, 05:36 PM   #3
szymon
LQ Newbie
 
Registered: May 2003
Posts: 28

Original Poster
Rep: Reputation: 15
the thing is that my network is me and my neighbor (who barely knows how to install software on his windows machine :-) so he is rather harmless). But thanks for warning i will watch out in future.
 
Old 03-12-2012, 05:14 AM   #4
pauliolio
LQ Newbie
 
Registered: Jan 2012
Posts: 7

Rep: Reputation: Disabled
szymon's not alone

In trying to find the answer to this I've seen quite a few people ask the question, but no one's ever answered it.

Without fail all you get is someone saying 'Logging in as root is a bad idea.... blah, blah....'

So's getting in a car & driving to work! - Do you know how many people get killed on the world's roads each day?
But without fail, despite knowing the dangers, people weigh the advantages against the risks, make a decision, and do it anyway because they have a need that can't be met any other way.
If you ask someone who's been driving for years to teach you how to, they might tell you it's dangerous, but they'll still teach you.
Why do linux users get stuck at the warning stage? 'Yeah, I know you want to learn to drive but it's dangerous so I won't tell you how to!'

Last edited by pauliolio; 03-12-2012 at 05:16 AM.
 
Old 03-12-2012, 10:59 AM   #5
verigoth
Member
 
Registered: May 2002
Posts: 179

Rep: Reputation: Disabled
Did you really just compare sending the root password over the network in clear text to driving a car? Driving a car is dangerous, yes, but certainly not reckless. A better analogy would be sitting on top of the car while your drunk 7 year old daughter drives you to work...there's really just no reason it should EVER be done. There is always another solution..adding a non-root user to certain groups and changing ownership/permissions of files/folders/devices usually does the trick. Even using something with encryption like ssh is still a bad idea to login as root unless it cannot be avoided (which I would argue that it can). Things like sudo make the root account all but unnecessary - in fact I typically disable it.

If you say your network is just you and your neighbor then I assume it is a wireless network. That makes sending the root password over clear text even more stupid. No wireless encryption/security scheme is perfectly secure, and everything you send over the network is sent out as radio waves for ~100 meters.

The "actual answer" to this is likely a configuration issue. I'm also unfamiliar with pure-ftpd, but the man page says, "Note that ftpd allows remote users to log in as root if the password is known and -u not used." So somewhere in your configuration file is a line akin to the -u switch that will not allow users below a certain uuid to login.
 
Old 03-13-2012, 10:36 AM   #6
pauliolio
LQ Newbie
 
Registered: Jan 2012
Posts: 7

Rep: Reputation: Disabled
Yes & no

Yes I did compare, and no I didn't say that my network was just my neighbour & I on a wireless connection - that was someone else.

If the situation was akin to letting a drunk daughter drive the car while sitting on top...???
No, but sometimes things just have to be done in a way that is not ideal.
I'm in a situation where I've inherited the job of looking after a creaky old linux box that's been put together by various people over the years, has had various jobs assigned to it in that time & is having to work with systems it was never meant to.
One area it is vaguely linked to uses an old free bit of software that will only use ftp to connect, and needs access to various places on the system, data owned by various accounts,... it's a mess.
Reassigning ownership, creating new groups, you name it would take ages, & would eventually end up with an account that is pretty much root by another name.

It's a wired network, it's not an Enterprise Critical machine, it's backed up, and after the 30 - 60 mins it takes for the job to complete I can change the root password to something new.

If anyone was monitoring a backwater machine like this one waiting for the one chance in 12 years to grab the root password, 1 - They're very, very sad. 2 - It wouldn't do them any good for long.

Yes - Having weighed the risks against the benefits, in this particular case, on this particular system, logging in as root over ftp is the best (pretty much only) way to do it.

I don't think I'd let my drunk daughter do it though - that would just be silly
 
Old 03-13-2012, 12:28 PM   #7
verigoth
Member
 
Registered: May 2002
Posts: 179

Rep: Reputation: Disabled
Right it was the OP who is likely on a wireless network - I haven't been here in so long I don't remember how to do much more than enter text for a reply - sorry for the confusion.

I'm sure there are many boxes out in the world doing things such as you described, but I still maintain it is a bad idea. Find a replacement for the software or hire a firm to replace it for you. Instead of mashing together some stuff that "isn't meant to work together" perhaps it would be best to find other solutions from things that are meant to work together. If I get your root password and login before you change it there's not really much you can do at that point. Now I have an internal device to launch my attack on your important machines or launch an attack on somebody else that is traced back to you. Is this likely to happen? No, but I bet it would be your ass if it did. Just saying.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
pure-ftpd root directory rootking Linux - Server 4 08-17-2007 09:30 PM
pure-ftpd roofy Linux - Software 6 03-05-2007 05:06 AM
Enable root login in wu-ftpd? Sevoma Linux - Software 5 02-04-2005 07:49 PM
Pure-ftpd, login with MySQL as control - problem KR-data Linux - Software 0 01-29-2005 07:29 PM
Pure FTPD help oACEo Linux - Newbie 2 12-07-2003 12:34 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 07:02 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration