Date:      Fri, 09 Apr 1999 19:09:23 -0600
From:      Brett Glass <brett@lariat.org>
To:        security@freebsd.org
Subject:   Interesting problem: chowning files sent via FTP
Message-ID:  <4.2.0.32.19990409184654.045424d0@localhost>

Here's an interesting security problem that perhaps folks on this list can 
help with. I'm working with a client who does printing and computer 
graphics. He wants his customers to be able to upload graphics files via 
FTP and then allow an on-site operator to retrieve them.

The customers should be able to FTP only into their own home directories 
(easy to implement via the built-in chrooting features of ftpd). The 
operator should be able to read and delete the files the users upload, 
preferably via NFS. But he shouldn't have full root privileges -- rather, 
he should have just enough privilege to work with those files.

It seems to me that a good way to implement this would be to have the 
customers make their uploaded files group read/writable by a group of which 
the operator is the sole member. The operator would then mount /home via 
NFS, and would be granted only the privileges associated with his user ID 
and group. This would allow him to read and delete the files that the users 
had uploaded for him, but would not let him mess with the directory 
structure or with any files that hadn't been uploaded with the right modes 
or ownership.

There are two problems, though. First of all, it appears that FTP doesn't 
have a built-in way of setting group ownership of an uploaded file. (It 
does let you set the UMASK, but there's no obvious way to say which group 
"owns" the file.) How could this be done by the FTP client? Can the 
customer give group ownership of the file to a group of which the user is 
not himself a member?

Second, I need to set up NFS so that only the operator can mount /home from 
his one machine, and only with the privileges that would be accorded to him 
if he logged onto the machine himself. We want to make this as secure as 
possible, since the customers' data may be proprietary. So, we'll want to 
restrict NFS mounts to a specific IP address and authenticate as best we 
can. (If it's REALLY necessary, we may be able to have the operator use FTP, 
but this is less desirable than letting him mount the directory.)

Ideas on how to solve these two problems? Any other considerations I should 
be thinking of?

--Brett Glass

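Added example, not part of Brett's message or anything else in the FreeBSD archive: a POSIX shell sketch of the layout the message is reaching for. It stands in for the two pieces ftpd cannot do on its own. For the first problem, the customer never needs to chown anything: on FreeBSD a new file always takes the group of the directory it is created in (on Linux the directory needs the setgid bit, which 2770 sets, so the same layout works there), and a non-root user could not chgrp into a group he is not a member of anyway. With the incoming directory owned by the operator's group and ftpd run with a umask of 007, every upload lands as rw-rw---- in that group. For the second problem, an `/etc/exports` line in exports(5) syntax restricts the export to one client and uses `-mapall` to map every client uid, root included, onto the operator's account, because AUTH_SYS NFS otherwise trusts whatever uid the client presents, so restricting by IP alone would not limit the mount to the operator's privileges. Assumptions: the tree is built under a temporary DEMO_ROOT rather than /home, the "operator" group is whichever group the running user already belongs to (chosen by `pick_group`), the client host `opbox.example.com` and the file names are made up, and the customer's upload is simulated by writing a file under umask 007.

```shell
#!/bin/sh
# Added example for the FTP-drop / NFS question above; not from the original post.
# Assumptions: DEMO_ROOT stands in for /home, pick_group stands in for the real
# "operator" group, opbox.example.com is a made-up client host.
set -u

# Pick a group the current user may chgrp to: the first supplementary group if
# there is one, otherwise the primary group.  Stands in for the operator's group.
pick_group() {
    for g in $(id -G); do
        [ "$g" != "$(id -g)" ] && { echo "$g"; return 0; }
    done
    id -g
}

# Numeric group and 10-character mode string of a path, read via ls so the
# same code runs on FreeBSD and Linux (stat(1) flags differ between them).
path_group() { ls -ldn "$1" | awk '{print $4}'; }
path_mode()  { ls -ldn "$1" | cut -c1-10; }

# Create a customer's incoming directory owned by the operator's group.
# 2770: rwx for the customer and the group, nothing for others, setgid so new
# files inherit the group (FreeBSD does this for every directory; Linux needs
# the bit).  The customer still owns the directory, so he can only write here.
setup_drop() {          # setup_drop <dir> <gid>
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# Simulate the customer's upload.  ftpd creates files with the umask it was
# started with, so a umask of 007 yields rw-rw---- files that the operator's
# group can read and delete while other customers see nothing.
simulate_upload() {     # simulate_upload <dir> <name>
    ( umask 007; printf '%%!PS-Adobe-3.0 placeholder\n' > "$1/$2" )
}

# Verify an upload ended up in the drop's group with exactly rw-rw----.
check_upload() {        # check_upload <dir> <name>; returns 0 on success
    f="$1/$2"
    [ "$(path_group "$f")" = "$(path_group "$1")" ] || return 1
    [ "$(path_mode "$f")" = "-rw-rw----" ] || return 1
    return 0
}

# /etc/exports line for the second problem, in FreeBSD exports(5) syntax:
# export the home tree to a single client, and map every uid that client
# presents (root included) onto the operator's account, so the mount carries
# only the operator's own privileges regardless of who is root on the client.
exports_line() {        # exports_line <operator-login> <client-host>
    printf '/home -alldirs -mapall=%s %s\n' "$1" "$2"
}

# Demo run in a throwaway tree.
DEMO_ROOT=${DEMO_ROOT:-$(mktemp -d)}
drop="$DEMO_ROOT/customer1/incoming"
setup_drop "$drop" "$(pick_group)"
simulate_upload "$drop" job42.eps
if check_upload "$drop" job42.eps; then
    echo "upload ok: $(ls -ldn "$drop/job42.eps")"
else
    echo "upload did not get the expected group or mode" >&2
fi
echo "suggested /etc/exports entry:"
exports_line operator opbox.example.com
```

The exports line is what `-mapall` buys over a bare host restriction: without it, any account on the client, and root via `-maproot`, would be trusted at face value by the server. The directory tree is the part to test on the real box, with `ls -ldn` after an actual FTP upload, since ftpd's umask and the directory's group are the only two knobs that decide what the operator can touch.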
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.32.19990409184654.045424d0>