Date: Sat, 13 Jan 2001 18:27:27 +0100 (MET)
From: Peter Ross <petros@pps.de>
To: security@freebsd.org
Subject: Re: Proposed modification to ftpd
Message-ID: <200101131727.SAA23176@feder.pps.de>
Hello,

next week I have to change an ftp server. I read the thread starting with the message from Fernando Schapachnik <fpscha@ns1.via-net-works.net.ar> on Fri, 29 Dec 2000 13:29:45 -0300 (ART):

> I just submitted PR bin/23944, which contains a patch against
> 4.2R ftpd to add the following functionality to chrooted users: The
> user's home dir is split by the first '/./'. The first part is
> used to chroot, and the second to chdir (eg,
> '/usr/local/www/data/site/./htdocs', means chroot to
> /usr/local/www/data/site, and then chdir to htdocs).
>
> The reason I consider it (somehow) security related is that
> it is meant to simplify migration from (usually
> remote-root-exploitable) wu-ftpd, which uses the same syntax.

I want to migrate (for security reasons). I wish that the user doesn't see /etc or /bin after login, because some of them are using scripts to receive data. These scripts could have instructions like "mput *". There are more than one or two users and I don't like Monday telephone calls: "It doesn't work". Some users are confused by the smallest changes.

I created a home directory owned by the FTP account and used /etc/ftpchroot. Fortunately ls is an integrated part of ftpd - no bin directory necessary. Also there's no etc. According to the man page I only see uids (no names because there is no passwd database) but I think that isn't a problem. At the moment I can't see other problems. It seems to work.

ftpd(8):
> ~ftp Make the home directory owned by ``root'' and unwritable
> by anyone.

Hmmh. Now the home directory is 775 (a different user with the same gid moves the files in our network or from it).

Would you prefer my way to migrate wu-ftpd -> ftpd rather than implement the "*/./*" syntax? Any risks?

Regards
Peter Ross

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
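The '/./' home-directory convention quoted above (chroot to the part before the marker, chdir to the part after it), as an added illustration that is not the PR bin/23944 patch or any ftpd code; the function names `split_chroot_home` and `home_splits_to` and the handling of a missing or trailing marker are assumptions of this example:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the PR bin/23944 patch itself. Splits a chrooted
 * user's home directory on the first "/./" marker (the wu-ftpd convention
 * the thread discusses): the part before the marker is the chroot
 * directory, the part after it is the directory to chdir into inside the
 * new root. Without a marker the whole home becomes the root and the
 * session starts at "/". Returns 0 on success, -1 if a buffer is too small. */
int split_chroot_home(const char *home, char *root, size_t rootlen,
                      char *dir, size_t dirlen)
{
    const char *marker = strstr(home, "/./");
    size_t rlen = marker ? (size_t)(marker - home) : strlen(home);
    const char *rest = marker ? marker + 3 : "";

    /* An empty prefix ("/./pub") means chroot to "/" itself. */
    if (rlen == 0) {
        if (rootlen < 2) return -1;
        strcpy(root, "/");
    } else {
        if (rlen + 1 > rootlen) return -1;
        memcpy(root, home, rlen);
        root[rlen] = '\0';
    }

    /* No marker, or a trailing "/./", means chdir to "/" inside the root. */
    if (*rest == '\0') rest = "/";
    if (strlen(rest) + 1 > dirlen) return -1;
    strcpy(dir, rest);
    return 0;
}

/* Convenience check: does `home` split into the expected root and dir? */
int home_splits_to(const char *home, const char *want_root, const char *want_dir)
{
    char root[256], dir[256];
    if (split_chroot_home(home, root, sizeof root, dir, sizeof dir) != 0) return 0;
    return strcmp(root, want_root) == 0 && strcmp(dir, want_dir) == 0;
}

int main(void)
{
    char root[256], dir[256];
    const char *home = "/usr/local/www/data/site/./htdocs"; /* example from the thread */
    if (split_chroot_home(home, root, sizeof root, dir, sizeof dir) == 0)
        printf("chroot=%s chdir=%s\n", root, dir);
    return 0;
}
```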