[linux-help] FTP access to entire drive (Was: "")
On Thu, 18 Jul 2002, Hareesh Haridas wrote:
> I have found (much to my horror) that unless there is a chroot
> setup done for ftp servers, they allow access to the entire disk
> structure by default to any valid user - (this i found in installs of
> redhat/wu-ftpd and mandrake/pro-ftpd) - and as a real user, i am able to
> get even the /etc/passwd via ftp.
1.) this is fairly common with the default installation. however, if you
are using shadow passwords (and i ***HIGHLY*** recommend it), the /etc/passwd
file is useless, except to have a list of users and some info about them
(shell, home dir, etc)... the shadow password file (which normal users should
not have access to) has the encrypted passwords...
2.) with the track record of wu-ftpd, i would recommend using something
else. there are various pkgs depending on what you need... i personally
liked the idea of VirtualFTP (vftp for short, iirc)... it uses a separate
database of users and keeps them from going outside of their home dirs by
default... proftpd should have some config stuff to prevent users from
being able to do dumb stuff, but it's been a while since i've used an ftp
daemon...
3.) i would recommend using SFTP instead, since it inherits the higher
security of SSH and does not rely on an annoying ftp-data port (and it
works MUCH better from behind a firewall)... to set it up, there's just
one line to add to your /etc/ssh/sshd_config (or wherever sshd_config is
located for you), so that part is incredibly easy. there aren't nearly as
many clients (the commandline sftp in *nix works well), but some good
ones are WinSCP (which actually uses SCP, which is related) and SecureFX
(shareware, but otherwise nice)... (oh, and just a note, this really
doesn't have a whole lot to do with the easy access to the /etc/passwd file,
it's just that i've been on an anti-ftp kick since i found sftp)
NOTE: make sure you're running OpenSSH 3.4 or higher (that is the latest
at this moment), because there was a nasty problem w/ versions 2.9-3.3...
and don't allow the default behaviour of being able to revert to SSHv1 if
the client tries to use it (look in your sshd_config file again for the
line Protocol and remove the 1)...
> I have read in some sites that this was a bug in older ftp versions and
> has been fixed in the new releases. But what i am seeing is the
> opposite. Is there a way to limit this other than chroot (which seems to
> be the best alternative) ? Just changing the permissions don't seem to be
> a good idea. Correct me if i am wrong.
i don't think this is actually a bug (tho' as i mentioned before, wu-ftpd
has been plagued with them in the last few years... someone was able to
gain root access remotely on a box with an old version of wu-ftpd on one
of my last employer's servers).... basically, this is the default
behaviour of almost any ftp daemon (including the ones in BSD installs).
i think it kind of assumes that if you setup your permissions properly,
this will be a non-issue... if you're using wu-ftpd, i'd look into
proftpd (if you still want to use FTP), because iirc, locking users into
their home dir (or any other one) was much easier...
also, on most systems (correct me if i'm wrong), you basically need 644
permissions on /etc/passwd with the owner being root and the group root...
has to do with various things needing access to the file as non-root
users, iirc...
hope some of this helps... sorry it got a little long and had some OT
sections... just ranting ; ^ )
gLaNDix
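Added example (mine, not gLaNDix's or any distribution's code): a small POSIX shell audit covering the four points in the reply above, namely that /etc/passwd only holds placeholders once shadow passwords are on, that it is mode 644, that sshd_config carries the sftp Subsystem line and no longer offers protocol 1, and that proftpd has DefaultRoot set. It runs against constructed sample files in a temp directory so it works offline; the sftp-server path and the config file locations are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example, not from the original post.  Audit helpers for the points
# raised in the thread, run here against constructed sample files.  On a real
# box point them at /etc/passwd, /etc/ssh/sshd_config and /etc/proftpd.conf
# (locations and the sftp-server path below are assumptions).

# 1) Shadow passwords: every password field in a passwd file should be a
#    placeholder ("x", "*", "!" or "!!").  Anything else (including an empty
#    field) means a hash, or no password at all, sits in a world-readable
#    file.  Returns 0 when fully shadowed, 1 otherwise.
passwd_is_shadowed() {
    awk -F: 'BEGIN { bad = 0 }
             $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { bad = 1 }
             END { exit bad }' "$1"
}

# 2) /etc/passwd is expected to be 644 root:root; compare the mode string
#    from ls -l (first 10 columns only, so ACL/SELinux markers are ignored).
file_mode_is() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]
}

# 3) sshd_config: the one line that enables SFTP is "Subsystem sftp <path>",
#    and a Protocol line must not still offer version 1 (e.g. "Protocol 2,1").
sshd_sftp_ok() {
    conf=$(sed 's/#.*//' "$1")          # strip comments before matching
    printf '%s\n' "$conf" \
        | grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' || return 1
    if printf '%s\n' "$conf" | grep -E '^[[:space:]]*Protocol[[:space:]]' \
         | grep -Eq '(^|[^0-9])1([^0-9]|$)'; then
        return 1                         # SSHv1 is still negotiable
    fi
    return 0
}

# 4) proftpd: "DefaultRoot ~" chroots each user into their home directory.
proftpd_jails_users() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*DefaultRoot[[:space:]]+~'
}

# --- constructed samples (not real system files) ---------------------------
tmp=$(mktemp -d)

cat > "$tmp/passwd.shadowed" <<'EOF'
root:x:0:0:root:/root:/bin/bash
hareesh:x:500:500:Hareesh:/home/hareesh:/bin/bash
EOF
chmod 644 "$tmp/passwd.shadowed"

# an md5-crypt style hash left in passwd (dummy value, not a real hash)
cat > "$tmp/passwd.unshadowed" <<'EOF'
root:x:0:0:root:/root:/bin/bash
hareesh:$1$saltsalt$0123456789abcdefghijkl:500:500:Hareesh:/home/hareesh:/bin/bash
EOF

cat > "$tmp/sshd_config.weak" <<'EOF'
# default still lets a client fall back to SSHv1
Protocol 2,1
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

cat > "$tmp/sshd_config.fixed" <<'EOF'
Protocol 2
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

cat > "$tmp/proftpd.conf.open" <<'EOF'
ServerName "Example FTP"
# no DefaultRoot: users can wander the whole tree
EOF

cat > "$tmp/proftpd.conf.jailed" <<'EOF'
ServerName "Example FTP"
DefaultRoot ~
EOF

# report helper: prints PASS/FAIL without tripping `set -e`
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

report passwd_is_shadowed "$tmp/passwd.shadowed"
report passwd_is_shadowed "$tmp/passwd.unshadowed"
report file_mode_is "$tmp/passwd.shadowed" -rw-r--r--
report sshd_sftp_ok "$tmp/sshd_config.weak"
report sshd_sftp_ok "$tmp/sshd_config.fixed"
report proftpd_jails_users "$tmp/proftpd.conf.open"
report proftpd_jails_users "$tmp/proftpd.conf.jailed"
```

Each check is a plain function returning 0 or 1, so the same helpers drop into a cron job or a login script; comments are stripped before matching so a commented-out `# Protocol 2,1` does not trigger a false FAIL.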
-- This is the linux-help@xxxxxxxxx list. To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi