
Re: Nosy ftp users



On Fri, 2002-04-19 at 17:25, Patrick Kirk wrote:
> On Fri, 2002-04-19 at 09:48, Mark Janssen wrote:
> > On Fri, 2002-04-19 at 10:42, Patrick Kirk wrote:
> > 
> > > I have a Proftpd ftp server with a user called ftp whose password is
> > > given to clients who need to get drivers, etc.
> > > Just realised that someone has logged on and cd-ed to my directory and
> > > downloaded a mailbox.
> > > But how can I prevent people doing this, as it's a very lax setup that
> > > could well lead to trouble?
> > 
> > 1. Make sure directories with 'critical' information are not
> > world-readable (like home-dirs, mailboxes etc)
> > 2. Chroot the ftp-account with the files under it (proftp supports
> 
> Thanks - this seems the best way.  
> 
> chmod -R 1700 /home
> 
> Is that the right command?  Will samba still work with those
> permissions?

That command is the nastiest command I've seen in a while. It brutalises
the permission of every file and directory under home regardless of what
it is. I know if I was a user with files under home and you did that,
I'd want your head ;)

Better to set 'other' permission (that ftp will see) to a restricted set

chmod -R o-rwx /home

Note that changes the 'other' flags of every file, directory, fifo,
socket etc. under /home. What if a user wants to get a file and has
purposely set the other flag a certain way (maybe for collaboration)?
You will be unsetting it. Make sure people using the system are aware.

Make sure the user level that proftpd is running at does not belong to a
group that may access the files (easily tested by trying to read them
using ftp).

Kind Regards
Crispin Wellington
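
An added example, not part of the message above: a shell sketch that lists what `chmod -R o-rwx` would change before it is run, so affected users can be told first, and then shows that owner and group bits survive. The function names and the sandbox tree standing in for /home are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sandbox paths and function names are constructed.

# Print every non-symlink entry under $1 that grants r, w or x to 'other'.
# These are exactly the entries `chmod -R o-rwx` would modify.
list_other_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of entries the recursive chmod would touch.
count_other_access() {
    list_other_access "$1" | wc -l | tr -d ' '
}

# Strip 'other' access only; owner and group bits stay as the user set them
# (unlike `chmod -R 1700`, which overwrites every mode bit).
restrict_other() {
    chmod -R o-rwx "$1"
}

# Build a throwaway tree standing in for /home (constructed sample data).
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/alice/Mail" "$d/bob/public"
    : > "$d/alice/Mail/inbox";   chmod 644 "$d/alice/Mail/inbox"
    : > "$d/alice/shared.txt";   chmod 664 "$d/alice/shared.txt"
    : > "$d/bob/public/drv.zip"; chmod 644 "$d/bob/public/drv.zip"
    : > "$d/bob/notes";          chmod 600 "$d/bob/notes"
    chmod 755 "$d" "$d/alice" "$d/alice/Mail" "$d/bob" "$d/bob/public"
    echo "$d"
}

# Run with the argument "demo" to see the audit and the result.
if [ "${1:-}" = "demo" ]; then
    sb=$(make_sandbox)
    echo "Entries that would change:"; list_other_access "$sb"
    restrict_other "$sb"
    echo "Remaining with 'other' access: $(count_other_access "$sb")"
    rm -rf "$sb"
fi
```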


