[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Best practice vsftpd writable root inside chroot()

Maik Stubbe wrote:
> I need full access from all clients to their home directory
> including uploads. I'm aware of the security risks using ftp. But
> there isn't another option like sftp. ~60 clients with a minimum of
> knowledge of security risks and technical understanding. It will be
> a hard and non-profitable way to switch over to sftp or even http.

To be completely blunt with that constraint I don't know why you worry
about proactive security.  It is impossible.  Sorry.

Instead I would set up intrusion monitoring and try to be reactive.
Hopefully you will be such a small fish that no one will poke at you
and you won't have any problems.  But if you do then you can notice
with the intrusion detection and react quickly afterward.  That might
be enough for you.

> > > 4. Using packages from Jessie: My preffered choice. But how to
> > >    control security updates?
> > 
> > Does the Jessie vsftpd allow writable chroots?  Sounds like a bug to
> > be filed to me.
> It is a "problem" of vsftpd. They decided to disable ftp with
> writable $HOME if chroot is enabled [1], [2].
> [1]: https://security.appspot.com/vsftpd/Changelog.txt (Version 2.3.5)
> [2]: https://security.appspot.com/vsftpd/FAQ.txt (Q3)

Good plan!  :-)  It looks like they did that in 2.3.4.

  v2.3.4 - Add stronger checks for the configuration error of running
  with a writeable root directory inside a chroot(). This may bite
  people who carelessly turned on chroot_local_user but such is life.

Then gave some relief in 2.3.5.

  v2.3.5 - Add new config setting "allow_writeable_chroot" to help
  people in a bit of a spot with the v2.3.5 defensive change. Only
  applies to non-anonymous.

Version 2.3.5 is in Wheezy 7 Stable.  If you are running Stable then
you should already have that feature available to you.  Are you
running Oldstable Squeeze 6?  If so then an upgrade to Stable should
fix you right up.

> It's a matter of old versions in Debian. Jessie provides the newer
> version with the new config setting.

If it is a different feature then you could request a backport from
Testing to Stable.



Attachment: signature.asc
Description: Digital signature

Reply to: