vsftpd ~ftp/pub permission woes for uploads

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Mon Apr 26 16:13:09 UTC 2004


On Mon, 26.04.2004 at 07:10, Matt Hansen wrote:

> default ownership/permissions in place... Apologies for wasting ML
> space, but any comments/thoughts from more experienced ftp admins are
> still welcome. 
> 
> Regards,
> Matt

What kind of comments do you request, Matt? That FTP is an insecure
protocol, at least if you do not use it through encrypted connections?
For your users, given they have a valid login shell, I would highly
recommend using SCP. You can use the gftp client for SCP connections.
For the cases where users shall not be able to log in to the system but
should be able to transfer data to their directory - which is common if you
do webhosting - I recommend using SFTP/FTP with TLS. Unfortunately
vsftpd does not support that. But there are good alternatives with
proftpd and pure-ftpd. Of course both FTP daemons are more complex, but
that's always the price for more features. I am running proftpd with TLS
enabled - the control session can be encrypted, the data session too, so
both or just one, at least the control session encryption is essential
to not let plain user authentication data go through the net - and
it's not that difficult. A very nice console client with TLS support is
c-kermit. Another client with GUI is Igloo-FTP.
Running anonymous FTP you have to take care that this is not misused by
people uploading illegal stuff for others. I am using anonymous FTP here
at home, so that friends can upload files, if that is required from time
to time. I configured the incoming directory in such a way that after an
upload is finished it is immediately neither visible nor accessible any more
to anyone, except me as FTP administrator. The files are just hidden from
public view, and what's important too, they can't be overwritten or
deleted.
The permission scenario you described in your first mail sounds very
bad. chmod o+rwx on a directory is almost always awful. Remember that what
counts is which system user the FTP daemon process runs as - i.e. the
anonymous ftp account. It does not matter that the remote anonymous user
has no account data.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2179.nptl
Sirendipity 17:55:40 up 8 days, 41 users, load average: 0.03, 0.11, 
                   [ Γνωθι σ'αυτον - gnothi seauton ]
             my life is a planetarium - and you are the stars
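
An added example, not part of the original message: a Python audit of an anonymous FTP tree that evaluates permissions for the system account the daemon runs as, which is the point made above about chmod o+rwx and the hidden incoming directory. The `incoming` directory name, the function names and the uid/gid 65534 in the demo are assumptions, and the sample tree is constructed.

```python
import os
import stat

def effective_bits(st, uid, gids):
    """rwx bits (0-7) the kernel applies to a non-root process with uid/gids."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit_anon_ftp(root, uid, gids, upload_dirs=("incoming",)):
    """Return (relative path, problem) pairs for an anonymous FTP tree.

    uid/gids: identity of the account the FTP daemon uses for anonymous
    sessions. upload_dirs: paths relative to root (hypothetical layout).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        st = os.lstat(dirpath)
        bits = effective_bits(st, uid, gids)
        if rel not in upload_dirs:
            if bits & 2:
                findings.append((rel, "writable by the FTP account outside the upload area"))
            continue
        if bits & 4:
            findings.append((rel, "upload directory can be listed by the FTP account"))
        if bits & 2 and not st.st_mode & stat.S_ISVTX:
            findings.append((rel, "no sticky bit: FTP account can delete or replace any upload"))
        for name in files:
            fst = os.lstat(os.path.join(dirpath, name))
            if fst.st_uid == uid:
                findings.append((os.path.join(rel, name), "still owned by the FTP account"))
            elif effective_bits(fst, uid, gids) & 6:
                findings.append((os.path.join(rel, name), "readable or writable by the FTP account"))
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        for name, mode in (("pub", 0o777), ("incoming", 0o1733)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        # 65534 stands in for the FTP account's uid/gid (assumption)
        for path, problem in audit_anon_ftp(root, 65534, {65534}):
            print(f"{path}: {problem}")
```

The checks cover filesystem permissions only; restrictions the FTP daemon enforces itself are outside what this script can see.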