
List:       proftpd-devel
Subject:    [Proftpd-devel] Re: [Proftpd-user] AuthUserFile and UserIDs
From:       TJ Saunders <tj () castaglia ! org>
Date:       2002-09-18 21:10:34


mike>    The problem that we are finding in our testing is the
mike>changing of userIDs/homedirs.  ProFTPd will not let you login
mike>unless your home directory is accessible.  This prevents users
mike>from entering other users' directories. Not quite though.

This is done deliberately.  In older versions, proftpd allowed users to
log in to directories to which that user had no permissions.  The client
would log in, but then not be able to do anything, which caused a lot of
user confusion.  If there's a reason a user should be able to access
multiple directories, then the filesystem permissions should allow for
this.

mike>A user could change the ID number of the user to 0 for example
mike>and their home directory to /root. Clearly this is a very large
mike>security hole in giving users access to this.

It is not a security hole; it is a consideration in a site-specific
policy.  An AuthUserFile is a drop-in replacement for /etc/passwd.

mike>directive in the proftpd.conf file set the UNIX system user that we
mike>would like, we avoided this problem, but it seems that we don't.

The User configuration directive sets the user under which a vhost
operates, until the client authenticates.  In the case of the "server
config", this is the user under which the daemon runs, rather than
operating as root.  In an <Anonymous> section, User is used to determine
what username, as provided by a client via USER, is to be treated as an
anonymous login.

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Never underestimate the potency, and the brevity, of novelty.

     -TJ Saunders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
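
Added example, not part of the original message and not ProFTPD code: since an AuthUserFile is read like /etc/passwd, a site whose policy forbids privileged IDs or homes outside the FTP tree can audit the file before the daemon uses it. The base directory /srv/ftp, the minimum ID of 1000, the function name and the sample entries are all assumptions made for illustration.

```python
import posixpath

# Constructed sample in passwd(5) format; not taken from the thread.
SAMPLE = """\
alice:$1$abc$hash:5001:5001:Alice:/srv/ftp/alice:/bin/false
bob:$1$abc$hash:0:0:Bob:/root:/bin/false
carol:$1$abc$hash:5003:5003:Carol:/srv/ftp/carol/../../../etc:/bin/false
dave:$1$abc$hash:5001:5004:Dave:/srv/ftp/dave:/bin/false
broken:line
"""

def audit_authuserfile(text, base="/srv/ftp", min_id=1000):
    """Return (lineno, username, problem) for entries that break the site policy."""
    findings, seen_uids = [], {}
    base = posixpath.normpath(base)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, _pw, uid, gid, _gecos, home, _shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            findings.append((lineno, name, "non-numeric uid/gid"))
            continue
        # UID 0 (or any system ID) here means the FTP session runs with that ID.
        if uid < min_id:
            findings.append((lineno, name, f"uid {uid} below {min_id}"))
        if gid < min_id:
            findings.append((lineno, name, f"gid {gid} below {min_id}"))
        if uid in seen_uids:
            findings.append((lineno, name, f"uid {uid} shared with {seen_uids[uid]}"))
        else:
            seen_uids[uid] = name
        # Lexical check only: collapses ".." but does not follow symlinks.
        resolved = posixpath.normpath(home)
        if not home.startswith("/") or not resolved.startswith(base + "/"):
            findings.append((lineno, name, f"home {home} outside {base}"))
    return findings

if __name__ == "__main__":
    for lineno, name, problem in audit_authuserfile(SAMPLE):
        print(f"line {lineno}: {name}: {problem}")
```
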


