[TriLUG] FTP servers

Tanner Lovelace lovelace at wayfarer.org
Wed Sep 18 00:28:57 EDT 2002


On Tue, 2002-09-17 at 21:57, Thomas C. Meggs wrote:
 
> Tanner! :)

Tom! ;)
 
> Tanner Lovelace wrote:
> | So nice of you to just trash something without any references
> | and then recommend a commercial product.  You don't by any chance
> | own stock in NcFTP do you?  (Okay, that was a cheap shot, but
> | I did wonder...)
> 
> First off, I'm not affiliated with NcFTP. You shouldn't judge me by my
> intentions, I was just repeating some advice I heard.

Okay, I'll accept that.  As I said, it was a cheap shot, and for
what it's worth I apologize for that.  I think I must have been
having a bad day on Monday. :-(

> I ran ProFTPD for about a year with an application that required rather
> high security, and I got really sick and tired of having to patch it
> several times in succession. The third time was the charm. So forgive me
> if I still have a bitter sentiment. I admit that ProFTPD hasn't had any
> serious problems in a while. However, here are your references. :)
> 
> http://www.cert.org/advisories/CA-1999-03.html
> http://www.cert.org/advisories/CA-1999-13.html
> http://www.cert.org/advisories/CA-2000-13.html

I'll be the first to admit that no software is immune from bugs.
And, you can never tell when a bug might be found.  It seems that
in this case the bugs all hit in quick succession.  I can see how
that would have turned you off, but I still don't think it makes
proftpd a bad program.  WU-ftpd, afaik, has much worse problems
that aren't so easily fixed.
 
> A good security policy is always neccesary. On top of my usual lock
> downs I am strongly against using plain text passwords. Of course, these
> recent OpenSSH/OpenSSL vulnerabilities have been a pain in the ass.

Definitely.  For the record, the configuration of proftpd that
we have in place on the trilug machines does not make the user
use their unix account passwords.  Instead, it allows them
to access the mirrors by the e-mail address they signed up with
and their membership number.  It doesn't give access to home
directories, but rather just gives unmetered access to the
mirrors (the same thing available for metered anonymous access).
I've heard some people suggest we should move that over to
the new ldap/kerberos single sign on, but I disagree.  If we
did that, we could end up transmitting important passwords in
the clear.  As it is now, if someone sniffs the "password" 
(membership number), all they'll get is unmetered access to our
mirrors (read-only, even).  If people want access to their
home directories, they can use scp/sftp.
 
> You say that ProFTPD will not by itself allow your server to be
> compromised. How is ProFTPD presently changing the UID of its children?
> I notice that it is running as nobody. I assume it is requiring root
> privledges somewhere along the way.

I believe this is answered in question 2 of their FAQ:
(http://proftpd.net/docs/faq/linked/faq-ch6.html)  I quote:

  2. Surely running ProFTPD as non-root will help?

  Running ProFTPD as a non-root user gives only a marginal security   
  improvement on the normal case and adds some functional problems. Such
  as not being able to bind to ports 20 or 21, unless it's spawned from
  inetd.

  ProFTPD takes a middle road in terms of security. It only uses root
  privileges where required and drops to the UID defined in the config
  file at all other times. Times when root is required include, binding
  to ports < 1024, setting resource limits, reading configuration
  information and some network code.

  For Linux 2.2.x kernel systems there is the POSIX style mod_linuxprivs
  module which allows very fine grain control over privileges. This is
  highly recommended for security-conscious admins.

Cheers,
Tanner
-- 
Tanner Lovelace | lovelace(at)wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
         http://www.petitiononline.com/SSSCA/petition.html
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
 Those who are willing to sacrifice essential liberties for a little 
 order, will lose both and deserve neither.  --  Benjamin Franklin 

 History teaches that grave threats to liberty often come in times
 of urgency, when constitutional rights seem too extravagant to 
 endure.  --  Justice Thurgood Marshall, 1989 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
URL: <http://www.trilug.org/pipermail/trilug/attachments/20020918/ae6b6ac9/attachment.pgp>


More information about the TriLUG mailing list