[TCLUG] safe ftp?

[Joshua Jore]

Yep, I'd love to require that people use SFTP|SCP|SafeTP but I can't.
That's why I'm trying to get this to work well *w/* FTP.

So here was what I did for OpenBSD:

/etc/daily.local:
perl -ne "s/:.*\$//;unless(/^.+-www\$/){print}else{print STDERR}" \
/etc/passwd 1> /etc/ftpusers 2> /etc/ftpchroot

so I've got a user named 'qw' whose uid/gid are 1101. Create a second user
named 'qw-www' using the same uid/gid but a different password. /home/qw
is qw's home dir, /home/qw/data is qw-www's home dir. qw-www is chrooted
to his home dir, qw can't ftp. Also create a group for ssh access and put
qw into that group. This way qw can do ssh, qw-www ftp. This keeps the
ftp-ed, insecure user+pass from being able to trojan the qw user or any
other part of the system. I've also installed the TPE/Stephanie patchset.
In this case, the qw user is trusted, the qw-www is not. The idea is,
should qw-www be comprimised and somehow gain access to start executing
binaries, the user is locked out from running things that aren't
sanctioned by root. Supposedly the openwall patches for linux do something
similar but I haven't checked them out.

So... in general the qw-www is only able to muck with some of qw's files
and if it is cracked it's highly unlikely to be able to do damage to
anything. I'm also considering some daemons untrusted so if *those* are
hacked, they're chrooted, in a regular user accound and can't execute
unapproved stuff. All in all, I sleep better.

So about doing this in *Linux*....

Josh

On 6 Jul 2001, Jon Schewe wrote:

> Joshua Jore <moomonk at daisy-chan.org> writes:
>
> > Just something I've been trying to figure out lately. How to do FTP and
> > probably POP without putting a big 'root me' sign on the box. I've got a
> > pretty good thing going for my OpenBSD box (details if you want them) but
>
> Those might be interesting to find out about.  I've got an OpenBSD box at home
> that I've been thinking about opening some services up on again.
>
> > I haven't tried this on Linux yet. I also figure this another
> > 're-inventing the wheel' thing so other folks should have solved this one
> > well by now.
>
> How about sftp?  It's a different protocol, but it's more secure.  That or
> just use ssh/scp.
>
> --
> Jon Schewe | http://mtu.net/~jpschewe | jpschewe at mtu.net
> For I am convinced that neither death nor life, neither angels
> nor demons, neither the present nor the future, nor any
> powers, neither height nor depth, nor anything else in all
> creation, will be able to separate us from the love of God that
> is in Christ Jesus our Lord. - Romans 8:38-39
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>