Consider the following example:
- FTP username: servt1
- FTP home directory: /home/servt1
$ ftp ftp.domain.com
Output:
Connected to ftp.domain.com.
220 (vsFTPd 2.0.5)
Name (ftp.domain.com:servt1): servt1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/servt1"
ftp> cd /etc
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 7959 Mar 02 22:20 Acbd
drwxr-xr-x 3 0 0 4096 Jul 24 12:20 Wireloop
drwxr-xr-x 16 0 0 4096 Jul 30 22:58 X1X
drwxr-xr-x 4 0 0 4096 Sep 05 2005 Xrint
-rw-r--r-- 1 0 0 2188 Sep 05 2005 adduser.conf
-rw-r--r-- 1 0 0 47 Aug 16 14:52 adjtime
-rw------- 1 0 0 4330 Aug 18 2005 afick.conf
-rw-r--r-- 1 0 0 194 Sep 05 2005 aliases
-rw-r--r-- 1 0 0 12288 Jul 19 21:27 aliases.db
drwxr-xr-x 2 0 0 8192 Aug 15 09:33 alternatives
...
A normal FTP user can change into /etc (and possibly every other directory on the system), and any sensitive file that is world-readable can be downloaded over FTP.
To avoid this security problem you can lock the FTP user into a chroot jail.
Open vsftpd configuration file - /etc/vsftpd/vsftpd.conf
# vi /etc/vsftpd/vsftpd.conf
Make sure the following line exists and is uncommented:
chroot_local_user=YES
Save and close the file. Restart vsftpd.
# /etc/init.d/vsftpd restart
Now all local vsftpd/FTP users are limited to files in their own home directory. They will not be able to see /, /etc, /root, /tmp or any other directory outside their home. This is an essential security feature.
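The steps above are easy to get wrong by hand (a leftover commented copy of the line, or a later line that sets the option back to NO). The POSIX shell script below is an added example, not part of the original post: it enforces chroot_local_user=YES in a vsftpd.conf idempotently and then verifies the effective value. The config path is passed as a parameter, and the sample config it edits is constructed in a temporary file in place of /etc/vsftpd/vsftpd.conf.

```shell
#!/bin/sh
# Added example (not from the original post): enforce and verify
# chroot_local_user=YES in a vsftpd.conf. The sample config at the
# bottom is constructed for the demo, standing in for
# /etc/vsftpd/vsftpd.conf.

# Print the effective value of a vsftpd option: only uncommented lines
# count, and the last one wins, matching how vsftpd reads its config.
vsftpd_get() {
    # $1 = config file, $2 = option name
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# Ensure chroot_local_user=YES is present and uncommented. A commented
# or wrong-valued line is rewritten in place; if no such line exists,
# one is appended. Uses a temp file + mv so it works with BSD and GNU sed.
vsftpd_enable_chroot() {
    conf="$1"
    tmp="$conf.tmp.$$"
    if grep -qE '^[[:space:]]*#?[[:space:]]*chroot_local_user=' "$conf"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*chroot_local_user=.*/chroot_local_user=YES/' \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'chroot_local_user=YES\n' >> "$conf"
    fi
}

# Return 0 when local users are jailed to their home, 1 otherwise.
vsftpd_chroot_ok() {
    [ "$(vsftpd_get "$1" chroot_local_user)" = "YES" ]
}

# Constructed sample config: the option is present but commented out,
# which is exactly the state that leaves users free to browse /etc.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
# chroot_local_user=YES
EOF

if vsftpd_chroot_ok "$demo_conf"; then echo "before: users chrooted"; else echo "before: users NOT chrooted"; fi
vsftpd_enable_chroot "$demo_conf"
if vsftpd_chroot_ok "$demo_conf"; then echo "after: users chrooted"; else echo "after: users NOT chrooted"; fi
rm -f "$demo_conf"
```

Run it as root against the real file by replacing demo_conf with /etc/vsftpd/vsftpd.conf, then restart vsftpd as described above. One caveat for newer vsftpd releases than the 2.0.5 shown in the session: vsftpd refuses to log in a chrooted user whose home directory is writable (the client sees "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). Either make the home directory non-writable and give uploads a writable subdirectory, or set allow_writeable_chroot=YES if you accept that trade-off.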