[Sequanux-ml] vsftp & streamin'

Thomas Paris mercen at gmx.fr
Sun 1 Feb 17:36:16 CET 2004


For the symlinks, I found this in the vsftpd FAQ:

Q) Why don't symlinks work with chroot_local_user=YES?
A) This is a consequence of how chroot() security works. As alternatives,
look into hard links, or if you have a modern Linux, see the powerful
mount --bind.


The FAQ is here:
ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-1.2.1/FAQ


On Fri 30 Jan at 18:38 (+0100), Fouinto MAX wrote:
> and if you want my opinion, a "very secure" server that doesn't chroot itself...
> uh... I'd be asking myself some questions :)

Used badly, "chroot" is not safe. Worse still, it can give an
illusion of security, which is more serious than a known absence of
security. Again according to the vsftpd FAQ:

Q) Help! What are the security implications referred to in the
chroot_local_user option?
A) Firstly note that other ftp daemons have the same implications. It is a
generic problem.
The problem isn't too severe, but it is this: Some people have FTP user
accounts which are not trusted to have full shell access. If these
accounts can also upload files, there is a small risk. A bad user now has
control of the filesystem root, which is their home directory. The ftp
daemon might cause some config file to be read - e.g. /etc/some_file. With
chroot(), this file is now under the control of the user. vsftpd is
careful in this area. But, the system's libc might want to open locale
config files or other settings...


Of course, a properly used "chroot" is much safer than a
solution without "chroot".

HTH
Mercen
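
The two FAQ answers quoted above, as an added example that is not part of the original message or of vsftpd: a userspace simulation (no real chroot() call, no root needed) of how paths resolve once a home directory becomes "/". The user "alice", the "music" link and the /srv/media tree are constructed for the demo.

```python
import os
import tempfile

def resolve_in_jail(jail, path, max_links=40):
    """Resolve `path` as it would resolve after chroot(jail): absolute paths and
    absolute symlink targets start at the jail root, and '..' never climbs above it.
    Returns the corresponding path on the real filesystem."""
    jail = os.path.realpath(jail)
    pending = [p for p in path.split("/") if p not in ("", ".")]
    current = []                      # resolved components, relative to the jail root
    links = 0
    while pending:
        part = pending.pop(0)
        if part == "..":
            if current:
                current.pop()         # at the root, ".." stays at the root
            continue
        candidate = os.path.join(jail, *current, part)
        if os.path.islink(candidate):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(candidate)
            if target.startswith("/"):
                current = []          # absolute target restarts at the jail root
            pending = [p for p in target.split("/") if p not in ("", ".")] + pending
        else:
            current.append(part)
    return os.path.join(jail, *current)

def demo():
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        media = os.path.join(base, "srv", "media")     # lives outside the jail
        home = os.path.join(base, "home", "alice")     # becomes "/" for the FTP session
        os.makedirs(media)
        os.makedirs(home)
        open(os.path.join(media, "song.ogg"), "w").close()
        os.symlink(media, os.path.join(home, "music"))  # absolute symlink
        return {
            # Normal resolution follows the link out of the home directory.
            "symlink_works_without_chroot": os.path.exists(os.path.join(home, "music", "song.ogg")),
            # Inside the jail the target is looked up under the home directory.
            "symlink_works_in_jail": os.path.exists(resolve_in_jail(home, "/music/song.ogg")),
            # A lookup of /etc/some_file lands in a directory the user can write to.
            "etc_lookup_stays_in_home": resolve_in_jail(home, "/etc/some_file")
                                        == os.path.join(home, "etc", "some_file"),
        }

if __name__ == "__main__":
    print(demo())
```

A bind mount works where the symlink does not because it places the directory itself under the jail root, so no path has to resolve outside it.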

