[plug] ftpd query

David Campbell campbell at gear.torque.net
Wed Jun 9 08:03:49 WST 1999


Date sent:      	Tue, 08 Jun 1999 13:35:22 +0800
To:             	plug at linux.org.au
From:           	Denis Brown <dsbrown at cyllene.uwa.edu.au>
Subject:        	[plug] ftpd query
Send reply to:  	plug at linux.org.au

> Dear PLUG members,
> 
> Doubtless a simple query, but would like some confirmation that my thinking
> is correct.  Am especially paranoid about security.

You are not paranoid enough...
 
> Scenario:  I want to set up an ftp resource from which a small group of
> users can periodically download files, notably virus detector programme
> updated signature files.  There's one Linux (Debian slink) box and some
> Wintel boxes.  Ideally, when I find out how to batch run the Wintel side
> ftp client, I could implement automatic download of updated virus
> signatures on bootup, but that's another story.
> 
> Looking through the man pages for ftpd on anonymous ftp leads me to believe
> that I could create security holes inadvertently.  This has made me think
> that a better way would be to assign a dummy user account on the Linux box
> and let every Wintel user know about that account name and its password.
> For want of a better name, call the Linux dummy user "virsigs".

This could create more holes since the anonymous ftp account runs in 
a "chroot" (eg: limited view only the account directory). There is a 
list of things that need to be done for setting up an anonymous ftp 
account properly - more than I can remember.

Have you considered using SAMBA for this job?

Admittedly you would require a little configuration of smb.conf for 
the proper security (read only access, guest account that has 
/bin/false as a shell, shares are not browsable), but the end result 
is that you can do the following on a Win95/WinNT machine:

copy \\linuxbox\virsigs\*.* c:\virsigs

Without explicitly mapping the drive (done this several times). I 
only recommend this as it solves a pile of problems on the Win95 side.

> a) prevent my Wintel users from clobbering the signature file(s)   - I
> suspect the answer is "yes"

correct

> b) enable my users to see a directory of the available file(s)  - again I
> suspect "yes"

You can do one better than this with FTP, you can have a directory 
they can't list but providing they know the file name they can grab 
the file (I know this is cruel but we are talking about Win95 users).

> c) prevent my users from seeing and accessing files in other directories?
> - not sure about this one.

Anonymous ftp (running as chroot) should keep them out of other 
directories. There should be an anonymous ftp server HOWTO lurking 
around, it might even be on CERT / AusCERT.

> Alternatively, am I being too paranoid about the anonymous ftp account
> mechanism?

Paranoia is good for a secure environment but you must choose the 
lesser of the two evils. Anonymous FTP should be more secure than 
standard FTP since you use chroot to put the blinkers on, for most 
secure systems this should only be the icing on the cake.

If you wish to follow the FTP route then:
a) Research various FTP daemons for suitability
b) Implement a secure non-login account (the /bin/false for a shell
   is just the start - there are other things that need to be done).
c) Check directory permissions for the WHOLE disk, you may have other
   weaknesses.
d) Subscribe to the AusCERT security mailing list.

I may have missed something there as it has been three years since I
last administered a UNIX box in "concrete bunker mode".

David Campbell
=======================================================
campbell at torque.net
"This is not an office, rather Hell with fluorescent lighting"
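
Added example, not part of the original message: a small shell audit for the three checks the reply names (no world-writable paths in the served tree, an enter-only directory that cannot be listed, and a /bin/false-style shell on the service account). The tree layout, the passwd line and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a download-only file area (FTP or Samba export).
# The tree layout, account name and passwd copy below are constructed samples.

# Paths under $1 that any local user may write to (symlinks skipped).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Directories others may enter (x) but not list (no r): files inside are
# retrievable only by someone who already knows their names.
unlistable_dirs() {
    find "$1" -type d -perm -0001 ! -perm -0004 -print
}

# Succeeds when account $1 in passwd-format file $2 has a non-login shell.
nologin_shell() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a constructed sample tree and report on it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ftp/pub/virsigs" "$d/ftp/incoming" "$d/ftp/private"
    chmod 755 "$d/ftp" "$d/ftp/pub" "$d/ftp/pub/virsigs"
    chmod 777 "$d/ftp/incoming"     # mistake: anyone can overwrite files here
    chmod 711 "$d/ftp/private"      # enter-only: no directory listing
    printf 'virsigs:x:1001:1001::/home/ftp:/bin/false\n' > "$d/passwd"
    echo "world-writable:";  world_writable "$d/ftp"
    echo "unlistable dirs:"; unlistable_dirs "$d/ftp"
    nologin_shell virsigs "$d/passwd" && echo "virsigs: non-login shell"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo` to see the sample report; pointing `world_writable` at `/` covers the whole-disk check in step c).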

