[plug] re: FTP set-up

Christian christian at amnet.net.au
Fri Jun 30 14:15:48 WST 2000


On Fri, Jun 30, 2000 at 09:35:18AM +0800, Matt Kemner wrote:
> On Thu, 29 Jun 2000, Jon L. Miller wrote:
 
> Install proftpd, and add an entry to the config file like:

Has proftpd undergone a comprehensive audit by an independent third
party yet?  I know the developers themselves had more or less done so
but the last I heard the code was still in a pretty shabby state so
there is certainly an element of risk in installing it.  My advice would
be, if you choose to install proftpd, to watch an appropriate security
bulletin (not CERT, too slow) for any problems and be prepared to have
possible downtime or regular upgrades on your FTP service.  The only
FTP server with a worse security record would have to be wu-ftpd.  The
FTP server that is distributed with Debian is based on the OpenBSD FTP
server and is therefore much more trustworthy.  Of course it suffers
from the standard problem of plaintext passwords and is nowhere near as
configurable as proftpd so you lose the advantage of the configuration
that Matt gave.  I guess it boils down to what you'd rather risk:

1. Install proftpd which allows you to limit FTP access to the user's
home directory but be potentially open for a remote root compromise in
the future.

2. Use a less configurable FTP server like the one I suggested which
allows someone with the user's password to FTP around the entire machine
(permissions permitting) but likely will not open you to a root compromise.

Personally I would choose (2) but there may be good reasons for you to
consider (1), depending on your situation.

Regards,

Christian.


