ftp security

Aaron Peterson dopplecoder at gmail.com
Tue Aug 16 02:44:14 GMT 2005


On 8/15/05, stephen honea <stephen_honea at yahoo.com> wrote:
> I read http://www.freebsddiary.org/ftp-anonymous.php to try and secure my ftp server.
> The author suggested to add a line to my fstab:
> 
> /dev/ad2s2f   /home/ftp/incoming ufs  rw,SUIDDIR    2       2
> 
> however I don't have the file ad2s2f in my /dev directory
> 
> # Device                Mountpoint      FStype  Options         Dump    Pass#
> /dev/ad0s1b             none            swap    sw              0       0
> /dev/ad0s1a             /               ufs     rw              1       1
> /dev/ad0s1e             /tmp            ufs     rw              2       2
> /dev/ad0s1f             /usr            ufs     rw              2       2
> /dev/ad0s1d             /var            ufs     rw              2       2
> /dev/acd0               /cdrom          cd9660  ro,noauto       0       0
> #/dev/ad0s              /ftp/incoming   ufs     rw,SUIDDIR      2       2
> 
> [root]/etc-
> 
> I don't really understand the fstab but I gather
> ad0s1 is the drive and a-f are the partitions created at boot time
> 
> basically I am trying to sticky a directory mounted by fstab

yes, if you didn't create a partition /dev/ad2s2f then you can't
mount it or put it in fstab because it doesn't exist.  I think you are
mistaken that you are trying to turn on the sticky bit since you don't
need a separate partition for that by itself.  There are other
security features that go along with mounting the filesystem with the
SUIDDIR option. An excerpt from "man mount":

  suiddir
                     A directory on the mounted file system will respond to
                     the SUID bit being set, by setting the owner of any new
                     files to be the same as the owner of the directory.  New
                     directories will inherit the bit from their parents.
                     Execute bits are removed from the file, and it will not
                     be given to root.

                     This feature is designed for use on fileservers serving
                     PC users via ftp, SAMBA, or netatalk.  It provides security
                     holes for shell users and as such should not be used
                     on shell machines, especially on home directories.  This
                     option requires the SUIDDIR option in the kernel to work.
                     Only UFS file systems support this option.  See chmod(2)
                     for more information.

This requires planning ahead on your filesystem though, so that you
have space to create a separate partition for /home/ftp/incoming in
your case.  You could add another hard disk, or perhaps find a way to
rearrange your existing space.  It is usually easiest to set this stuff
up at install time though...

Aaron
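The checks implied by the reply above, as an added example that is not part of the thread: a POSIX sh script that audits fstab entries using suiddir against the mount(8) rules quoted there (UFS only, not on home directories, and the device node must exist). The sample fstab contents and every mount point other than /home/ftp/incoming are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit fstab entries that request
# suiddir before they go into /etc/fstab. The sample fstab is constructed.

SAMPLE_FSTAB='# Device     Mountpoint          FStype  Options     Dump Pass#
/dev/ad0s1a  /                   ufs     rw          1    1
/dev/ad0s1d  /var                ufs     rw          2    2
/dev/ad2s2f  /home/ftp/incoming  ufs     rw,suiddir  2    2
/dev/ad0s1g  /home               ufs     rw,suiddir  2    2
/dev/da1s1   /mnt/share          msdosfs rw,suiddir  0    0'

# Returns 0 if the device node exists; mount(8) cannot use one that does not.
device_exists() { [ -e "$1" ]; }

# check_suiddir_entry DEVICE MOUNTPOINT FSTYPE OPTIONS
# Prints a verdict on stdout; returns 0 if acceptable, 1 if it should be rejected.
check_suiddir_entry() {
  dev=$1 mnt=$2 fstype=$3 opts=$4
  case ",$opts," in
    *,suiddir,*|*,SUIDDIR,*) ;;
    *) echo "skip: $mnt does not use suiddir"; return 0 ;;
  esac
  # mount(8): only UFS file systems support suiddir
  if [ "$fstype" != ufs ]; then
    echo "reject: $mnt is $fstype, suiddir works only on UFS"; return 1
  fi
  # mount(8): never on home directories of shell users (trailing slash ignored)
  case "${mnt%/}" in
    /home|/usr/home|/root) echo "reject: $mnt is a home directory tree"; return 1 ;;
  esac
  # a missing node (the original poster's problem) is reported but not fatal here
  device_exists "$dev" || echo "warn: $dev is not present on this host" >&2
  echo "ok: suiddir on $mnt"
  return 0
}

# audit_fstab < fstab: one verdict per entry, returns the number of rejections.
audit_fstab() {
  bad=0
  while read -r dev mnt fstype opts _dump _pass; do
    case "$dev" in ''|'#'*) continue ;; esac   # blank lines and comments
    check_suiddir_entry "$dev" "$mnt" "$fstype" "$opts" || bad=$((bad + 1))
  done
  return "$bad"
}

if printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; then
  echo "all suiddir entries acceptable"
else
  echo "rejected entries: $?"   # 2 for the constructed sample
fi
```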

