Gentoo Forums
[vsftpd] chroot_local_user=YES less secure?
pht3k
n00b

Joined: 04 Apr 2005
Posts: 53
Location: Québec

Posted: Mon Feb 06, 2006 5:25 am    Post subject: [vsftpd] chroot_local_user=YES less secure?

Hello everyone,

According to the vsftpd manual:
Quote:
chroot_local_user
If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.
Default: NO


I would have thought the opposite, though; preventing access to certain sensitive directories seemed rather logical to me. How exactly is it dangerous?

Thanks,
pht3k

creuvard
Apprentice

Joined: 14 May 2004
Posts: 211
Location: Bordeaux

Posted: Mon Feb 06, 2006 10:53 am

Hi

To prevent access to certain sensitive directories, there is also the option of using virtual users,

and adding to your vsftpd.conf:

Code:

guest_enable=YES
guest_username=toto


You can then "map" the virtual users into the home directory of "toto" and set restrictive permissions on it. ( dr-x---r-- )
You can also give toto a dummy shell ( toto:x:1001:100::/home/ftp/:/bin/false)

That way you avoid having to use the chroot_local_user option. Because depending on the permissions and the shell of the "user" in question, they can probably get out of their chroot jail, and that is not good.


There you go, in my opinion, one piece of the answer :D

_droop_
l33t

Joined: 30 May 2004
Posts: 957

Posted: Mon Feb 06, 2006 10:56 am

Hello,

You have a (somewhat thin) answer in the FAQ. You can find one here: http://www4.uji.es/doc/vsftpd-1.2.1/FAQ

Have a nice day.

pht3k
n00b

Joined: 04 Apr 2005
Posts: 53
Location: Québec

Posted: Tue Feb 07, 2006 4:04 am

According to the FAQ in question:

Q) Help! What are the security implications referred to in the
"chroot_local_user" option?
A) Firstly note that other ftp daemons have the same implications. It is a
generic problem.
The problem isn't too severe, but it is this: Some people have FTP user
accounts which are not trusted to have full shell access. If these
accounts can also upload files, there is a small risk. A bad user now has
control of the filesystem root, which is their home directory. The ftp
daemon might cause some config file to be read - e.g. /etc/some_file. With
chroot(), this file is now under the control of the user. vsftpd is
careful in this area. But, the system's libc might want to open locale
config files or other settings...

Thanks to you both, that satisfies my curiosity!!
And thanks for the virtual users tip :)

pht3k
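
Added example (not part of the thread and not vsftpd's own code): a small Python audit for the situation the manual and the FAQ describe, namely local users jailed in their home directory while holding upload permission, so that paths such as /etc/some_file resolve inside a directory they control. The function names and the sample configuration are constructed for illustration; `local_enable` and `write_enable` are vsftpd options that the thread does not quote, assumed here at their documented default of NO.

```python
import os
import stat
import tempfile

# Compiled-in defaults from the vsftpd.conf man page (each is NO).
DEFAULTS = {"local_enable": "NO", "write_enable": "NO", "chroot_local_user": "NO"}

def parse_vsftpd_conf(text):
    """Parse vsftpd's option=value lines; lines starting with '#' are comments."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def enabled(conf, key):
    # Assumption of this example: only the literal YES counts as enabled.
    return conf.get(key, "NO").upper() == "YES"

def audit_chroot(conf_text, jail_root):
    """Return findings for one local user's home directory (the jail root)."""
    conf = parse_vsftpd_conf(conf_text)
    findings = []
    if not (enabled(conf, "local_enable") and enabled(conf, "chroot_local_user")):
        return findings  # local users are not jailed in their home directory
    if enabled(conf, "write_enable"):
        findings.append("jailed local users have upload permission")
    if os.stat(jail_root).st_mode & stat.S_IWUSR:
        findings.append("jail root is writable by its owner")
    # After chroot(), a path such as /etc/some_file resolves to
    # <jail_root>/etc/some_file, i.e. somewhere inside the user's home.
    if os.path.lexists(os.path.join(jail_root, "etc")):
        findings.append("jail contains its own etc/ entry")
    return findings

if __name__ == "__main__":
    # Constructed sample: a configuration and a throwaway "home directory".
    sample_conf = ("# constructed sample\n"
                   "local_enable=YES\nwrite_enable=YES\nchroot_local_user=YES\n")
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, "etc"))
        for finding in audit_chroot(sample_conf, home):
            print("WARNING:", finding)
```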
All times are GMT