Controlling read access
John Almberg
jalmberg at identry.com
Wed Aug 6 15:38:46 UTC 2008
> Hello John,
>
> There are some things that you can try.
>
> What if you connect from localhost and transfer files, is it still
> very slow?
> Try to disable TLS/SSL and see if this improves performance.
> Increase debug level and check the log for any errors.
Well, I am learning lots about FTP :-)
I didn't realize that FTP uses extra ports for data channels (yes, I
am a newbie). I use the PF firewall, which of course was blocking the
needed ports. Once I opened them, the connections worked perfectly.
I also moved the control port from 21 to a higher port, and disabled
insecure FTP connections, requiring TLS/SSL for login.
I also added pureftpd-enable="YES" to rc.conf, so I can start it up
with /usr/local/etc/rc.d/pure-ftpd restart.
So far, so good (newbie pats himself on back.) :-)
Now I have just one major league problem: when I logged in as one of
the users, to test the connections, I discovered that I had SUPER
POWERS. I was able to delete any file that I could see, including
ones that were owned by root. Digging uncovered the fact that pure-
ftpd runs with root privileges... not so good for my situation.
My guess is I need to compile with the --with-privsep switch turned
on...
So, finally I have a real FreeBSD question!
What is the proper way, in ports, to set a configuration flag? The
only way I could figure out was to add it to the Makefile.
PRIVSEP "Enable privilege separation" on \
If this is the correct way to turn this compile switch on, it doesn't
seem to work. After running:
make deinstall
make config # checking the privilege separation box
make reinstall
The logged in user can still delete any file, regardless of
permissions or ownership. This is clearly a problem... I don't want
my users to be able to blow away their own websites while they are
uploading some images. I am still digging for info on this problem.
Any thoughts, much appreciated!
-- John