Controlling read access

John Almberg jalmberg at identry.com
Wed Aug 6 15:38:46 UTC 2008


> Hello John,
>
> There are some things that you can try.
>
> What if you connect from localhost and transfer files, is it still very
> slow?
> Try to disable TLS/SSL and see if this improve performance.
> Increase debug level and check the log for any errors.

Well, I am learning lots about FTP :-)

I didn't realize that FTP uses extra ports for data channels (yes, I  
am a newbie). I use the PF firewall, which of course was blocking the  
needed ports. Once I opened them, the connections worked perfectly.

I also moved the control port from 21 to a higher port, and disabled  
insecure FTP connections, requiring TLS/SSL for login.

I also added pureftpd-enable="YES" to rc.conf, so I can start it up  
with /usr/local/etc/rc.d/pure-ftpd restart.

So far, so good (newbie pats himself on back.) :-)

Now I have just one major league problem: when I logged in as one of
the users, to test the connections, I discovered that I had SUPER
POWERS. I was able to delete any file that I could see, including
ones that were owned by root. Digging uncovered the fact that pure-ftpd
runs with root privileges... not so good for my situation.

My guess is I need to compile with the --with-privsep switch turned  
on...

So, finally I have a real FreeBSD question!

What is the proper way, in ports, to set a configuration flag? The  
only way I could figure out was to add it to the Makefile.
	PRIVSEP "Enable privilege separation" on \

If this is the correct way to turn this compile switch on, it doesn't  
seem to work. After running:

make deinstall
make config 		# checking the privilege separation box
make reinstall

The logged in user can still delete any file, regardless of  
permissions or ownership. This is clearly a problem... I don't want  
my users to be able to blow away their own websites while they are  
uploading some images. I am still digging for info on this problem.  
Any thoughts, much appreciated!

-- John
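A check that belongs next to any "users can delete root-owned files" report, added here as an example that is not part of the thread and makes no claim about how pure-ftpd itself behaves: on Unix, unlink(2) is authorised by write and search permission on the file's parent directory. The file's own owner and mode are not consulted, unless the directory has the sticky bit set, in which case only the file's owner, the directory's owner and root may remove it. The script below builds two constructed cases in a scratch directory to show this, and gives a small helper that reports, for a given file, who can actually delete it. All paths and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from pure-ftpd.
# Shows what deleting a file actually requires on Unix: write+search on the
# PARENT DIRECTORY. The file's own owner and mode do not matter, except that
# a sticky-bit directory limits deletion to the file owner, directory owner
# and root.

# demo_unlink_semantics: two constructed cases in a scratch directory.
#   case1: read-only (0444) file in a directory we own and can write to
#   case2: writable (0666) file in a directory we cannot write to (0555)
# Prints "<case1> <case2>", each "deleted" or "kept".
# Run as an unprivileged user the result is "deleted kept"; root bypasses
# directory permissions entirely, so as uid 0 case2 also prints "deleted".
demo_unlink_semantics() {
    tmp=$(mktemp -d) || return 2

    mkdir "$tmp/writable" "$tmp/readonly"
    : > "$tmp/writable/index.html"
    : > "$tmp/readonly/index.html"

    chmod 0444 "$tmp/writable/index.html"   # the file itself is read-only
    chmod 0666 "$tmp/readonly/index.html"   # the file itself is writable
    chmod 0555 "$tmp/readonly"              # ...but its directory is not

    if rm -f "$tmp/writable/index.html" 2>/dev/null; then c1=deleted; else c1=kept; fi
    if rm -f "$tmp/readonly/index.html" 2>/dev/null; then c2=deleted; else c2=kept; fi

    chmod 0755 "$tmp/readonly"
    rm -rf "$tmp"
    echo "$c1 $c2"
}

# report_delete_exposure FILE: reports the owner and mode of FILE's parent
# directory (the thing that decides who may delete FILE) and whether the
# sticky bit is set. Uses `ls -ld` rather than stat(1) because stat's flags
# differ between BSD and GNU.
# Output: "<parent> owner=<user> mode=<perm> sticky=<yes|no>"
report_delete_exposure() {
    f=$1
    dir=$(dirname "$f")
    set -- $(ls -ld "$dir")
    perm=$1
    owner=$3
    # The 10th character of the mode string is the "others execute" slot;
    # 't' or 'T' there means the sticky bit is set. Strip the first nine
    # characters so a trailing '+' or '@' (ACL/xattr markers) cannot confuse it.
    rest=${perm#?????????}
    case $rest in
        t*|T*) sticky=yes ;;
        *)     sticky=no ;;
    esac
    echo "$dir owner=$owner mode=$perm sticky=$sticky"
}

# Usage (constructed paths): run as the account the FTP user maps to, not root.
# demo_unlink_semantics
# report_delete_exposure /home/www/site/images/logo.png
```

The point of the second helper is where to look: if the FTP account owns (or has write permission on) the directory holding the web site, it can delete every file in that directory, root-owned or not, and no amount of per-file ownership will stop it. Run it as the same account the FTP login maps to, since running it as root tells you nothing about what that account can do.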



More information about the freebsd-questions mailing list