Controlling read access
glarkin at FreeBSD.org
Wed Aug 6 16:17:48 UTC 2008
John Almberg wrote:
|> Hello John,
|> There are some things that you can try.
|> What if you connect from localhost and transfer files, is it still very
|> Try to disable TLS/SSL and see if this improve performance.
|> Increase debug level and check the log for any errors.
| Well, I am learning lots about FTP :-)
| I didn't realize that FTP uses extra ports for data channels (yes, I am
| a newbie). I use the PF firewall, which of course was blocking the
| needed ports. Once I opened them, the connections worked perfectly.
| I also moved the control port from 21 to a higher port, and disabled
| insecure FTP connections, requiring TLS/SSL for login.
| I also added pureftpd-enable="YES" to rc.conf, so I can start it up with
| /usr/local/etc/rc.d/pure-ftpd restart.
| So far, so good (newbie pats himself on back.) :-)
| Now I have just one major league problem: when I logged in as one of the
| users, to test the connections, I discovered that I had SUPER POWERS. I
| was able to delete any file that I could see, including ones that were
| owned by root. Digging uncovered the fact that pure-ftpd runs with root
| privileges... not so good for my situation.
| My guess is I need to compile with the --with-privsep switch turned on...
| So, finally I have a real FreeBSD question!
| What is the proper way, in ports, to set a configuration flag? The only
| way I could figure out was to add it to the Makefile.
| PRIVSEP "Enable privilege separation" on \
| If this is the correct way to turn this compile switch on, it doesn't
| seem to work. After running:
| make deinstall
| make config # checking the privilege separation box
| make reinstall
| The logged in user can still delete any file, regardless of permissions
| or ownership. This is clearly a problem... I don't want my users to be
| able to blow away their own websites while they are uploading some
| images. I am still digging for info on this problem. Any thoughts, much
| -- John
Try this sequence instead, and you should be all set:
make config (skip this if you've already chosen the options you want)
The clean target will make sure that your environment is reset back to a
known state. The install target will then perform a fresh build and
install with the privsep option enabled. If you already had binaries in
your port directory, then the reinstall target installs them without
rebuilding, as far as I can tell from reading /usr/ports/Mk/bsd.port.mk.
Hope that helps,
http://www.FreeBSD.org/ - The Power To Serve