Hi,

I am planning to install Vsftpd (vsftpd-1.1.0-3.i386.rpm) for SuSE 7.3 running SuSE compiled kernel 2.2.19. which will allow anonymous uploads also

I would do it a littlebit different: Compile vsftp for your own and don't use rpm since this is not written for 7.3 (use it on 7.3 as well). Get the Source from http://vsftpd.beasts.org/ (v 1.1.2!). VSFTP will the be compiled for your cpu and run faster and it is the newest version (1.1.0 is not!). Then: tar xvfz vsftpd-1.1.2.tar.gz cd vsftpd-1.1.2 make read the file INSTALL for needed settings in your system Change the config files to your desire. There is a fine documentation in the package! Put the chroot users in vsftpd.chroot_list and set chroot_list_enable=YES , chroot_list_file=/etc/vsftpd.chroot_list! The rest vsftp will do for you. This is secure enough for me.

The machine has private IP and will be behind SuSE ftp-proxy. The default looks it needs to be run from inetd /xinetd. Here is what I have in mind

a) run it as standalone

Why not standalone? Standalone means to run it as root, because processes bind to ports <1024 must be run as root. Use xinetd to manage it.

b) use Marc Heuse's compartment to run it in a chroot environment

Compardment is a fine thing, but I don't know, if it runs with vsftp, since the daemon itself provides a chrooted environment for each user (read the man-pages of that project). If you run standalone you have to use compardment, but I would prefer running it from xinetd. If you plan to chroot the anonymous user you must have him in the same subdir like the users you plan to give ftp-access. You can even use vsftp with virtual users, so you don't need /etc/passwd and /etc/shadow. This is more secure.

c) use the ftpdir package of SuSE which is also in the chrooted environment where vsftd runs

First of all is this overkill ? If not then I do not understand the following

1) The ftpdir package has passwd file (/usr/local/ftp/etc)

root:x:0:0:Super User:/root:/bin/bash

My understanding is it is now chrooted to "/usr/local/ftp" and since there is no "bash" under the bin directory what is the reasoning behind it. Why not use "false" and provide "false" executable under the bin directory ?

FTP-Daemons use directory with rights not set to the user ftp itself (read the INSTALL file of vsftp for that reason!).

2) Why user root and not "ftp" for instance

This has security purposes. You can create there a subdir and make it owned by ftp, e.g. incoming (chmod 755) and make another e.g. Donload owned by a real user as download (chmod 755). This allows only the real user to upload files to Download, incoming can be uploaded by ftp-user (I have a similar config). Philippe

On Fri, 2002-10-25 at 06:31, Togan Muftuoglu wrote: [snip]

a) run it as standalone b) use Marc Heuse's compartment to run it in a chroot environment c) use the ftpdir package of SuSE which is also in the chrooted environment where vsftd runs

First of all is this overkill ? If not then I do not understand the following

Togan, My understanding of Vsftpd is that it essentially runs chrooted out of the box. I know it has built-in and secure versions of ls, cd, and other common commands so you don't have to set up a /bin or /lib directory under your ftp root. The vsftpd.conf file is well documented. Best Regards, Keith -- LPIC-2, MCSE, N+ Life's the same, except for my shoes Got spam? Get spastic http://spastic.sourceforge.net