FTP Security issues
macupdate
Fresh-Faced Recruit
Join Date: Sep 1999
May 31, 2001, 11:23 AM
 
It seems that with Mac OS X Server 10.0.3, regular users are able to log into their FTP account and then navigate manually up and around to other users' directories. They can only view them and not modify them; however, this is still a security problem.

I've followed steps to create a file at: /etc called "ftpchroot" listing the names of users that you want to be restricted only to their user directory, however it doesn't work.

Are there any other ideas on how to restrict FTP users from being able to see other users' directories and files?
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jun 1, 2001, 11:45 AM
 
First off... I would strongly recommend that you do not allow regular users ANY ftp access if your server is connected to anything but a totally trusted network (does such a thing exist?). This is because any old script kiddie with a network sniffer can snag their userid and password because regular ftp sends these as plaintext. The only acceptable use I can see for regular ftp is if it is set up for anonymous ftp only. Even then....

A much better solution is to turn off ftp altogether and use scp instead which encrypts the entire session. You could leave a message in /etc/motd or /etc/ftpwelcome that explains this then exits. You should also turn off regular telnet for the same reasons and use ssh instead. All of this is available from http://www.openssh.com

With that said... if you still insist on risking the integrity of your users' data and your server... you will need to add a user called 'ftp'. If you check the manpage for ftpd (man ftpd) you will see that they explain all this in the sections for ftpchroot and anonymous (4. and 5.). Use chpass (man chpass) to add the ftp user. Set up the anonymous (ftp) user's directories as explained in the manpage.

One other thing... when you make changes to various services you should restart the service in order for it to take effect. The ftpd service is controlled by inetd. inetd is configured in /etc/inetd.conf. To restart the inetd service do this (as root):

root# /etc/startup/1700_IPServices

That should restart all inetd controlled services.

Again I recommend that you disable ftp completely. You can do this by commenting out the line for ftpd in /etc/inetd.conf and restarting the service. You should also take a careful look at /etc/inetd.conf and comment out any services that you do not need. I comment out everything.

-DU-...etc...

[This message has been edited by utidjian (edited 06-01-2001).]
-DU-...etc...
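
An added example, not part of the post above: a shell script that lists the services still enabled in an inetd.conf-format file, flags those that authenticate in cleartext, and prints a copy with one service commented out. The sample file, its daemon paths and the CLEARTEXT list are constructed for illustration; point the functions at a copy of the real /etc/inetd.conf to review it.

```shell
#!/bin/sh
# Added example: review an inetd.conf-format file for enabled services.
# Services that send userid/password in cleartext (constructed list, an assumption).
CLEARTEXT="ftp telnet login shell exec"

# Print the service name of every enabled (uncommented) entry.
# A valid entry has at least six fields: service, socket type, protocol,
# wait/nowait, user, server program.
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Print only the enabled services that authenticate in cleartext.
cleartext_enabled() {
    for svc in $(enabled_services "$1"); do
        case " $CLEARTEXT " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Print a copy of the file ($1) with the named service ($2) commented out.
# The original file is left untouched so the change can be reviewed first.
disable_service() {
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1"
}

# Constructed sample input (not taken from a real server).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/libexec/tcpd  ftpd -l
telnet  stream  tcp  nowait  root  /usr/libexec/tcpd  telnetd
#shell  stream  tcp  nowait  root  /usr/libexec/tcpd  rshd
ntalk   dgram   udp  wait    root  /usr/libexec/tcpd  ntalkd
EOF

echo "Enabled cleartext services:"
cleartext_enabled "$SAMPLE"
echo "With ftp commented out:"
disable_service "$SAMPLE" ftp
```

After writing the edited copy back to /etc/inetd.conf, inetd still has to be restarted as the post describes before the change takes effect.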
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jun 4, 2001, 03:00 PM
 
Macupdate and I took some of the discussion on this topic offline but I think that some of it may be of interest to some of the readers here. I am including in this post some of our offline discussion. By mutual agreement I have edited out certain sensitive information.

[begin offline discussion 1]


Joel Mueller wrote:
>
> Thanks for your posting on MacNN's boards about FTP security with OSX. I
> was wondering why all of the major hosting providers use FTP access for
> their clients to maintain their sites if FTP is so insecure?

Good question! Mainly it is because that is all most client software can
handle. When people use FrontPage, Adobe GoLive, or NS Composer (to name
a few) they are not given the choice to use a more secure channel for
uploading their data to the server. I can only imagine that this is
because most major hosting sites have not caught up with the times.
Using scp is only slightly more difficult than using ftp yet it is a
little different. Customers (users/clients) HATE changes and ANY
difference in what they are used to. Web hosting service providers would
have a very large increase in support costs... due to the changes they
would have to make.

I imagine the simplest thing would be to allow users to upload their
data using SSL. I don't know if any of the popular web page editors
include, or can make use of, this functionality.

If a client uploads their webpage data in an insecure way then their
whole website is insecure... even if they use SSL on their website. All
it takes is an interested cracker to sniff the userid and password as it
drifts over the internet in cleartext.

[deletia]

There are many things that an admin can do to make a site more secure
for the users. The bare minimum is to totally disable ftp and telnet. In
short, disable anything that allows a user to access the site with a
cleartext userid and password. I think that most web hosting services
really don't care about security all that much... they may pay lip
service to it but they do very little about it. They rely on buzzwords
(firewall, SSL, etc) but none of this will help assure the integrity of
a customer's data if they are allowed to use any service that allows
cleartext userid and passwords. I suppose it can get them "off the hook"
in some situations because if they do use all secure channels and then
if they are compromised they may have some explaining to do.

I think we should discuss this on the forum, don't you? With your
permission I will post your email and my reply.

-DU-...etc...

[end offline discussion 1]

[begin offline discussion 2]
[some stuff edited]

David Utidjian wrote:
All of this is a hassle and/or costs something in time/money BUT when
compared to the cost of repairing a compromised system it is trivial. I
work in an academic environment where some of my users have their life's
work on my servers, some just have a semester's work, some have a week's
work, some a day's... I have to take the integrity of that data
seriously. I have to take it seriously as the admin of the system or
nobody else will... the users certainly don't... until their data goes
missing or is altered. I have, I believe, a very good backup strategy...
the network security helps me avoid having to restore hundreds of
gigabytes of data from backups... which will take some time.

Unfortunately I had to learn the hard way by being cracked a few times.
Those were very expensive lessons.

I think, for the most part, that Macs are not all that interesting to
crackers except for the occasional student who has nothing better to do.
Not that many major sites are run on it and the data on most Macs is not
all that interesting. Linux on the desktop is the same way. However,
there is a tremendous amount being served from Linux servers, more every
day, for some of the major websites on the internet. The average Linux
box (desktop or server) also makes an excellent platform to launch other
attacks at any kind of system.

[ end of offline discussion 2]

[ 06-04-2001: Message edited by: utidjian ]
-DU-...etc...
     
   
 
All contents of these forums © 1995-2017 MacNN. All rights reserved.