ftpd access to parent folders is allowed by peers

Felipe de Andrade Neves Lavratti felipelav at gmail.com
Wed Oct 29 18:25:41 UTC 2014


True, I was launching the daemon as a user, not root, so the odd behavior
happened. If I launch it as root it works well, and yes, the daemon doesn't
drop root permissions.

Thanks!!

On Wednesday, 29 October 2014, Steven Honeyman <
stevenhoneyman at gmail.com> wrote:

> On 29 October 2014 13:35, Felipe de Andrade Neves Lavratti
> <felipelav at gmail.com> wrote:
> > Hello Friends!
> >
> > When using the command `tcpsvd -vE 0.0.0.0 21 ftpd /files/to/serve` to
> > start an ftpd service, peers are allowed to CWD to any parent folder of
> > `/files/to/serve` in the embedded filesystem.
>
> Hi,
>
> I can't get this to happen - can you do a step-by-step of what you
> did? ftpd chdirs so in theory this should not be possible (well, not
> easily/accidentally)
> Here's the client output from the server started in the same way as you
> did:
>
> Connected to localhost.localdomain.
> 220 Operation successful
> Name (localhost.localdomain:steven):
> 230 Operation successful
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 Operation successful
> 150 Directory listing
> -rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
> 226 Operation successful
> ftp> ls ..
> 200 Operation successful
> 150 Directory listing
> -rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
> 226 Operation successful
> ftp> pwd
> 257 "/"
> ftp> cd ..
> 250 Operation successful
> ftp> ls
> 200 Operation successful
> 150 Directory listing
> -rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
> 226 Operation successful
> ftp> ls ../../
> 200 Operation successful
> 150 Directory listing
> -rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
> 226 Operation successful
> ftp> ls /usr/bin
> 200 Operation successful
> 150 Directory listing
> 226 Operation successful
> ftp>
>
> > The issue is that I need to protect parent folders from peers, how do you
> > suggest I deal with it?
>
> If security is a concern, I wouldn't use busybox ftpd. I forgot to
> check just now, but I don't think it drops root permissions.
>
>
> Thanks,
> Steven
>


-- 
Skype: felipeanl
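The thread above comes down to one point: the served directory is only enforced when ftpd is started as root (and even then the daemon keeps its root privileges). The following check is an added example, not code from the thread or from busybox: given the PID of a running ftpd child and the directory it was told to serve, it reads Linux /proc to report which uid the process runs as and whether its root really is the served directory. It assumes a Linux /proc filesystem and that you pass the PID of the per-connection ftpd child spawned by tcpsvd.

```shell
#!/bin/sh
# Added check (not from the thread): is a running ftpd actually confined
# to the directory it was told to serve, and as which uid does it run?
# Assumes Linux /proc. Usage: check_ftpd_confinement PID SERVED_DIR

proc_uid() {
    # effective uid is the third field of the "Uid:" line in /proc/PID/status
    awk '/^Uid:/ { print $3 }' "/proc/$1/status"
}

proc_root() {
    # /proc/PID/root is a symlink to the root directory the process sees
    readlink "/proc/$1/root"
}

check_ftpd_confinement() {
    pid=$1
    # canonicalise the served directory so symlinks do not cause false alarms
    served=$(cd "$2" 2>/dev/null && pwd -P) || { echo "no such dir: $2"; return 2; }
    root=$(proc_root "$pid") || { echo "cannot inspect pid $pid"; return 2; }
    uid=$(proc_uid "$pid")
    if [ "$root" = "$served" ]; then
        status=confined
    else
        # no chroot happened (typically: daemon not started as root), so a
        # peer can CWD above the served directory, as reported in the thread
        status=unconfined
    fi
    echo "pid=$pid uid=$uid root=$root served=$served $status"
    [ "$status" = confined ]
}
```

A result of `uid=0 ... confined` is what the thread describes as "works well"; anything `unconfined` means the served directory is not a boundary at all.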