[Bug 1769] New: proftpd instructions

blfs-bugs at linuxfromscratch.org
Sun Jan 1 15:09:34 PST 2006


http://blfs-bugs.linuxfromscratch.org/show_bug.cgi?id=1769

           Summary: proftpd instructions
           Product: Beyond LinuxFromScratch
           Version: a-SVN
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: BOOK
        AssignedTo: blfs-book at linuxfromscratch.org
        ReportedBy: bdubbs at linuxfromscratch.org
         QAContact: blfs-book at linuxfromscratch.org


From Alexander E. Patrakov:

The current BLFS instructions for proftpd include the following:

install_user=proftpd install_group=proftpd \
    ./configure --prefix=/usr --sysconfdir=/etc \
    --localstatedir=/var/run

This results in the /usr/sbin/proftpd binary owned by the proftpd user. This is
very wrong. Daemon binaries should be owned by root but run as a user.

Suppose that someone finds a security hole in proftpd that gives read-write
access outside /home/ftp with the rights of the proftpd user (i.e., the user for
anonymous access). This hole becomes a root hole then, because the attacker can
overwrite /usr/sbin/proftpd and wait for a server reboot.



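
An added check, not part of the original report or of the BLFS book: a script that flags a daemon binary a non-root account could overwrite, which is the condition the report describes for /usr/sbin/proftpd. The function names are hypothetical, and it assumes a `stat` that accepts `-L` and `-c` (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example (not from the BLFS book): flag daemon binaries that a
# non-root account could overwrite. Assumes GNU or BusyBox `stat -L -c`.

# classify OWNER MODE
# MODE is the octal string printed by `stat -c %a` (e.g. 755, 4755).
# Prints "ok" and returns 0, or prints the reason and returns 1.
classify() {
    c_owner=$1 c_mode=$2
    if [ "$c_owner" != "root" ]; then
        echo "owned by $c_owner, not root"
        return 1
    fi
    # Write bit set in the group digit (second to last) or other digit (last).
    case $c_mode in
        *[2367]? | *[2367])
            echo "mode $c_mode is group/other writable"
            return 1 ;;
    esac
    echo "ok"
}

# audit_binary PATH: prints "PATH: <verdict>".
# Returns 0 if ok, 1 if unsafe, 2 if the file cannot be examined.
audit_binary() {
    a_path=$1
    # -L follows symlinks so the real binary is checked, not the link.
    a_info=$(stat -L -c '%U %a' "$a_path" 2>/dev/null) || {
        echo "$a_path: cannot stat"
        return 2
    }
    if a_why=$(classify "${a_info% *}" "${a_info##* }"); then
        echo "$a_path: ok"
    else
        echo "$a_path: UNSAFE ($a_why)"
        return 1
    fi
}

# audit_all PATH...: audit each path; returns 1 if any was not "ok".
audit_all() {
    rc=0
    for p in "$@"; do
        audit_binary "$p" || rc=1
    done
    return "$rc"
}

# Usage: sh audit.sh /usr/sbin/proftpd   (path taken from the report above)
audit_all "$@"
```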


