Maik Stubbe wrote:
> I need full access from all clients to their home directory
> including uploads. I'm aware of the security risks using ftp. But
> there isn't another option like sftp. ~60 clients with a minimum of
> knowledge of security risks and technical understanding. It will be
> a hard and non-profitable way to switch over to sftp or even http.

To be completely blunt, with that constraint I don't know why you
worry about proactive security. It is impossible. Sorry. Instead I
would set up intrusion monitoring and try to be reactive. Hopefully
you will be such a small fish that no one will poke at you and you
won't have any problems. But if you do then you can notice with the
intrusion detection and react quickly afterward. That might be enough
for you.

> > > 4. Using packages from Jessie: My preferred choice. But how to
> > > control security updates?
> >
> > Does the Jessie vsftpd allow writable chroots? Sounds like a bug to
> > be filed to me.
>
> It is a "problem" of vsftpd. They decided to disable ftp with
> writable $HOME if chroot is enabled [1], [2].
>
> [1]: https://security.appspot.com/vsftpd/Changelog.txt (Version 2.3.5)
> [2]: https://security.appspot.com/vsftpd/FAQ.txt (Q3)

Good plan! :-)

It looks like they did that in 2.3.4.

  v2.3.4
  - Add stronger checks for the configuration error of running with a
    writeable root directory inside a chroot(). This may bite people
    who carelessly turned on chroot_local_user but such is life.

Then gave some relief in 2.3.5.

  v2.3.5
  - Add new config setting "allow_writeable_chroot" to help people in
    a bit of a spot with the v2.3.5 defensive change. Only applies to
    non-anonymous.

Version 2.3.5 is in Wheezy 7 Stable. If you are running Stable then
you should already have that feature available to you. Are you
running Oldstable Squeeze 6? If so then an upgrade to Stable should
fix you right up.

> It's a matter of old versions in Debian. Jessie provides the newer
> version with the new config setting.

If it is a different feature then you could request a backport from
Testing to Stable.

  http://backports.debian.org/

Bob
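Added example, not part of the original message and not vsftpd's own code: a shell audit that reads `chroot_local_user` and `allow_writeable_chroot` from a vsftpd.conf and reports, per home directory, which case from the quoted changelog entries applies. The function names (`conf_bool`, `owner_writable`, `chroot_status`) are hypothetical. It assumes the owner write bit stands in for "writeable root" and that `chroot_list_enable` is not in use.

```shell
#!/bin/sh
# Added example: classify home directories against the writable-chroot
# check described in the vsftpd changelog entries quoted above.

# conf_bool FILE OPTION -> prints YES or NO.
# vsftpd.conf lines are option=value with no spaces; an unset option is
# treated as NO here and the last occurrence in the file wins.
conf_bool() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r' | tr 'a-z' 'A-Z')
    if [ "$val" = "YES" ]; then echo YES; else echo NO; fi
}

# owner_writable DIR -> success if the owner write bit is set.
# Uses mode bits, not [ -w ], so the answer is the same when run as root.
owner_writable() {
    [ -n "$(find "$1" -prune -perm -200 2>/dev/null)" ]
}

# chroot_status CONF HOMEDIR -> not-chrooted | ok | writable-allowed | refused
chroot_status() {
    if [ "$(conf_bool "$1" chroot_local_user)" = NO ]; then
        echo not-chrooted        # user can walk the whole filesystem
    elif ! owner_writable "$2"; then
        echo ok                  # chrooted, root of the jail is read-only
    elif [ "$(conf_bool "$1" allow_writeable_chroot)" = YES ]; then
        echo writable-allowed    # check overridden by the 2.3.5 setting
    else
        echo refused             # the stronger check rejects the login
    fi
}

# Constructed sample input: two configs and two home directories.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/home_rw" "$t/home_ro" && chmod 555 "$t/home_ro"
    printf 'chroot_local_user=YES\n' > "$t/strict.conf"
    printf 'chroot_local_user=YES\nallow_writeable_chroot=YES\n' > "$t/relaxed.conf"
    for c in strict relaxed; do
        for h in home_rw home_ro; do
            printf '%s.conf %s: %s\n' "$c" "$h" \
                "$(chroot_status "$t/$c.conf" "$t/$h")"
        done
    done
    rm -rf "$t"
}
demo
```

A `writable-allowed` result marks the accounts where the defensive check has been switched off, which are the ones to prioritise in the intrusion monitoring suggested above.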