File: ftp-proxy-4.html

proxy-suite 1.9.2.4-1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>The FTP-Proxy White Paper: Local System Security</TITLE>
 <LINK HREF="ftp-proxy-5.html" REL=next>
 <LINK HREF="ftp-proxy-3.html" REL=previous>
 <LINK HREF="ftp-proxy.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="ftp-proxy-5.html">Next</A>
<A HREF="ftp-proxy-3.html">Previous</A>
<A HREF="ftp-proxy.html#toc4">Contents</A>
<HR>
<H2><A NAME="security"></A> <A NAME="s4">4. Local System Security</A></H2>

<P>FTP-Proxy comes with several configuration features that help
to increase local system security, namely <CODE>ServerRoot</CODE>,
<CODE>User</CODE> and <CODE>Group</CODE>.
<P>
<P>The way FTP-Proxy is invoked also needs to be considered.  One
possible way is via the system's inetd (or xinetd) Internet Super
Daemon.  In this case FTP-Proxy will not fork or become a daemon.
It will serve the client and terminate itself after delivery.
When configuring (x)inetd to include the ftp-proxy executable,
<CODE>ServerRoot</CODE> (chroot) should be used.
The <CODE>User</CODE> and <CODE>Group</CODE> options need not be given if they
are specified in the inetd configuration itself.
<P>
<P>The <CODE>User</CODE> and <CODE>Group</CODE> options should actually be
considered for standalone operation. In this case ftp-proxy
will bind the listening socket to the port number set using the
<CODE>Port</CODE> and <CODE>Listen</CODE> options, perform the chroot
operation if <CODE>ServerRoot</CODE> is used, drop privileges to
the UID/GID set with the <CODE>User</CODE> and <CODE>Group</CODE> options
and open the log.
<P>
<P>It might be a good idea to create a new user (e.g. "ftpproxy")
as well as a group (e.g. "ftpproxy") in order to achieve finer
granularity in user administration.
<P>
<P>When using <CODE>ServerRoot</CODE>, please note that other
files usually need to be installed into the runtime environment as well,
e.g. the /dev/null device, system databases like /etc/services and
/etc/hosts, libraries like libc and possibly others (e.g. libcrypt
under AIX 4.3, a resolver library like libresolv or the libnss
libraries on systems using the NameServiceSwitch - see also
nsswitch.conf(5)).
If you are using the <CODE>User</CODE> and <CODE>Group</CODE> options,
you may also need the /etc/passwd and /etc/group files.
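<P>Added example, not part of the original white paper or the proxy-suite sources: a shell function that audits a <CODE>ServerRoot</CODE> directory for the runtime files listed above before the proxy is started. The names <CODE>check_chroot</CODE> and <CODE>report</CODE> are hypothetical; libraries other than libc (libcrypt, libresolv, libnss) are system dependent and are not checked.

```shell
#!/bin/sh
# Added example: audit a ServerRoot (chroot) tree for the files named above.
# check_chroot and report are hypothetical helper names, not part of proxy-suite.

missing=0

# report PATH REASON: print one finding and bump the counter
report() {
    echo "MISSING $1 ($2)"
    missing=$((missing + 1))
}

# check_chroot ROOT [yes|no]
#   ROOT    directory given as ServerRoot
#   yes/no  whether the User/Group options are set (default: no)
# Returns the number of missing items, 0 meaning the tree looks complete.
check_chroot() {
    root=$1
    uses_ids=${2:-no}
    missing=0

    # Must be a real character device; a regular file named null would
    # silently collect everything written to it.
    [ -c "$root/dev/null" ] || report "$root/dev/null" "character device"

    # System databases used for service and host lookups
    for f in etc/services etc/hosts; do
        [ -r "$root/$f" ] || report "$root/$f" "system database"
    done

    # libc in any of the usual library directories (layout varies by system)
    found=no
    for f in "$root"/lib/libc.* "$root"/lib64/libc.* "$root"/usr/lib/libc.* \
             "$root"/lib/*/libc.*; do
        if [ -e "$f" ]; then found=yes; fi
    done
    [ "$found" = yes ] || report "$root/lib*/libc.*" "C library"

    # Needed to resolve names when User and Group are configured
    if [ "$uses_ids" = yes ]; then
        for f in etc/passwd etc/group; do
            [ -r "$root/$f" ] || report "$root/$f" "needed by User/Group"
        done
    fi

    return "$missing"
}
```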
<P>
<P>The sample run level script <CODE>rc.script</CODE> for (SuSE)
Linux supports the preparation of a chroot runtime
environment - see description in <CODE>rc.script.txt</CODE>.
<P>
<P>
<P>
<HR>
<A HREF="ftp-proxy-5.html">Next</A>
<A HREF="ftp-proxy-3.html">Previous</A>
<A HREF="ftp-proxy.html#toc4">Contents</A>
</BODY>
</HTML>