Alexander E. Patrakov wrote: > Hello, > > the current BLFS instructions for proftpd include the following: > > install_user=proftpd install_group=proftpd \ > ./configure --prefix=/usr --sysconfdir=/etc \ > --localstatedir=/var/run > > This results in the /usr/sbin/proftpd binary owned by the proftpd user. > This is very wrong. Daemon binaries should be owned by root but run as a > user. > > Suppose that someone finds a security hole in proftpd that gives > read-write access outside /home/ftp with the rights of the proftpd user > (i.e., the user for anonymous access). This hole becomes a root hole > then, because the attacker can overwrite /usr/sbin/proftpd and wait for > a server reboot. >
Added to BZ for now: http://blfs-bugs.linuxfromscratch.org/show_bug.cgi?id=1769 -- Bruce -- http://linuxfromscratch.org/mailman/listinfo/blfs-dev FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
