On 29 October 2014 13:35, Felipe de Andrade Neves Lavratti <[email protected]> wrote: > Hello Friends! > > When using the command `tcpsvd -vE 0.0.0.0 21 ftpd /files/to/serve` to start > a ftpd service, but peers are allowed to CWD to any parent folder of > `/files/to/serve` in the embedded filesystem.
Hi, I can't get this to happen - can you do a step-by-step of what you did? ftpd chdirs so in theory this should not be possible (well, not easily/accidently) Here's the client output from the server started in the same way as you did: Connected to localhost.localdomain. 220 Operation successful Name (localhost.localdomain:steven): 230 Operation successful Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 Operation successful 150 Directory listing -rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp 226 Operation successful ftp> ls .. 200 Operation successful 150 Directory listing -rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp 226 Operation successful ftp> pwd 257 "/" ftp> cd .. 250 Operation successful ftp> ls 200 Operation successful 150 Directory listing -rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp 226 Operation successful ftp> ls ../../ 200 Operation successful 150 Directory listing -rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp 226 Operation successful ftp> ls /usr/bin 200 Operation successful 150 Directory listing 226 Operation successful ftp> > The issue is that I need to protect parent folders from peers, how do you > suggest I deal with it? If security is a concern, I wouldn't use busybox ftpd. I forgot to check just now, but I don't think it drops root permissions. Thanks, Steven _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
