True, I was launching the daemon as user, not root, so the odd behavior happened. If I launch it as root it works well, and yes, the daemon doesn't drop root permissions.
Thanks!! Em quarta-feira, 29 de outubro de 2014, Steven Honeyman < [email protected]> escreveu: > On 29 October 2014 13:35, Felipe de Andrade Neves Lavratti > <[email protected] <javascript:;>> wrote: > > Hello Friends! > > > > When using the command `tcpsvd -vE 0.0.0.0 21 ftpd /files/to/serve` to > start > > a ftpd service, but peers are allowed to CWD to any parent folder of > > `/files/to/serve` in the embedded filesystem. > > Hi, > > I can't get this to happen - can you do a step-by-step of what you > did? ftpd chdirs so in theory this should not be possible (well, not > easily/accidently) > Here's the client output from the server started in the same way as you > did: > > Connected to localhost.localdomain. > 220 Operation successful > Name (localhost.localdomain:steven): > 230 Operation successful > Remote system type is UNIX. > Using binary mode to transfer files. > ftp> ls > 200 Operation successful > 150 Directory listing > -rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp > 226 Operation successful > ftp> ls .. > 200 Operation successful > 150 Directory listing > -rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp > 226 Operation successful > ftp> pwd > 257 "/" > ftp> cd .. > 250 Operation successful > ftp> ls > 200 Operation successful > 150 Directory listing > -rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp > 226 Operation successful > ftp> ls ../../ > 200 Operation successful > 150 Directory listing > -rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp > 226 Operation successful > ftp> ls /usr/bin > 200 Operation successful > 150 Directory listing > 226 Operation successful > ftp> > > > The issue is that I need to protect parent folders from peers, how do you > > suggest I deal with it? > > If security is a concern, I wouldn't use busybox ftpd. I forgot to > check just now, but I don't think it drops root permissions. > > > Thanks, > Steven > -- Skype: felipeanl
_______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
