Date: Wed, 6 Aug 2008 11:38:40 -0400
From: John Almberg <jalmberg@identry.com>
To: freebsd-questions@freebsd.org
Subject: Re: Controlling read access
Message-ID: <8722E123-56D1-4CA0-8F57-DB0FB299EBD3@identry.com>
In-Reply-To: <3A0AA7018522134597ED63B3B794C92A028ECB61@STA-HQ-S001.starcomms.local>
References: <26259A11-0CE7-43FB-878C-1A989C1EB006@identry.com> <3A0AA7018522134597ED63B3B794C92A0284D829@STA-HQ-S001.starcomms.local> <E8A4465F-0D48-46F9-A5ED-B56E65BF05EB@identry.com> <3A0AA7018522134597ED63B3B794C92A028ECB61@STA-HQ-S001.starcomms.local>

> Hello John,
>
> There are some things that you can try.
>
> What if you connect from localhost and transfer files, is it still very slow?
> Try to disable TLS/SSL and see if this improves performance.
> Increase debug level and check the log for any errors.

Well, I am learning lots about FTP :-)

I didn't realize that FTP uses extra ports for data channels (yes, I am a newbie). I use the PF firewall, which of course was blocking the needed ports. Once I opened them, the connections worked perfectly.

I also moved the control port from 21 to a higher port, and disabled insecure FTP connections, requiring TLS/SSL for login.

I also added pureftpd-enable="YES" to rc.conf, so I can start it up with /usr/local/etc/rc.d/pure-ftpd restart.

So far, so good (newbie pats himself on back.) :-)

Now I have just one major league problem: when I logged in as one of the users, to test the connections, I discovered that I had SUPER POWERS. I was able to delete any file that I could see, including ones that were owned by root.

Digging uncovered the fact that pure-ftpd runs with root privileges... not so good for my situation.

My guess is I need to compile with the --with-privsep switch turned on...

So, finally I have a real FreeBSD question! What is the proper way, in ports, to set a configuration flag? The only way I could figure out was to add it to the Makefile.

    PRIVSEP "Enable privilege separation" on \

If this is the correct way to turn this compile switch on, it doesn't seem to work. After running:

    make deinstall
    make config   # checking the privilege separation box
    make reinstall

The logged in user can still delete any file, regardless of permissions or ownership.

This is clearly a problem... I don't want my users to be able to blow away their own websites while they are uploading some images.

I am still digging for info on this problem. Any thoughts, much appreciated!

-- John