ftpd access to parent folders is allowed by peers
Steven Honeyman
stevenhoneyman at gmail.com
Wed Oct 29 17:55:34 UTC 2014
On 29 October 2014 13:35, Felipe de Andrade Neves Lavratti
<felipelav at gmail.com> wrote:
> Hello Friends!
>
> When using the command `tcpsvd -vE 0.0.0.0 21 ftpd /files/to/serve` to start
> an ftpd service, peers are allowed to CWD to any parent folder of
> `/files/to/serve` in the embedded filesystem.
Hi,
I can't get this to happen - can you do a step-by-step of what you
did? ftpd chdirs so in theory this should not be possible (well, not
easily/accidentally)
Here's the client output from the server started in the same way as you did:
Connected to localhost.localdomain.
220 Operation successful
Name (localhost.localdomain:steven):
230 Operation successful
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Operation successful
150 Directory listing
-rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp
226 Operation successful
ftp> ls ..
200 Operation successful
150 Directory listing
-rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp
226 Operation successful
ftp> pwd
257 "/"
ftp> cd ..
250 Operation successful
ftp> ls
200 Operation successful
150 Directory listing
-rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp
226 Operation successful
ftp> ls ../../
200 Operation successful
150 Directory listing
-rw-r--r-- 1 1000 1000 0 Oct 29 17:44 this_is_ftp
226 Operation successful
ftp> ls /usr/bin
200 Operation successful
150 Directory listing
226 Operation successful
ftp>
> The issue is that I need to protect parent folders from peers, how do you
> suggest I deal with it?
If security is a concern, I wouldn't use busybox ftpd. I forgot to
check just now, but I don't think it drops root permissions.
Thanks,
Steven
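
The manual check in the client session above can be scripted so it is repeatable against any FTP server. The following is an added example, not part of the original message and not BusyBox code; `probe_confinement` and `FakeFTP` are hypothetical names, and the directory tree is constructed so the script runs offline. It assumes chroot-style confinement, where the server reports its root as "/".

```python
import ftplib
import posixpath

def _names(ftp):
    try:
        return sorted(ftp.nlst())
    except ftplib.error_perm:      # some servers answer 550 for an empty directory
        return []

def probe_confinement(ftp, depth=3):
    """Return findings; an empty list means '..' never left the login directory.
    `ftp` is a logged-in ftplib.FTP (or any object with cwd/pwd/nlst)."""
    findings = []
    start, baseline = ftp.pwd(), _names(ftp)
    if start != "/":               # assumption: a confined server reports "/"
        findings.append(("login", start, baseline))
    for n in range(1, depth + 1):
        path = "/".join([".."] * n)
        try:
            ftp.cwd(path)
        except ftplib.error_perm:  # traversal refused outright
            continue
        where, listing = ftp.pwd(), _names(ftp)
        if where != "/" or listing != baseline:
            findings.append((path, where, listing))
        ftp.cwd(start)             # reset before the next probe
    return findings

class FakeFTP:
    """Constructed in-memory stand-in for ftplib.FTP, used only for this demo."""
    TREE = {"/": ["etc", "files"], "/etc": ["passwd"], "/files": ["to"],
            "/files/to": ["serve"], "/files/to/serve": ["this_is_ftp"]}
    def __init__(self, served, chrooted):
        self.base = served if chrooted else "/"   # what the client sees as "/"
        self.cur = "/" if chrooted else served
    def _real(self, p):
        return posixpath.normpath(posixpath.join(self.base, p.lstrip("/")))
    def cwd(self, path):
        new = posixpath.normpath(posixpath.join(self.cur, path))
        if self._real(new) not in self.TREE:
            raise ftplib.error_perm("550 Error")
        self.cur = new
    def pwd(self):
        return self.cur
    def nlst(self):
        return list(self.TREE[self._real(self.cur)])

if __name__ == "__main__":
    for chrooted in (True, False):
        print(chrooted, probe_confinement(FakeFTP("/files/to/serve", chrooted)))
```

Against a real server, pass a logged-in `ftplib.FTP` object instead of `FakeFTP`.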