ftpd access to parent folders is allowed by peers

Steven Honeyman stevenhoneyman at gmail.com
Wed Oct 29 17:55:34 UTC 2014


On 29 October 2014 13:35, Felipe de Andrade Neves Lavratti
<felipelav at gmail.com> wrote:
> Hello Friends!
>
> When using the command `tcpsvd -vE 0.0.0.0 21 ftpd /files/to/serve` to start
> an ftpd service, peers are allowed to CWD to any parent folder of
> `/files/to/serve` in the embedded filesystem.

Hi,

I can't get this to happen - can you do a step-by-step of what you
did? ftpd chdirs, so in theory this should not be possible (well, not
easily/accidentally).
Here's the client output from a server started the same way you did:

Connected to localhost.localdomain.
220 Operation successful
Name (localhost.localdomain:steven):
230 Operation successful
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Operation successful
150 Directory listing
-rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
226 Operation successful
ftp> ls ..
200 Operation successful
150 Directory listing
-rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
226 Operation successful
ftp> pwd
257 "/"
ftp> cd ..
250 Operation successful
ftp> ls
200 Operation successful
150 Directory listing
-rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
226 Operation successful
ftp> ls ../../
200 Operation successful
150 Directory listing
-rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
226 Operation successful
ftp> ls /usr/bin
200 Operation successful
150 Directory listing
226 Operation successful
ftp>

> The issue is that I need to protect parent folders from peers, how do you
> suggest I deal with it?

If security is a concern, I wouldn't use busybox ftpd. I forgot to
check just now, but I don't think it drops root permissions.


Thanks,
Steven
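
Added example (not busybox code, and not Steven's or Felipe's): a small C program that checks the two properties the reply above relies on. First, that the served directory is a real root: at the filesystem root or at the root of a chroot jail, ".." resolves to "." itself, which is why "cd .." and "ls ../../" in the transcript still list this_is_ftp and "ls /usr/bin" comes back empty. Second, that root privileges are actually dropped before clients are served, since chroot() fails with EPERM for an unprivileged process and a server that ignores that return value is left with only chdir() between the client and the rest of the filesystem. The directory /files/to/serve and uid/gid 65534 are assumed defaults for the demo, not anything the thread specifies.

```c
/* Added example (not busybox code): confine a server to a directory the way a
 * chrooting ftpd should, verifying the jail instead of assuming it. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if paths a and b resolve to the same directory (same device and inode). */
int same_dir(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* At a real root (the filesystem root or the root of a chroot jail) ".."
 * resolves to "." itself. Anywhere else ".." is a different directory, and a
 * client that sends "CWD .." walks out of the served tree. */
int at_root(void)
{
    return same_dir(".", "..");
}

/* Confine the process to dir and drop privileges, checking every step.
 * Returns 0 on success, -errno on failure. A failed chroot() (EPERM when not
 * root) must never be ignored: the process would keep running in dir with
 * nothing but the cwd separating clients from the rest of the filesystem. */
int confine(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -EINVAL;            /* refuse to keep serving as root */
    if (chroot(dir) != 0)
        return -errno;
    if (chdir("/") != 0)           /* chroot() does not move the cwd */
        return -errno;
    if (!at_root())
        return -ENOTDIR;           /* the jail root must really be a root */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -errno;
    if (setuid(0) == 0)            /* the drop must be irreversible */
        return -EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    /* Defaults are assumptions for the demo: the directory from the original
     * post and uid/gid 65534 ("nobody" on many systems). Run as root to see
     * the jail take effect; as an ordinary user chroot() fails with EPERM. */
    const char *dir = argc > 1 ? argv[1] : "/files/to/serve";
    uid_t id = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : 65534;
    int rc;

    printf("before: at_root() = %d, uid = %d\n", at_root(), (int)getuid());
    rc = confine(dir, id, (gid_t)id);
    if (rc != 0) {
        fprintf(stderr, "confine(%s) failed: %s\n", dir, strerror(-rc));
        return 1;
    }
    printf("after:  at_root() = %d, uid = %d\n", at_root(), (int)getuid());
    return 0;
}
```

The same "is '..' really '.'" test can be run from the client side exactly as in the transcript above: after "cd .." the listing must not change, "pwd" must still report "/", and an absolute path such as "/usr/bin" must list nothing; if any of those differ, the server is only chdir'd, not chrooted.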


More information about the busybox mailing list