![[F]](/Images/i7/site.gif) TidBITS  TidBITS TidBITS Talk
Problems with FTP on Panther![[LEllerbr]](/webx/?30@@1) LEllerbr (apparently) - 11:51am Sep 13, 2004 PSTvia emailWhen running 10.2 on a G3 and on a G4 FTP worked just fine. I recently
installed 10.2.8 on a G3 (no USB mouse) and 10.3.5 with all updates on a G3
and a G4. FTP makes an initial connection to each server (it is turned on
in sharing), but none of the servers recognize the account ID/Password.
Neither owner nor standard accounts work.
Have I missed something that everyone but me knows about the setup? Can
anyone clue me in to what I need to do to get FTP to work?
All help appreciated!
[Yes, the problem is the most recent security update. In short, use SFTP or read this discussion for solutions. -Adam]
< http://discussions.info.apple.com/webx?128 .689a720d>
L
Dave Walcott
-
Sep 14, 2004 8:39 am
(#1 Total: 7)
|
 |
|
|
|
| Posts: 4 |
Re: Adam's comments on FTP and SFTP
Quoted from Adam's article on Apple's 9-7-04 security update in this weeks TidBITS (9/13/04): "perhaps the best (solution to the new broken FTP issue) is to use this problem as an excuse to switch to SFTP, which eliminates long-standing security problems with FTP." < http://db.tidbits.com/getbits.acgi?tbart=07809> For anyone considering taking this advice and switching to SFTP, it should be noted (as someone metioned in the Apple discussion linked to in the article), that while SFTP does eliminate some security issues, it introduces other, possibly bigger ones. In OS X server, there is no "out of the box" chroot functionality when using FTP over SSH (aka SFTP). This results in ftp (or ssh) users being able to "cd" up out of their home directory, and having a nice view of the entire filesystem, as permissions allow. For some systems this would not be a huge problem, but for many it would, especially in a multi-user hosting environment. Fixing this by hand-crafting a proper chroot environment would be about as fun as it looks here: http://chrootssh.sourceforge.net/docs/chrootedsftp.html
|
|
 | |
schinder (apparently)
-
Sep 15, 2004 8:27 am
(#2 Total: 7)
|
|
|
|
|
| Posts: 115 |
Re: Problems with FTP on Panther
At 8:39 AM -0700 9/14/04, Dave Walcott wrote:
Quoted from Adam's article on Apple's 9-7-04 security update in this
> weeks TidBITS (9/13/04):
>
> "perhaps the best (solution to the new broken FTP issue) is to use
> this problem as an excuse to switch to SFTP, which eliminates
> long-standing security problems with FTP."
>
> < http://db.tidbits.com/getbits.acgi?tbart=07809>
>
> For anyone considering taking this advice and switching to SFTP, it
> should be noted (as someone metioned in the Apple discussion linked
> to in the article), that while SFTP does eliminate some security
> issues, it introduces other, possibly bigger ones.
>
> In OS X server, there is no "out of the box" chroot functionality
> when using FTP over SSH (aka SFTP). This results in ftp (or ssh)
> users being able to "cd" up out of their home directory, and having a
> nice view of the entire filesystem, as permissions allow. For some
> systems this would not be a huge problem, but for many it would,
> especially in a multi-user hosting environment.
Yes, but so far as I know there's no anonymous sftp. So the only
people that have access to the machine via sftp already have access
via ssh to a shell. So they can see the entire file system anyway.
--
Paul Schinder
schinder pobox.com
|
|
| |
Curtis Wilcox (apparently)
-
Sep 21, 2004 7:31 am
(#3 Total: 7)
|
|
|
|
|
| Posts: 357 |
Re: Problems with FTP on Panther
For anyone considering
taking this advice and switching to SFTP, it should be noted (as someone
metioned in the Apple discussion linked to in the article), that while SFTP
does eliminate some security issues, it introduces other, possibly bigger
ones.
In OS X server, there is no "out of the box" chroot
functionality when using FTP over SSH (aka SFTP). This results in ftp (or ssh)
users being able to "cd" up out of their home directory, and having a nice
view of the entire filesystem, as permissions allow. For some systems this
would not be a huge probl! em, but for many it would, especially in a
multi-user hosting environment.
Just
to pick a nit, SFTP is not "FTP over SSH." "FTP over SSH" implies the use of one
or more of the following: ftp server, ftp client or ftp protocol tunneled
over an SSH session. SFTP uses its own service and clients which happen to have
commands similar to those used by FTP.
Browsing the file system isn't that big a risk, at least not out of the
box. Users can't read each other's home directories and world readable system
files are that way because they're not a risk. The risk would come from
administrators or others who are allowed to use space outside the home
directories being careless with the file permissions for sensitive files
they create.
The
biggest potential risk I can think of is users being able to read .php files or
other files that are read but processed by a web server. It's all too common for
web developers to put passwords (to access a mysql database for example) or
other secret information in such files because the web server doesn't normally
deliver that information to clients. This can be mitigated by removing world
readability from such files and making them either owned by the web server's
account or in the web server's default group (on Macs the user and group are
both "www," it's more typical for Apache web servers to use "nobody" as the user
and group).
For
ordinary users, particularly ones that don't/can't use a shell account changing
a file's group membership is problematic but they have their own trick to
prevent fellow users from reading their web documents. By default, all users are
members of the same group (in OS X, this group is "staff"). If you
don't want your fellow users to read files but still need the web
service to read them, just remove read access for the *group*. The web
service isn't a member of the same group users are so it obeys the
permissions for "world" (aka "other"). You're the owner so even though you're a
member of that group, your account obeys the owner permissions. The
command-line way to set this would be "chmod g-r filename" or "chmod 604
filename" but graphical file transfer programs have ways of setting the
file permissions.
|
|
| |
Dave Walcott
-
Sep 21, 2004 7:31 am
(#4 Total: 7)
|
|
|
|
|
| Posts: 4 |
Re: Problems with FTP on Panther
Yes, but so far as I know there's no anonymous sftp. So the only people that have access to the machine via sftp already have access via ssh to a shell. So they can see the entire file system anyway. Yep - that was exactly my point - with regular FTP, there isn't a chroot problem. But - when you tick the "Remote Login" box to enable SFTP and ssh access, that opens up the security issue I mentioned. Users can then peruse the whole filesystem, even seeing some contents of other users home directories (if default permissions are not changed). Notwithstanding access to other users' home folders, this might not be a big problem on some systems. But in a "best practice" scenario, no sys admin I know wants users poking around the /etc or /var directories and other such areas they don't belong. Even if they can't delete or damage things in those areas, they could copy MySQL, NetInfo and other databases, or grab MySQL passwords from sloppily programmed php files, just for example. Whether anonymous or not, it's real easy to enable such access without realizing it, which is why I mentioned it. I'm just hoping Apple builds in a nice "Lock SFTP users into home directories" button in a near-future version.
|
|
| |
Dave Walcott
-
Sep 22, 2004 7:11 am
(#5 Total: 7)
|
|
|
|
|
| Posts: 4 |
Re: Problems with FTP on Panther
[Apologies to the already dead horse] Browsing the file system isn't that big a risk, at least not out of the box. Users can't read each other's home directories... Actually, default permissions for user home directories are 755, so any user actually *can* open anyone else's home directory and look around, out of the box. And, depending on server umask settings (and on whether the user knows to check permissions of all files s/he copies to "home"), that user's files may be read/writable as well. The command-line way to set this would be "chmod g-r filename" or "chmod 604 filename" but graphical file transfer programs have ways of setting the file permissions. This is also not quite correct. Starting with 755 (default) permissions, your first suggestion of "chmod g-r filename" would yield 714, which still allows execution (or opening of folders) by other users. Folks taking your advice would want to use the second, more explicit "chmod 604 filename" (or better yet, "chomd -R 604 /Users/<username>") instead to properly prevent "staff" group members from seeing anything at all. Which all leads me back to my initial point - if you enable SFTP, make sure you really know what you're enabling! Until Apple fixes this, I'd personally opt for un-encrypted FTP logins and chroot'ed users over encrypted FTP logins and users poking around the filesystem.
|
|
| |
sommersb
-
Sep 23, 2004 12:20 pm
(#6 Total: 7)
|
|
|
|
|
| Posts: 2 |
Re: Problems with FTP on Panther
The company VanDyke (http://www.vandyke.com/) makes a commercial SFTP server called VShell that offers chroot limitations as well as other access controls. I have not used VShell on Mac OS X but have used it for Windows and it is a good product.
|
|
| |
atlauren (apparently)
-
Sep 24, 2004 8:00 am
(#7 Total: 7)
|
|
|
|
via email - Practicing random acts of punditry. |
|
|
 |
| Posts: 808 |
Re: Problems with FTP on Panther
At 12:20 PM -0700 9/23/04, sommersb wrote:
>The company VanDyke (http://www.vandyke.com/) makes a commercial
>SFTP server called VShell that offers chroot limitations as well as
>other access controls. I have not used VShell on Mac OS X but have
>used it for Windows and it is a good product.
We've used and bulk-licensed several VanDyke products for years, for
our Windows clients. CRT, SecureCRT, AbsoluteFTP and probably a few
others. Good suff.
I didn't know that they'd expanded into non-Windows platforms. Interesting.
--
Andrew Laurence
atlauren uci.edu
|
|
|
TidBITS TidBITS TidBITS Talk Problems with FTP on Panther
|
|
