ParadyneDesigns

FTP upload security

Hi everyone.  I need to create an FTP upload facility for people using my website.  I only wish for them to upload text files which will then be copied to the correct area on my website to be processed.

What I need to know is if setting the FTP directory to CHMOD 666 would be enough to stop people uploading and executing malicious code.  I believe there is no way to theoretically stop people uploading anything they wish as they could upload it with a .txt filename and change once uploaded.

I can run a Cron Script that deletes unwanted files every few minutes, but that may give them long enough to upload and execute something on my server that is unwanted.  I do not want to have a Cron running every minute because of the additional server load.

So, would making the directory non-executable be enough, although I imagine they could just CHMOD the files they uploaded to executable?

Google offers a service like the one I wish to use on uploads.google.com via their Google products facility.  How do they do this and maintain security?

Some of the files that could be uploaded would far exceed the server limit of 8mb so I cannot offer this via a HTML form upload.

Does anyone have any ideas how to create an FTP upload system that is secure and won't compromise my server?

Many thanks

Steve
ravenpl

> Google offers a service like the one I wish to use on uploads.google.com via their google products facility.  How do they do this and maintain security.
Good question ;)

> I only wish for them to upload text files which will then be copied
Can you verify the content of such a file before copying? If it's undesired, then simply delete it instead of copying. You can either use your own check script or use Linux's file utility:
file /etc/passwd
man file

> I believe there is no way to theoretically stop people uploading anything they wish as they could upload it with a .txt filename and change once uploaded.
You can deny the rename operation via FTP, but then Linux does not care about file extensions.

> So, would making the directory none executable be enough
If the directory is not executable, then one can't enter it and therefore can't upload. To save a file to the dir, it has to be at least -wx for the writer.

> although I imagine they could just CHMOD the files they uploaded to executable.
Again, the FTP server may deny such an operation.

> Does anyone have any ideas how to create an FTP upload system that is secure and wont compromise my server.
Try to give more details on how you imagine the whole process should work.
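
ravenpl's suggestion to verify each file before copying it, written out as an added example (not code from this thread): a Python routine that validates the bytes while copying them into the processing area and stores the result under a server-chosen `.txt` name. The 20 MB limit, the UTF-8 requirement and every function, variable and file name here are assumptions.

```python
import codecs, os, pathlib, stat, tempfile, uuid

MAX_BYTES = 20 * 1024 * 1024                  # assumption: the 20 MB ceiling from the thread
BAD = (set(range(32)) - {9, 10, 13}) | {127}  # control bytes other than tab, LF, CR

def accept_upload(src, accepted_dir, max_bytes=MAX_BYTES):
    """Copy src into accepted_dir as <random>.txt if it is plain UTF-8 text.
    Returns (dest, None) or (None, reason); the bytes validated are the bytes copied."""
    try:  # O_NOFOLLOW refuses symlinks; O_NONBLOCK avoids hanging on a FIFO
        fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return None, "symlink or unreadable"
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        return None, "not a regular file"
    dst = os.path.join(accepted_dir, uuid.uuid4().hex + ".txt")  # uploader's name is never reused
    utf8 = codecs.getincrementaldecoder("utf-8")()
    total, reason = 0, None
    with os.fdopen(fd, "rb") as fh, open(dst, "xb") as out:
        os.chmod(dst, 0o640)                  # never inherit the uploader's mode bits
        try:
            while reason is None and (chunk := fh.read(65536)):
                total += len(chunk)
                if total > max_bytes:
                    reason = "too large"
                elif BAD & set(chunk):
                    reason = "binary or control bytes"
                else:
                    utf8.decode(chunk)        # raises on invalid UTF-8
                    out.write(chunk)
            if reason is None:
                utf8.decode(b"", final=True)  # catches a truncated multi-byte sequence
                reason = None if total else "empty file"
        except UnicodeDecodeError:
            reason = "not valid UTF-8"
    if reason:
        os.unlink(dst)                        # discard the partial copy
        return None, reason
    return dst, None

def demo():
    """Constructed samples: a text feed, an ELF header named .txt, and a PHP script."""
    inc, acc = tempfile.mkdtemp(), tempfile.mkdtemp()
    samples = {"feed.txt": b"sku,price\nA1,9.99\n", "tool.txt": b"\x7fELF\x02\x01\x01\x00",
               "shell.php": b"<?php echo 1; ?>\n"}
    for name, data in samples.items():
        pathlib.Path(inc, name).write_bytes(data)
    return {n: accept_upload(os.path.join(inc, n), acc) for n in samples}, acc
```

The PHP sample passes the text check because a script is also valid text, so the protection comes from the stored name, the 0640 mode and the location. `accepted_dir` should sit outside the web root and should not be writable by the FTP account.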
ASKER CERTIFIED SOLUTION
ygoutham

This solution is only available to members.
ParadyneDesigns

ASKER

Hi again.

Both answers are extremely helpful and I am very interested in the part 4 answer of ygoutham's reply.  Is there anywhere that I can find more info on adding a chroot jail and changing FTP settings?  Currently I do all my server admin via cPanel and I am assuming changes like these need to be done directly to a file on my server.

I am relieved and assured by the final comment that malicious file execution via FTP is indeed unlikely.
I have done some research now on FTP and what the commands are but I am still at a loss as to how to implement section 4 of ygoutham's reply.

If someone could let me know which file on my server/account I need to modify to achieve the exact specifications mentioned in section 4 of the above reply, then I could certainly allocate points and close this task.

What I need is an FTP usergroup that has limited functions, implementation of a chroot jail and a no-login shell.  That sounds absolutely perfect but I have no idea what file or what commands I need to add to make any of this possible.

Cheers
For the record, my server is running pure-ftpd (but I can switch to proftpd).

I have been looking at my pure_ftpd.conf as I imagine this is the file that I will need to modify.  However, surely modifying this file will affect the operation of all FTP on the server when I just want it to modify the operation of the FTP on one of my accounts.
when you add users you can specify a no login for them

useradd -s /bin/false -d /some/home/directory -g ftp_user_group_here SOME_USER_NAME

this adds a user without any login functionality and belonging only to the ftp_user_group_here

http://www.howtoforge.com/pureftpd_mysql_virtual_hosting_p2

this page gives information on the chroot jail part.
#### quote from page ####
Then create the file /etc/pure-ftpd/conf/ChrootEveryone which simply contains the string yes:
#### end quote ####
Hi again

I still have problems with this.  Firstly, I want the users to be created via php so I am not sure how that useradd command will work in this scenario.  I will have an area on my site that says "create FTP" with a box for username and password.

The HowtoForge page was interesting but I am not sure it is relevant in my case.  I have a dedicated server and my etc/pure-ftpd directory does not contain a /db directory or a /conf directory.  I just have a list of IP addresses as links (which when clicked on take me to the public_ftp folder for that account).  I also have no database table that contains records of FTP users.

At the end of the day all I am really trying to achieve is allowing my users to upload a text file that could be up to 20mb in size.  Preferably it would be via a form on the website where they can upload, but it seems that php is incapable of not timing out or handling anything over 8mb.

I tried creating a flash upload system but the fact I would need to pass sensitive data using a GET command (i.e. using actionscript) ended that idea.

I am sure your solution is perfectly feasible, just I do not understand how to implement this on my server and for the life of me I cannot find any "how to" pages on the internet regarding the basics of FTP servers and the pure ftpd website is a complete waste of space.
I have flicked over to proftpd which seems much much easier to work with.  I can see the group, I can see where the users are being stored and I can see how to add users.

The proftpd.conf file is also far easier to understand as it separates each virtual host so that I can add my more protected approach only to this domain and not affect the other accounts.

Now I can see how this all works and how it all fits into the scope of my project I am definitely happy to accept solutions.

Many thanks
Can anyone address these concerns as applies to vsftpd?
as it applies to VSFTPD???

VSFTP does not let the executable bit be set.  It can at best be a rw-rw-rw- permission only.  I still do not understand the remote execution through the FTP route.  What exactly are the concerns that you would like to get addressed?

Goutham
If I understand it correctly, the file upload size can be set in the php.ini file in the /etc/ directory.  That can be used to upload larger chunks of data (say 30 MB or so), assuming that the internet connection is capable of uploading the same within the timeout window specified.

The very same PHP can be used to set the permissions on the file, move it to an appropriate directory, etc.  Is that the concern that you are asking about?

G