Opened 19 years ago

Last modified 19 years ago

#1769 closed defect

proftpd instructions — at Initial Version

Reported by: bdubbs@… Owned by: blfs-book@…
Priority: high Milestone: 6.2.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

From Alexander E. Patrakov:

The current BLFS instructions for proftpd include the following:

install_user=proftpd install_group=proftpd \
./configure --prefix=/usr --sysconfdir=/etc \
            --localstatedir=/var/run

This results in the /usr/sbin/proftpd binary being owned by the proftpd user. This is very wrong. Daemon binaries should be owned by root but run as a user.

Suppose that someone finds a security hole in proftpd that gives read-write access outside /home/ftp with the rights of the proftpd user (i.e., the user for anonymous access). This hole becomes a root hole then, because the attacker can overwrite /usr/sbin/proftpd and wait for a server reboot.
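The property the report argues for (daemon binary owned by root and not writable by the account it runs as) can be audited with a small script. This is an added example, not code from the ticket, the BLFS book or the proftpd project; it assumes the daemon runs as user and group `proftpd` and uses GNU `stat` syntax.

```shell
#!/bin/sh
# Added example: audit a daemon binary's ownership and mode for the ticket's
# property. A root-owned, non-writable binary cannot be replaced by a
# compromised daemon account and then run as root on the next restart.

# check_binary_policy OWNER GROUP MODE RUN_USER RUN_GROUP
# MODE is the octal string printed by `stat -c %a` (e.g. 755 or 4755).
# Returns 0 if RUN_USER:RUN_GROUP cannot modify the file, 1 otherwise.
check_binary_policy() {
    owner=$1; group=$2; m=$3; run_user=$4; run_group=$5
    while [ ${#m} -lt 4 ]; do m=0$m; done   # pad: 755 -> 0755 (no printf %d: it would read octal)
    o=${m#???}                              # "other" digit
    g=${m%?}; g=${g#??}                     # group digit
    if [ "$owner" != root ]; then
        echo "FAIL: owned by '$owner', expected root"; return 1
    fi
    case $o in 2|3|6|7)
        echo "FAIL: world-writable (mode $m)"; return 1 ;;
    esac
    if [ "$group" = "$run_group" ]; then
        case $g in 2|3|6|7)
            echo "FAIL: daemon group '$group' can write (mode $m)"; return 1 ;;
        esac
    fi
    echo "OK: root-owned, not writable by $run_user:$run_group (mode $m)"
    return 0
}

# check_installed_binary PATH RUN_USER RUN_GROUP
# Reads the real metadata (GNU stat; on BSD/macOS use stat -f '%Su %Sg %Lp').
check_installed_binary() {
    meta=$(stat -c '%U %G %a' "$1") || return 1
    # word-split the three stat fields, then append the run-as account
    set -- $meta "$2" "$3"
    check_binary_policy "$1" "$2" "$3" "$4" "$5"
}

# Demonstration (constructed metadata): what the old instructions produced
# versus what the ticket asks for.
check_binary_policy proftpd proftpd 755 proftpd proftpd || :
check_binary_policy root    root    755 proftpd proftpd
```

Run `check_installed_binary /usr/sbin/proftpd proftpd proftpd` on a host to test the actual installed file.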

Change History (0)
