Where is VSFTPD secure?

Source: Internet
Author: User

To provide a secure FTP server, vsftpd is designed around the operating system's concept of "privilege". If you have read the basic chapter on program and resource management, you know that a program executed on the system starts a process, which is identified by its PID (process ID). The tasks that this PID can perform on the system depend on its permissions: the higher the PID's permission level, the more tasks it can perform. For example, a PID started under the root identity usually has permission to do any work on the system.


However, if the program that started this PID has a vulnerability and is attacked by a network intruder (cracker), the intruder obtains the permissions of this PID. For that reason the permissions of the service's PID are reduced, so that even if the service is accidentally infiltrated, intruders cannot obtain effective system management permissions, which makes our system safer. vsftpd is designed based on this idea.


In addition to PID permissions, vsftpd also supports the chroot function. As the name suggests, chroot means "change root directory"; the root here refers to the root directory, not the system administrator. It makes a specific directory the root directory, so directories unrelated to it cannot be misused.


For example, if you log on to our FTP service anonymously, you are usually restricted to working under the /var/ftp directory, and the root directory you see is only /var/ftp. You cannot see the system's other directories such as /etc, /home, /usr and so on. In this way, even if the FTP service is compromised, the damage is contained: intruders can only operate inside /var/ftp and cannot use the complete functions of Linux. Naturally, our system is safer!
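The two mechanisms described above, confining a process with chroot and lowering its permissions, combined in one routine. This is an added example, not vsftpd's own code: the helper name confine_and_drop and the uid/gid 65534 (commonly "nobody") are assumptions, and /var/ftp is the anonymous root named in the text.

```c
/* Added example (not vsftpd source): jail a process, then give up root. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc/musl */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper. Returns 0 on success, or a negative number naming the
 * step that failed. The order of the steps matters. */
int confine_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;   /* "dropping" to root would drop nothing */
    if (chroot(jail) != 0)
        return -2;   /* must happen while still root */
    if (chdir("/") != 0)
        return -3;   /* a working directory left outside the jail defeats it */
    if (setgroups(0, NULL) != 0)
        return -4;   /* shed root's supplementary groups */
    if (setgid(gid) != 0)
        return -5;   /* group first: after setuid() this call would be refused */
    if (setuid(uid) != 0)
        return -6;   /* sets real, effective and saved uid when called as root */
    if (setuid(0) == 0)
        return -7;   /* root must not be recoverable after the drop */
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumptions: /var/ftp as in the text; 65534 is "nobody" on many systems. */
    const char *jail = argc > 1 ? argv[1] : "/var/ftp";
    int rc = confine_and_drop(jail, 65534, 65534);

    if (rc != 0) {
        fprintf(stderr, "step %d failed: %s\n", -rc, strerror(errno));
        return EXIT_FAILURE;
    }
    /* "/" is now the jail, so the host's /etc is not reachable by path. */
    printf("uid=%ld, /etc/passwd visible: %s\n", (long)getuid(),
           access("/etc/passwd", F_OK) == 0 ? "yes" : "no");
    return EXIT_SUCCESS;
}
```

Run as root against an existing directory, the program ends up as an unprivileged user whose "/" is that directory; run as an ordinary user, it stops at step 2 because chroot itself requires root.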


vsftpd is a relatively secure FTP server designed around the ideas above. It has the following features:


* vsftpd starts the service under the identity of an ordinary user, so it holds low permissions on the Linux system, which reduces the harm it can do to the system. In addition, vsftpd uses the chroot() function to change the root directory so that system tools cannot be misused through the vsftpd service;


* Any vsftpd command that requires high execution permissions is controlled by a special upper-layer program (the parent process); this upper-layer program has relatively low execution permission and does not affect the Linux system;


* Most of the additional commands that FTP uses (dir, ls, cd...) have been integrated into the vsftpd main program. In theory, therefore, vsftpd does not need the commands provided by the system. As a result, under chroot vsftpd not only works smoothly, but the system is also safer because no additional commands are required;


* All requests from clients that need the high execution permissions provided by the upper-layer program are treated as untrusted requests, and must pass a considerable degree of identity verification before they can use the functions of the upper-layer program. Examples are chown(), login requests, and so on;


* In addition, the upper-layer program mentioned above still uses the chroot() function to restrict the execution permissions of users.


Because of these features, vsftpd is safer!