Permission and ownership changes

Francesco P. Lovergine frankie at debian.org
Wed Nov 30 13:12:44 UTC 2011


Hi all

Due to recent and past comments about the group ownership and access
permissions for proftpd configuration files, and the obvious consideration
that most of the proftpd files could potentially contain passwords
in one form or another (user passwords as well as system passwords for accessing
external services), I'm going to provide an upgrade/installation hook
to change the group of the proftpd user to 'proftpd' (instead of the current
nogroup) and the default permission to 0640 for all /etc/proftpd files.

That would still allow reading the configuration at startup (as root) and allow
the proftpd main user to access all auth files such as special passwd/group files,
just by setting the right group permission bit, or by ACL.

Those settings will be more defensive against moron^Wforgetful admins.

Comments?

-- 
Francesco P. Lovergine
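
An added example, not part of the original message and not the Debian package's actual hook: a shell audit and fix for the policy proposed above (group 'proftpd', mode 0640 on files under /etc/proftpd). The function names audit_conf and apply_policy are assumptions; the audit reports any regular file with a permission bit outside 0640 or with a group other than the one given.

```shell
#!/bin/sh
# Added example, not the Debian package's maintainer script.
# Policy from the message: /etc/proftpd files are group 'proftpd', mode 0640.
# audit_conf and apply_policy are hypothetical names.

# audit_conf DIR [GROUP]
# Prints "mode  PATH" for each regular file with a permission bit outside 0640
# (owner x, group w/x, other r/w/x) and "group PATH" for each regular file
# whose group is not GROUP. Returns 0 when nothing is reported, 1 otherwise.
audit_conf() {
    conf_dir=$1
    conf_grp=${2:-proftpd}
    report=$(
        find "$conf_dir" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
            -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print |
            sed 's/^/mode  /'
        find "$conf_dir" -type f ! -group "$conf_grp" -print |
            sed 's/^/group /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# apply_policy DIR [GROUP]
# Sets GROUP and mode 0640 on regular files. -type f does not match symlinks
# or directories, so link targets outside DIR are never touched.
apply_policy() {
    find "$1" -type f -exec chgrp "${2:-proftpd}" {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# Stand-alone use: sh audit.sh /etc/proftpd [group]
if [ $# -gt 0 ]; then
    audit_conf "$@"
fi
```

A file that is stricter than the policy, such as 0600, passes the audit; apply_policy normalizes it to 0640 so the proftpd group can read it.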



More information about the Pkg-proftpd-maintainers mailing list