> > 1. Using no ftp -> no chance
>
> You didn't say but are you using ftp for upload access? Since ftp
> sends passwords in the clear it is unsuitable in these days of a
> hostile Internet for any purpose other than anonymous downloading.
>

I need full access from all clients to their home directory, including uploads. I'm aware of the security risks of using ftp. But there isn't another option like sftp: ~60 clients with a minimum of knowledge of security risks and technical understanding. It will be a hard and non-profitable way to switch over to sftp or even http.

> > 2. Avoid using chroot is in my opinion a bad idea on a public
> > accessible ftpd.
>
> But you are already using ftp. Talking about security at that point
> is like putting a heavy duty lock on a screen door. No matter how
> good the lock it is still a screen door and won't stop anyone who
> wants to run through it.
>
> > 3. Compiling vsftpd >3.0 from source and using
> > allow_writeable_chroot=YES: This would lead in using non Debian
> > packages and watching them separately.
>
> Use a Debian watch file. See the 'uscan' program for details. But
> you can have it automatically notify you when new versions arrive.
>

Sounds interesting. I will have a look...

> > 4. Using packages from Jessie: My preferred choice. But how to
> > control security updates?
>
> Does the Jessie vsftpd allow writable chroots? Sounds like a bug to
> be filed to me.
>

It is a "problem" of vsftpd. They decided to disable ftp with writable $HOME if chroot is enabled [1], [2]. It's a matter of old versions in Debian. Jessie provides the newer version with the new config setting.

Regards

[1]: https://security.appspot.com/vsftpd/Changelog.txt (Version 2.3.5)
[2]: https://security.appspot.com/vsftpd/FAQ.txt (Q3)
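The writable-chroot behaviour discussed in this thread can be checked per home directory before touching a production server. The script below is an added example, not part of the original message or of vsftpd; the function names and result labels are hypothetical, and it assumes only `chroot_local_user` decides whether a user is chrooted and that "writable" means the owner write bit on the directory.

```shell
#!/bin/sh
# Added example: predict how a chroot()ed vsftpd login treats a home directory.
# Simplifications (assumptions): chroot_list_enable and per-user overrides are
# ignored, and "writable" is approximated by the owner write bit (mode 0200).

# Print the last value assigned to an option in a vsftpd.conf-style file.
# vsftpd expects "option=value" with no spaces around "=", so match that form.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r' | tr '[:lower:]' '[:upper:]'
}

# chroot_state CONF HOME prints one of:
#   no-chroot                     local users are not chrooted at all
#   chroot-readonly-root          chroot root is not writable, accepted as is
#   chroot-writable-root-allowed  writable root accepted via allow_writeable_chroot
#   login-refused                 writable root inside chroot, vsftpd rejects the login
chroot_state() {
    conf=$1
    home=$2
    [ "$(conf_get "$conf" chroot_local_user)" = "YES" ] || { echo "no-chroot"; return; }
    if [ -z "$(find "$home" -maxdepth 0 -perm -200)" ]; then
        echo "chroot-readonly-root"
    elif [ "$(conf_get "$conf" allow_writeable_chroot)" = "YES" ]; then
        # Only the newer vsftpd mentioned in the thread understands this option.
        echo "chroot-writable-root-allowed"
    else
        echo "login-refused"
    fi
}

# Stand-alone use: ./check.sh /etc/vsftpd.conf /home/someuser
if [ "$#" -eq 2 ]; then
    chroot_state "$1" "$2"
fi
```

A result of `chroot-readonly-root` corresponds to the layout that works without the new setting: a home directory the user cannot write to, with a writable subdirectory inside it for uploads.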