Security issue

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Pilgrim
500 Command not understood
Posts: 5
Joined: 2022-01-26 07:38
First name: Debian
Last name: Twinkle

Security issue

#1 Post by Pilgrim » 2022-01-26 07:52

Hi, please help me solve a problem. I installed FileZilla Server on Debian 11 and everything works, but I noticed something strange: all files uploaded to the server by users have the superuser (root) as owner and group. This is very bad for security. I need the files to have a different owner, www-data. How do I do that?

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Security issue

#2 Post by botg » 2022-01-26 08:55

You can use impersonation for this. Select "Use system credentials to log in" and check "Use system credentials also for accessing files and directories". Then all files are created with the user and primary group of the logged in user.

You can also change the user/group the service runs under by editing /etc/systemd/system/filezilla-server.service, but in that scenario impersonation cannot be used. Make sure to setcap CAP_NET_BIND_SERVICE on the main executable if you want to have the server listen on privileged ports.

Re: Security issue

#3 Post by Pilgrim » 2022-01-26 09:16

botg wrote (2022-01-26 08:55):
You can also change the user/group the service runs under by editing /etc/systemd/system/filezilla-server.service, but in that scenario impersonation cannot be used.
Thank you. Please let me know what exactly should be changed in filezilla-server.service?

[Unit]
Description=A free open source FTP and FTPS Server.
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/opt/filezilla-server/bin/filezilla-server --config-dir /opt/filezilla-server/etc

[Install]
WantedBy=multi-user.target

Re: Security issue

#4 Post by Pilgrim » 2022-01-26 09:23

Is it enough to add the following entries to the [Service] section?

User=www-data
Group=www-data

Re: Security issue

#5 Post by botg » 2022-01-26 10:05

Should be.

Re: Security issue

#6 Post by Pilgrim » 2022-01-26 18:22

Changes made to filezilla-server.service:

[Unit]
Description=A free open source FTP and FTPS Server.
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/opt/filezilla-server/bin/filezilla-server --config-dir /opt/filezilla-server/etc
User=www-data
Group=www-data

[Install]
WantedBy=multi-user.target
Changed the owner and group of a directory:

sudo chown -R www-data:www-data /opt/filezilla-server

Filezilla-server starts but throws an error:

~$ sudo /opt/filezilla-server/bin/filezilla-server
2022-01-26T18:07:08.162Z == Setting up TLS for the FTP Server
2022-01-26T18:07:08.163Z == SHA1 certificate fingerprint: a2:0d:8e:cf:25:76:8a:98:7f:14:ed:0b:b1:9b:ca:c6:2c:97:6e:a6
2022-01-26T18:07:08.163Z == SHA256 certificate fingerprint: 51:ce:22:63:54:2d:46:1a:0e:c3:eb:f7:d8:63:91:cb:12:64:f4:db:76:23:66:34:2a:90:42:49:e2:ac:fd:13
2022-01-26T18:07:08.163Z == Setting up TLS for the Administration Server
2022-01-26T18:07:08.163Z == SHA1 certificate fingerprint: a7:32:1e:c4:26:13:9f:c7:87:07:e5:9d:6e:51:91:95:b2:af:4e:d0
2022-01-26T18:07:08.163Z == SHA256 certificate fingerprint: 92:e3:ce:3e:b2:e1:b6:2e:29:f1:76:94:ac:b2:46:ea:0d:6f:09:57:59:bd:5b:bb:d6:06:6e:7a:90:e6:a4:b2
2022-01-26T18:07:08.163Z == [FTP Server] Listening on 0.0.0.0:21 (tls_mode = 0).
2022-01-26T18:07:08.163Z == [FTP Server] Listening on :::21 (tls_mode = 0).
2022-01-26T18:07:08.163Z !! [Administration Server] Couldn't bind on 127.0.0.1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:08.163Z !! [Administration Server] Couldn't bind on ::1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:09.163Z !! [Administration Server] Couldn't bind on 127.0.0.1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:09.163Z !! [Administration Server] Couldn't bind on ::1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:10.163Z !! [Administration Server] Couldn't bind on 127.0.0.1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:10.163Z !! [Administration Server] Couldn't bind on ::1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:11.163Z !! [Administration Server] Couldn't bind on 127.0.0.1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:11.163Z !! [Administration Server] Couldn't bind on ::1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.

What could be the problem? :?

Re: Security issue

#7 Post by Pilgrim » 2022-01-26 22:01

Never mind, I think I managed to solve my issue.
And ignore that previous log, that was just a mistake and unrelated.
After changing the user and group to a different user, filezilla was unable to bind the port:
Couldn't bind on IP:21 Reason: EACCES - Permission denied
I managed to solve this by adding this line to the [Service] section of filezilla's service:
AmbientCapabilities=CAP_NET_BIND_SERVICE

So in the end it looked like this:
[Service]
ExecStart=/opt/filezilla-server/bin/filezilla-server --config-dir /opt/filezilla-server/etc
User=www-data
Group=www-data
AmbientCapabilities=CAP_NET_BIND_SERVICE

After saving, reloading daemon and restarting the service, it all works now. Thanks for all your help. :D
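A small check for the procedure in this thread, added here and not code from the thread or the FileZilla project: it parses the unit file for the User= and AmbientCapabilities= lines discussed above, reports the root case and the EACCES case, and can confirm the uid and ambient capability mask of the running process. The unit path and service name are assumed from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): verify a filezilla-server unit file runs
# as a non-root user and carries the capability needed to bind port 21, then
# optionally confirm the same on the live process. Paths are assumed.

# unit_value FILE KEY: print every KEY= value in [Service], space separated
unit_value() {
    awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 {
            v = substr($0, length(key) + 2)
            val = (val == "" ? v : val " " v)
        }
        END { print val }' "$1"
}

# check_unit FILE: 0 = non-root with CAP_NET_BIND_SERVICE, 1 = runs as root,
# 2 = non-root but binding port 21 would fail with EACCES (as in post #7)
check_unit() {
    user=$(unit_value "$1" User)
    user=${user##* }                      # systemd keeps the last User= line
    caps=$(unit_value "$1" AmbientCapabilities)
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "$1: service runs as root, uploads will be owned by root"
        return 1
    fi
    case " $caps " in
        *" CAP_NET_BIND_SERVICE "*)
            echo "$1: runs as $user and may bind privileged ports"; return 0 ;;
        *)
            echo "$1: User=$user but no AmbientCapabilities=CAP_NET_BIND_SERVICE"
            return 2 ;;
    esac
}

# live_check SERVICE: read uid and ambient capability mask of the main process
# from /proc (CAP_NET_BIND_SERVICE is capability 10, i.e. bit 0x400 of CapAmb)
live_check() {
    pid=$(systemctl show -p MainPID --value "$1")
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "$1 not running"; return 1; }
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    amb=$(awk '/^CapAmb:/ { print $2 }' "/proc/$pid/status")
    echo "$1: pid $pid uid $uid CapAmb $amb"
    [ "$uid" -ne 0 ] && [ $(( 0x$amb & 0x400 )) -ne 0 ]
}

if [ $# -gt 0 ]; then
    check_unit "$1"                       # e.g. /etc/systemd/system/filezilla-server.service
fi
```

Run check_unit on the unit file after editing it, and live_check filezilla-server after systemctl daemon-reload and a restart; the second confirms the process really dropped root and kept only the bind capability.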

Re: Security issue

#8 Post by botg » 2022-01-27 08:38

I managed to solve this by adding this line to the [Service] section of filezilla's service:
AmbientCapabilities=CAP_NET_BIND_SERVICE
Interesting. Didn't know this nifty option yet.