Security issue

Posted: 2022-01-26 07:52
by Pilgrim
Hi, please help me solve the problem. I installed FileZilla Server on Debian 11 and everything works, but I saw something strange: all files uploaded to the server by users have the superuser, root, as owner and group. This is very bad for security; I need the files to have a different owner, www-data. How do I do that?

Re: Security issue

Posted: 2022-01-26 08:55
by botg
You can use impersonation for this. Select "Use system credentials to log in" and check "Use system credentials also for accessing files and directories". Then all files are created with the user and primary group of the logged in user.

You can also change the user/group the service runs under by editing /etc/systemd/system/filezilla-server.service, but in that scenario impersonation cannot be used. Make sure to setcap CAP_NET_BIND_SERVICE on the main executable if you want to have the server listen on privileged ports.

Re: Security issue

Posted: 2022-01-26 09:16
by Pilgrim
botg wrote (2022-01-26 08:55):
You can also change the user/group the service runs under by editing /etc/systemd/system/filezilla-server.service, but in that scenario impersonation cannot be used.
Thank you
Please let me know what exactly should be changed in filezilla-server.service?


[Unit]
Description=A free open source FTP and FTPS Server.
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/opt/filezilla-server/bin/filezilla-server --config-dir /opt/filezilla-server/etc

[Install]
WantedBy=multi-user.target

Re: Security issue

Posted: 2022-01-26 09:23
by Pilgrim
Is it enough to add the following entries to the [Service] section?

User=www-data
Group=www-data

Re: Security issue

Posted: 2022-01-26 10:05
by botg
Should be.

Re: Security issue

Posted: 2022-01-26 18:22
by Pilgrim
Changes made to filezilla-server.service :

[Unit]
Description=A free open source FTP and FTPS Server.
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/opt/filezilla-server/bin/filezilla-server --config-dir /opt/filezilla-server/etc
User=www-data
Group=www-data

[Install]
WantedBy=multi-user.target


Changed the owner and group of a directory:

sudo chown -R www-data:www-data /opt/filezilla-server

Filezilla-server starts but throws an error:

~$ sudo /opt/filezilla-server/bin/filezilla-server
2022-01-26T18:07:08.162Z == Setting up TLS for the FTP Server
2022-01-26T18:07:08.163Z == SHA1 certificate fingerprint: a2:0d:8e:cf:25:76:8a:98:7f:14:ed:0b:b1:9b:ca:c6:2c:97:6e:a6
2022-01-26T18:07:08.163Z == SHA256 certificate fingerprint: 51:ce:22:63:54:2d:46:1a:0e:c3:eb:f7:d8:63:91:cb:12:64:f4:db:76:23:66:34:2a:90:42:49:e2:ac:fd:13
2022-01-26T18:07:08.163Z == Setting up TLS for the Administration Server
2022-01-26T18:07:08.163Z == SHA1 certificate fingerprint: a7:32:1e:c4:26:13:9f:c7:87:07:e5:9d:6e:51:91:95:b2:af:4e:d0
2022-01-26T18:07:08.163Z == SHA256 certificate fingerprint: 92:e3:ce:3e:b2:e1:b6:2e:29:f1:76:94:ac:b2:46:ea:0d:6f:09:57:59:bd:5b:bb:d6:06:6e:7a:90:e6:a4:b2
2022-01-26T18:07:08.163Z == [FTP Server] Listening on 0.0.0.0:21 (tls_mode = 0).
2022-01-26T18:07:08.163Z == [FTP Server] Listening on :::21 (tls_mode = 0).
2022-01-26T18:07:08.163Z !! [Administration Server] Couldn't bind on 127.0.0.1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:08.163Z !! [Administration Server] Couldn't bind on ::1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:09.163Z !! [Administration Server] Couldn't bind on 127.0.0.1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:09.163Z !! [Administration Server] Couldn't bind on ::1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:10.163Z !! [Administration Server] Couldn't bind on 127.0.0.1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:10.163Z !! [Administration Server] Couldn't bind on ::1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:11.163Z !! [Administration Server] Couldn't bind on 127.0.0.1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.
2022-01-26T18:07:11.163Z !! [Administration Server] Couldn't bind on ::1:14148. Reason: EADDRINUSE - Local address in use. Retrying in 1 seconds.

What could be the problem? :?

Re: Security issue

Posted: 2022-01-26 22:01
by Pilgrim
Nevermind, I think I managed to solve my issue.
And ignore that previous log, that was just a mistake and unrelated.
After changing the user and group to a different user, filezilla was unable to bind the port:
Couldn't bind on IP:21 Reason: EACCES - Permission denied
I managed to solve this by adding this line to the [Service] section of filezilla's service:
AmbientCapabilities=CAP_NET_BIND_SERVICE

so in the end it looked like this:
[Service]
ExecStart=/opt/filezilla-server/bin/filezilla-server --config-dir /opt/filezilla-server/etc
User=www-data
Group=www-data
AmbientCapabilities=CAP_NET_BIND_SERVICE

After saving, reloading daemon and restarting the service, it all works now. Thanks for all your help. :D
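
As an added example (not code from this thread or from the FileZilla project), here is a small Python checker that reads a unit file like the ones posted above and reports the two things this thread ran into: a service that still runs as root, so every upload is created as root:root, and a non-root User= without CAP_NET_BIND_SERVICE, which is what produces the EACCES on port 21. The sample unit texts are constructed from the posts; the binary_has_file_cap parameter is an assumed stand-in for a binary that has been given the capability with setcap, as botg described, because file capabilities cannot be read from the unit file itself.

```python
"""Audit a systemd unit for the ownership and port-binding issues from the thread."""
import configparser

PRIVILEGED_PORT_MAX = 1023  # binding below 1024 needs CAP_NET_BIND_SERVICE (or root)

# Constructed from the thread: the unit as first posted (runs as root).
UNIT_BEFORE = """
[Unit]
Description=A free open source FTP and FTPS Server.
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/opt/filezilla-server/bin/filezilla-server --config-dir /opt/filezilla-server/etc

[Install]
WantedBy=multi-user.target
"""

# Constructed: User/Group added but no capability, the state that gave EACCES on :21.
UNIT_USER_ONLY = UNIT_BEFORE.replace(
    "[Install]", "User=www-data\nGroup=www-data\n\n[Install]")

# Constructed: the final working unit from the thread.
UNIT_AFTER = UNIT_BEFORE.replace(
    "[Install]",
    "User=www-data\nGroup=www-data\nAmbientCapabilities=CAP_NET_BIND_SERVICE\n\n[Install]")


def parse_unit(text: str) -> configparser.ConfigParser:
    """Parse a systemd unit. Keys are case-sensitive and may repeat, so keep
    case, disable interpolation ('%' specifiers are legal in units) and use
    non-strict mode so a repeated key does not raise (last value wins here;
    note systemd merges repeated list settings rather than replacing them)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_service(text: str, listen_ports, binary_has_file_cap: bool = False):
    """Return a list of findings (empty means the unit looks consistent).

    listen_ports: ports the daemon is configured to bind (e.g. [21, 14148]).
    binary_has_file_cap: assumed flag meaning the executable already carries
    cap_net_bind_service as a file capability (the setcap route).
    """
    cp = parse_unit(text)
    svc = cp["Service"] if cp.has_section("Service") else {}
    findings = []

    user = svc.get("User", "root").strip() or "root"
    if user == "root":
        # Root can bind any port, so the only problem is file ownership.
        findings.append(
            "service runs as root: every uploaded file is created as root:root; "
            "set User=/Group= or use impersonation")
        return findings

    ambient = set(svc.get("AmbientCapabilities", "").split())
    can_bind_low_ports = "CAP_NET_BIND_SERVICE" in ambient or binary_has_file_cap
    privileged = [p for p in listen_ports if p <= PRIVILEGED_PORT_MAX]
    if privileged and not can_bind_low_ports:
        findings.append(
            f"User={user} cannot bind privileged port(s) {privileged}: expect "
            "EACCES at startup; add AmbientCapabilities=CAP_NET_BIND_SERVICE "
            "or setcap cap_net_bind_service on the binary")
    return findings


if __name__ == "__main__":
    for name, unit in (("before", UNIT_BEFORE), ("user only", UNIT_USER_ONLY),
                       ("after", UNIT_AFTER)):
        print(name, "->", audit_service(unit, [21, 14148]) or "ok")
```

The checker deliberately stops after the root finding: once User= is set, the port question becomes relevant, and only then does it matter whether the capability comes from AmbientCapabilities= in the unit or from a file capability on the executable. AmbientCapabilities= needs systemd 229 or newer, which Debian 11 satisfies.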

Re: Security issue

Posted: 2022-01-27 08:38
by botg
I managed to solve this by adding this line to the [Service] section of filezilla's service:
AmbientCapabilities=CAP_NET_BIND_SERVICE
Interesting. Didn't know this nifty option yet.