In order to construct a security-based FTP server, vsftpd "Privileges program (privilege)" operating system concepts for the design, if you read the program and resource management section of the Basics, you should know that the implementation of the above systems the program will lead to a program that we call him PID (Process ID), the PID in the system above tasks can be performed with his own permissions. That is, PID has the authority level, the more he was able to multi-task performed. For example, using the root identity triggered PID usually have to carry out any work permission level.
However, if the trigger PID program (program) that have vulnerabilities that result in network cracker (cracker) the attacks achieved this PID use right, then the network will achieve this PID Vendetta has permission na! Therefore, the recent development kit will reduce the PID will try to get permission to service, making the service even accidentally been compromised, the intruder can not get effective system management authority, which would allow our systems more secure it. vsftpd is based on this idea and design.
In addition to the privileges PID aspects, vsftpd chroot This function also supports the function, chroot name suggests is the "change root directory" means, that the root refers to "the root" instead of the system administrator. He can be a particular directory into the root directory, so the directory has no relationship other directories will not be misused.
For example, if you logged in as our anonymous ftp service, then you will usually be defined in / var / ftp directory, and you can see the root directory is actually just / var / ftp, as for other systems such as / etc, / home, / usr ... other directory you can not see it! Thus even if the ftp service is compromised, there is no relationship or only intruder in / var / ftp running around inside of it, but can not use the full functionality of Linux. Natural our system will be more secure it!
vsftpd is based on the above description to design a more secure FTP server software, he has the characteristics of the underlying Oh:
* Vsftpd start the identity service for the general user, so for lower permissions Linux systems, Linux systems for harm reduction on the opposite. In addition, vsftpd also use chroot () function of this change were the root of the action, so that the system will not be vsftpd this tool misuse services;
* Any vsftpd command needs to have a high execute permissions are a special program of the upper (parent process) under the control of the upper program enjoyed a higher authority to perform functions already quite low is limited, and does not affect Linux itself the system shall prevail;
* Most of the ftp command will use the extra functions (dir, ls, cd ...) have been integrated into the main program which vsftpd, so theoretically vsftpd does not require additional instruction to the system, so in the case of the chroot, vsftpd can only operate smoothly and does not require additional functions for the system is also more secure.
* All end and want to use vsftpd higher instruction execution competence of this top program offered by the demand from customers, are considered "untrusted request" to deal with, will need to go through a considerable degree of identification, the party available functions of the upper program. Such as chown (), Login requirements, and so the action;
* In addition, the above-mentioned upper program, still using the chroot () function to restrict user permissions to execute.
With such features, so vsftpd will become relatively safer strategy!