Next Previous Contents

2. Security

  1. The server accepts anonymous connections only. It never asks a user to send a password.
  2. The server does not switch user context and does not need to run as root. You can select any suitable account for the FTP server.
  3. The server does not introduce any new security mechanism. It relies on the operating system to control access to the file system. We consider introducing a new security mechanism dangerous because it is not integrated into the OS: it is much easier to bypass an add-on mechanism than an integrated one (even unintentionally or inadvertently). This can cause more trouble than it is worth.
  4. The read-only mode of the server (command-line option -r) should not be treated as a security mechanism in any case. It is only a convenient way to disable all write operations in the server at once. Do not rely on it as a security mechanism.
  5. Libra is an FTP server only. Its purpose is to transfer files, delete them, and create or remove directories. It cannot execute other external programs (as WuFtpd can with SITE EXEC).
  6. Libra implements a subset of the non-standard commands found in the WuFtp daemon. Commands that could lead to security leaks, or that have no meaning for an anonymous server, are not implemented.
  7. The server does not run any external program. It has its own implementation of directory listing and does not invoke ls for that.
  8. The program does not implement any server-side filtering of directory listings (like ls foo*bar). This was left out because such an approach is vulnerable to "denial of service" attacks.
  9. SIZE returns the size of a file for the local 8-bit byte data transfer type (TYPE L8) only. Trying to return the exact number of octets for the ASCII data transfer type (TYPE A) would be vulnerable to "denial of service" attacks: the server would have to open the file and read its entire content to count the newlines, while the attacker receives only a few bytes of server reply in return.
  10. The server does not support restarting a broken transfer (REST) in ASCII transfer mode (TYPE A), because this ability would be vulnerable to "denial of service" attacks. The attacker could instruct the server to send him just a few bytes from a big file. Skipping the initial portion of the file by reading it and doing LF -> CRLF translation could consume a significant share of system resources, while the attacker receives only a few bytes of the file.
  11. If the remote party sends a bogus command, the server responds only with a statement that the command is not recognized. This approach does not replicate bogus and potentially dangerous data in the reply.
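The following is an added example, not Libra's own code: a minimal FTP control-command handler that applies the SIZE and REST policy of items 9 and 10 and the unrecognized-command reply of item 11, and shows (ascii_octets) what a TYPE A SIZE would have to do. Session, make_sample_root, the sample file and the exact reply texts are constructed for this illustration; only TYPE A and TYPE L 8 are accepted to mirror the text.

```python
import os
import tempfile

def ascii_octets(path: str) -> int:
    """Cost of a TYPE A SIZE: read everything, add one CR per LF."""
    total = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            total += len(chunk) + chunk.count(b"\n")
    return total

class Session:
    def __init__(self, root: str):
        self.root = root
        self.xfer_type = "A"  # RFC 959 default is ASCII

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "TYPE":
            code = arg.upper().replace(" ", "")
            if code in ("L8", "A"):
                self.xfer_type = code
                return f"200 Type set to {arg.upper()}."
            return "504 Command not implemented for that parameter."
        if cmd == "SIZE":
            # Item 9: answer only when the count is one stat() away.
            if self.xfer_type != "L8":
                return "550 SIZE not allowed in ASCII mode."
            path = os.path.join(self.root, os.path.basename(arg))
            try:
                return f"213 {os.stat(path).st_size}"
            except OSError:
                return "550 No such file."
        if cmd == "REST":
            # Item 10: resuming in ASCII mode would mean reading and
            # translating the skipped prefix, so it is refused outright.
            if self.xfer_type != "L8":
                return "504 REST not allowed in ASCII mode."
            if not arg.isdigit():
                return "501 Syntax error in parameters."
            return f"350 Restarting at {arg}. Send RETR."
        # Item 11: bogus input is never echoed back in the reply.
        return "500 Command not recognized."

def make_sample_root() -> str:
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "data.bin"), "wb") as f:
        f.write(b"a\nb\nc")  # constructed sample: 5 bytes, 2 LFs
    return root
```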

