[BlueOnyx:10661] Re: FTPS on Blueonyx?

Chuck Tetlow chuck at tetlow.net
Thu May 24 12:00:08 -05 2012


Yes there is a difference.  And SFTP can be a BAD thing!  Because while the FTP server limits where a site user or admin can go - SFTP doesn't.

If you FTP in as a site admin, you can only go up to the site's root / directory - which translates to /home/sites/www.domain1.tld/.  In the FTP session - a user or admin can't even see there is anything higher, let alone get into it.

But if you SFTP in as that same site admin, you can go all the way up to the system's root directory.  They can browse the entire server's directory tree, and read anything that has readable permissions.  Whether they can write files elsewhere in the system or modify them depends on the directory permissions.  But that's plausible, especially in the /tmp directory.  (Can you imagine what could be done by someone placing executable code in the /tmp directory and then executing it by calling it from a PHP script in their website??)

Also with SFTP, a site admin can go down from /home/sites/ into other sites' /home/sites/www.domain2.tld directories and read anything in there that has world read permissions.  Potentially things that the owners of domain2 didn't want others to see.

So it's a security issue.  That's why I won't allow SFTP by users or site admins on my server.  I trust those guys, but only so far.  Just have them use FTP or FTPS.

Chuck

---------- Original Message -----------
From: Wayne Michael <wrmichael at hotmail.com> 
To: <blueonyx at mail.blueonyx.it> 
Sent: Thu, 24 May 2012 12:32:52 -0400 
Subject: [BlueOnyx:10660] Re: FTPS on Blueonyx?

> There is a difference with FTPS and SFTP isn't there? 
> 
> one uses SSH and other does not. 
> 
> I use SFTP and that requires SSH to be turned on (Shell access). 
------- End of Original Message -------
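One way to close the gap Chuck describes on the SSH side, as an added example that is not part of this thread and not BlueOnyx's shipped configuration: an OpenSSH `Match` block with `ChrootDirectory` and `ForceCommand internal-sftp` confines SFTP-only users to their site directory the way the FTP server does. It assumes an OpenSSH release that supports `ChrootDirectory`, a supplementary group named `sftponly` for the site users, and that each such user's home is the site directory from the post (e.g. `/home/sites/www.domain1.tld`); OpenSSH requires that directory and every parent to be root-owned and not group- or world-writable, so the user's writable area must be a subdirectory beneath it.

```sshd_config
# Added example, not the BlueOnyx shipped sshd_config.
# Assumed: SFTP-capable site users are in supplementary group "sftponly",
# and each user's home is the site root (root-owned, mode 755) with a
# user-writable subdirectory such as "web" beneath it.

# --- Weak: the default, no confinement ---
# With only a global sftp-server subsystem and no Match block, an SFTP
# login starts at the site directory but can walk the whole tree.
#Subsystem sftp /usr/libexec/openssh/sftp-server   (path is distribution-specific)

# --- Corrected: in-process SFTP server so it works inside the chroot ---
Subsystem sftp internal-sftp

Match Group sftponly
    # Chroot to the user's home; "/" inside the session is the site root,
    # so /home/sites/, /tmp and other sites' directories are not reachable.
    ChrootDirectory %h
    # Only SFTP, never an interactive shell or arbitrary command.
    ForceCommand internal-sftp
    # Remove the other tunnelling paths SSH would otherwise allow.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Run `sshd -t` to syntax-check the file before restarting, and verify with a test login that `cd ..` from the site root stays at `/` and that writes succeed only in the intended subdirectory.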
 