FTP-Proxy comes with several configuration features that help
to increase local system security, namely ServerRoot,
User and Group.

How FTP-Proxy is started needs to be considered. One
possible way is via the system's inetd (or xinetd) Internet Super
Daemon. In this case FTP-Proxy will not fork or become a daemon.
It will serve the client and terminate itself after delivery.

When configuring (x)inetd to include the ftp-proxy executable,
ServerRoot (chroot) should be used.
The User and Group need not be given if they
are specified in the inetd configuration itself.

The User and Group options should be
considered for standalone operation. In this case ftp-proxy
will bind the listening socket to the port number set using the
Port and Listen options, perform the chroot
operation if ServerRoot is used, drop privileges to
the UID/GID set with the User and Group options,
and open the log.

It might be a good idea to create a new user (e.g. "ftpproxy") as well as a group (e.g. "ftpproxy") to get finer granularity in user administration.

When using ServerRoot, please note that usually other
files need to be installed into the runtime environment as well,
e.g. the /dev/null device, system databases like /etc/services and
/etc/hosts, libraries like libc and possibly others (e.g. libcrypt
under AIX 4.3, a resolver library like libresolv, or libnss
libraries on systems using the Name Service Switch - see also
nsswitch.conf(5)).

If you are using the User and Group options,
you may also need the /etc/passwd and /etc/group files.

The sample run level script rc.script for (SuSE)
Linux supports the preparation of a chroot runtime
environment - see the description in rc.script.txt.
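
The following added example (not part of FTP-Proxy or its rc.script) audits a directory intended as ServerRoot for the files listed above and reports what is missing. The function name, the library directories searched, and the sample path in the last comment are assumptions.

```sh
#!/bin/sh
# Added example: audit a ServerRoot tree before enabling chroot.
# Path list follows the text above; library locations vary per system.

# Usage: check_serverroot ROOT [USER] [GROUP]
# Prints each missing item on its own line; returns 1 if any is missing.
check_serverroot() {
    root=$1; user=${2:-}; group=${3:-}; missing=""

    # /dev/null must be a character device, not a regular file.
    [ -c "$root/dev/null" ] || missing="$missing dev/null"

    # System databases the proxy may read after chroot.
    for f in etc/services etc/hosts; do
        [ -r "$root/$f" ] || missing="$missing $f"
    done

    # libc must exist in one of the usual library directories.
    found=""
    for d in lib lib64 usr/lib usr/lib64; do
        for l in "$root/$d"/libc.* "$root/$d"/*/libc.*; do
            if [ -e "$l" ]; then found=1; fi
        done
    done
    [ -n "$found" ] || missing="$missing libc"

    # chroot happens before privileges are dropped, so User and Group
    # names may be looked up in the files inside ROOT (assumption
    # based on the order of operations described above).
    if [ -n "$user" ]; then
        grep -q "^$user:" "$root/etc/passwd" 2>/dev/null ||
            missing="$missing etc/passwd:$user"
    fi
    if [ -n "$group" ]; then
        grep -q "^$group:" "$root/etc/group" 2>/dev/null ||
            missing="$missing etc/group:$group"
    fi

    for m in $missing; do echo "$m"; done
    [ -z "$missing" ]
}

# Example call (constructed path and names):
# check_serverroot /var/lib/ftp-proxy/rundir ftpproxy ftpproxy
```

The check covers only libc among the libraries; running `ldd` on the ftp-proxy binary shows which further libraries your system requires inside the chroot.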