Security for FTP connection within a server

Question

In PHP, I am accessing another user's files using FTP on the same server. In this case, do I need to use secure FTP or is it ok to have normal FTP as both source and destination are on the same server?

Adding after getting some comments and answers: One website is accessing files of another website for some processing requirements and cloning. There is no permission issue. Both websites are under different users in linux so PHP code executing under 1 user cannot access files of another user for copying. Also, I am using FTP (which is already there on the server) because in future these websites may be on different servers. But now they are on same server.

Notes: - Both website users cannot be added to same group as this is the only time one website accesses files of another site. After that they should not be able to access files of one another.

The important question is if the traffic is sent to the network or only internally within the server. — schroeder, Jan 23 '19 at 12:44

score 1 · Answer 1 · answered Jan 23 '19 at 13:05

This sounds like the xy problem.

But before I get into that.....

There are several reasons why FTP is generally disliked. Here, the number one reason will be that passwords are sent across the network in clear text - and hence easy to capture. But the (by default) separate data channel is also a pain to deal with on firewalls. If you are not crossing the network then you've addressed these issues.

But do you know for sure that this will always be the case?

A very simple tenet of Security is that you don't install/run software you don't need. Hence unless the host is already running a XXXX server for a very good reason, then adding one is bad for security.

If we are talking about Unix/Linux hosts, then they almost always be running an ssh server - which gives a lot of weight to favouring sftp/scp over ftp/ftps.

Almost as bad as sending passwords across a network is writing them, unencrypted to your filesystem. for your code to connect to sftp/ftp/ftps it needs a password or a private key. Anything which avoided this requirement would be beneficial to the security.

Which brings us to the real issue...

If your code is unable to read the required files which exist on the local filesystem then your permissions model is wrong. That is the issue you should be addressing.

One website is accessing files of another website for some processing requirements and cloning. There is no permission issue. Both websites are under different users in linux so PHP code executing under 1 user cannot access files of another user for copying. Also, I am using FTP (which is already there on the server) because in future these websites may be on different servers. But now they are on same server. — Vishnu, Jan 23 '19 at 14:03
That is a permissions issue. Please learn how Unix permissions work. In order to share files they just need a common group. Your second last sentence refutes the premise of your question. — symcbean, Jan 23 '19 at 14:18

Security for FTP connection within a server

1 Answers1