Secure FTP server
Question: am I safe to give out FTP access from an FTP server I run on the Linode to people who could be running exec commands at will? Could they ever access the filesystem root with a nefarious command? Is my FTP server secure?
Just to clarify, are you using FTP or SFTP when you attempt to make these connections? In general, FTP alone is something I can't recommend since it has a number of security flaws, the most severe being that it sends packets unencrypted in plaintext which can easily be read by passive tools like packet sniffers. I can strongly recommend using SFTP instead as a different option. You should always be able to make an SFTP connection by using syntax similar to the following:
sftp [email protected]
Additionally, to further secure your connection, you should be able to create sftp jails. For a little more information regarding how to do this, I'm including some of our documentation below which should help:
If your FTP server is more publicly facing, it would absolutely benefit from a number of proper security controls as well, such as strong file-level encryption, permissions, robust logging, firewalls, and whitelists or blacklists. Though I don't think that remote code execution will be a major threat if you follow good security practices, it's worth putting the time and effort into this security, and making sure that you have a number of strong controls in place for a defense-in-depth approach. For a little more information regarding how you might do this, I'm including some additional documentation on a few of these topics below which I hope might help:
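The SFTP jail mentioned in the answer above is normally built from an OpenSSH `Match` block. The following is an added example, not part of the original answer or the linked documentation: it audits sshd_config text for the directives that confine a group to SFTP inside a chroot. The group name `sftponly`, the path `/srv/sftp/%u` and both sample configs are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit sshd_config text for an SFTP-only chroot jail.
# Assumptions: group "sftponly" and path /srv/sftp/%u are illustrative names.

# Constructed config: no chroot or forced command, so the group is not confined.
weak_config() {
cat <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server
Match Group sftponly
    X11Forwarding no
EOF
}

# Constructed config: same group jailed to its own directory, SFTP only.
jailed_config() {
cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Read sshd_config on stdin; print directives the named Match block lacks.
# Returns 0 when the block is a complete jail, 1 otherwise.
audit_sftp_jail() {   # usage: audit_sftp_jail "Group sftponly" < sshd_config
    awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blanks
        { key = tolower($1) }                      # keywords are case-insensitive
        key == "match" { $1 = ""; sub(/^ +/, ""); inblk = ($0 == want); next }
        inblk { val[key] = $2 }
        END {
            if (val["chrootdirectory"] == "")           miss = miss " ChrootDirectory"
            if (val["forcecommand"] != "internal-sftp") miss = miss " ForceCommand"
            if (val["allowtcpforwarding"] != "no")      miss = miss " AllowTcpForwarding"
            if (val["x11forwarding"] != "no")           miss = miss " X11Forwarding"
            if (miss != "") { print substr(miss, 2); exit 1 }
        }'
}

for cfg in weak_config jailed_config; do
    if missing=$("$cfg" | audit_sftp_jail "Group sftponly"); then
        echo "$cfg: jail complete"
    else
        echo "$cfg: missing $missing"
    fi
done
```

sshd also requires every component of the `ChrootDirectory` path to be owned by root and not writable by any other user or group, so uploads go into a user-owned subdirectory inside the jail rather than the jail root itself.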