Debian GNU/Linux 9.5, ISPConfig 3.1.11. I noticed from Tiger auditing report that pure-ftpd is running as web user, not as root. And indeed: Code: # ps -ef | grep -i pure root 5336 1 0 loka16 ? 00:00:00 pure-ftpd (SERVER) web86 6549 5336 0 02:30 ? 00:00:00 pure-ftpd (IDLE) root 6550 6549 0 02:30 ? 00:00:00 pure-ftpd (PRIV) root 25379 10610 0 14:41 pts/0 00:00:00 grep -i pure web86 28437 5336 0 loka17 ? 00:00:00 pure-ftpd (IDLE) root 28438 28437 0 loka17 ? 00:00:00 pure-ftpd (PRIV) Why is this? Should I disable that website or ftp account?
I have not noticed that yet but it might be ok nonetheless. Maybe there is active FTP session at the moment to that site and pure-ftpd spans an instance of itself under that user then.