From owner-freebsd-security Sun Jun 10 07:57:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id BDAA937B40C for ; Sun, 10 Jun 2001 07:56:58 -0700 (PDT) (envelope-from karsten@rohrbach.de)
Received: (qmail 82010 invoked by uid 1000); 10 Jun 2001 14:57:18 -0000
Date: Sun, 10 Jun 2001 16:57:18 +0200
From: "Karsten W. Rohrbach"
To: Glen Foster
Cc: security@freebsd.org
Subject: Re: Q: suiddir on ~ftp/incoming?
Message-ID: <20010610165718.D80709@mail.webmonster.de>
Mail-Followup-To: "Karsten W. Rohrbach", Glen Foster, security@freebsd.org
References: <15138.23131.648658.477266@audio.gfoster.com>
In-Reply-To: <15138.23131.648658.477266@audio.gfoster.com>; from gfoster@gfoster.com on Sat, Jun 09, 2001 at 01:18:19PM -0400
User-Agent: Mutt/1.2.5i
X-Arbitrary-Number-Of-The-Day: 42
X-URL: http://www.webmonster.de/
X-Disclaimer: My opinions do not necessarily represent those of my employer
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

if you need an incoming directory, thinking about mode 0333 is way okay; you should consider writing the files themselves mode 0000 and changing them later when moving them out of incoming and into place. this quenches the w4r3z d00dz pretty effectively.

/k

Glen Foster(gfoster@gfoster.com)@2001.06.09 13:18:19 +0000:
> Standard ftpd on a not-so-old 4.3-S. With the less-than-sterling
> record of more featureful FTP servers, I'd like to find a way to stick
> with old faithful.
>
> Is it a bad idea to make a directory, ~ftp/incoming, with perms=5333,
> on an anonymous FTP server as a "dropbox" for uploading? No untrusted
> shell accounts on the machine in question.
>
> As most who try to provide drop boxes discover, warez d00dz quickly
> find them and manage to fill them up with bit strings that, according
> to some, are worth billions of dollars each and every year. They do
> this by the mechanism of creating a directory that is owned by "ftp,"
> with which and in they can play their little games at will.
>
> The intention is, by enforcing suiddir, the directories and files they
> create won't be listable, thus removing much of the raison d'etre for
> their creation.
>
> Of course, the "filler" will still be able to write, fill up the disk,
> etc. but the hordes who follow after will be dissuaded and not consume
> all your mbufs with their requests.
>
> Anybody done this? Results over time?
>
> Yes, it is a form of STO easily defeated by miscreants keeping a
> directory of uploaded files and sharing it with customers. But, in
> practice, is it worthwhile to do?
>
> Any insight would be appreciated,
> Glen Foster
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
> A Puritan is someone who is deathly afraid that someone, somewhere, is
> having fun.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
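The drop-box policy discussed in this exchange (an incoming directory with mode 0333 so that nobody can list it, uploads landing with mode 0000 so that nobody can read them back, files opened up only when an admin moves them out of incoming and into place), as an added POSIX sh example that is neither from the thread nor from FreeBSD's ftpd. The upload is simulated with `umask 777` in a subshell standing in for the ftpd umask setting; the base directory, the file names and the `release` step are this example's own, and the suiddir/5333 part is only mentioned in a comment because it needs a FreeBSD filesystem mounted with the suiddir option.

```shell
#!/bin/sh
# Added example of the ~ftp/incoming drop-box policy from the thread.
# Not the thread's own script and not part of FreeBSD ftpd; "umask 777"
# below simulates an anonymous upload, and all paths are hypothetical.
set -e

# Create the drop box. 0333 = d-wx-wx-wx: anyone can create a file or reach
# one by exact name, nobody can enumerate what is there. Adding the setuid
# bit (chmod 5333) only does something on a FreeBSD filesystem mounted with
# the suiddir option, where it makes new files owned by the directory owner.
setup_dropbox() {   # setup_dropbox BASE
    mkdir -p "$1/incoming" "$1/pub"
    chmod 0333 "$1/incoming"
    chmod 0755 "$1/pub"
}

# Simulate an anonymous upload (content on stdin). With umask 777 the file is
# created as 0666 & ~0777 = 0000, so even someone who guesses the name cannot
# read it back from the drop box; the open(2) that created it can still write.
upload() {          # upload BASE NAME
    ( umask 777 && cat > "$1/incoming/$2" )
}

# Admin-side release: move a reviewed file into the public tree and only then
# give it a readable mode. rename(2) needs write+search on both directories,
# not read on incoming, so this works on the 0333 directory as well.
release() {         # release BASE NAME
    mv "$1/incoming/$2" "$1/pub/$2"
    chmod 0644 "$1/pub/$2"
}

# Symbolic mode string of a path (first 10 columns of ls -ld), portable
# across GNU and BSD userlands, e.g. "d-wx-wx-wx" or "----------".
mode_str() {        # mode_str PATH
    ls -ld "$1" | cut -c1-10
}

demo() {
    base=$(mktemp -d)
    setup_dropbox "$base"
    printf 'hello\n' | upload "$base" drop.txt
    echo "incoming dir: $(mode_str "$base/incoming")"        # d-wx-wx-wx
    echo "uploaded:     $(mode_str "$base/incoming/drop.txt")" # ----------
    release "$base" drop.txt
    echo "released:     $(mode_str "$base/pub/drop.txt")"     # -rw-r--r--
    # rm -r must read the directory to empty it, so open it up before cleanup.
    chmod 0755 "$base/incoming"
    rm -rf "$base"
}

demo
```

Run it as an unprivileged user to see the listing denial the thread is after: `ls` on the incoming directory fails with EACCES while `cat > incoming/name` still succeeds. Root bypasses those mode checks, which is why the script reports the modes themselves rather than trying to list the directory.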