From owner-freebsd-questions Tue Dec 18 10:54:46 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from catalyst.sasknow.net (catalyst.sasknow.net [207.195.92.130])
	by hub.freebsd.org (Postfix) with ESMTP id 3F3D737B41B
	for ; Tue, 18 Dec 2001 10:54:29 -0800 (PST)
Received: from localhost (ryan@localhost)
	by catalyst.sasknow.net (8.11.6/8.11.6) with ESMTP id fBIIuLP32354;
	Tue, 18 Dec 2001 12:56:21 -0600 (CST)
	(envelope-from ryan@sasknow.com)
X-Authentication-Warning: catalyst.sasknow.net: ryan owned process doing -bs
Date: Tue, 18 Dec 2001 12:56:21 -0600 (CST)
From: Ryan Thompson
X-X-Sender:
To: Rakesh Prajapati
Cc:
Subject: Re: Anonymous ftp , passwd , group file
In-Reply-To:
Message-ID: <20011218125036.J30898-100000@catalyst.sasknow.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Rakesh Prajapati wrote to freebsd-questions@FreeBSD.ORG:

> Hi,
>
> I have a security related question.
>
> I am running FreeBSD 4.2 RELEASE and I am allowing Anonymous ftp to the
> outside world. This box is setup at home.
>
> [...]
>
> What worries me is the presence of 2 files passwd and group in
> /var/ftp/etc directory.
>
> I am assuming these files exist to authenticate login who don't
> login anonymously.

Nope. passwd and group are only used to map uids and gids to usernames
and group names, with anonymous ftp. Passwd contains the username and
uid of everyone on the system, which may be a potential security risk,
giving a would-be attacker the names of users on your system to attempt
to hack. However, NO passwords (not even encrypted passwords) are stored
in passwd, which should be world readable.

> root:*:0:0:Charlie &:/root:/bin/csh
       ^-- no password is stored

Actual login auth for real users is done through /etc/spwd.db, which is
readable only by root.

You can safely remove /var/ftp/etc/passwd, if you don't mind having
anonymous users see only the uid for file ownership. You can remove
group, too. A good thing to do, if you want anon ftp users to see
usernames, is to make a special, separate password database that only
contains entries for, say, root, ftp, and any other users that write to
the anonymous ftp directory.

> Can these files be a security threat in some way?????
> ------------------------------------------------
>
> The /var/ftp/etc/passwd and /var/ftp/etc/group files look like the usual
> /etc/passwd and /etc/group files.

They ARE copies of /etc/passwd and /etc/group :-)

- Ryan

--
  Ryan Thompson
  Network Administrator, Accounts
  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161  Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
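The reply suggests giving the anonymous ftp chroot a separate, minimal passwd and group pair that names only root, ftp and the accounts that write into the ftp tree, so that uid/gid mapping still works without listing every user on the box. The script below is an added example of how to produce such a pair, not code from the mail or from FreeBSD. It assumes the chroot wants the same flat-text formats the mail shows (a 7-field passwd line and a 4-field group line), takes the source files and the account names as arguments, forces every password field to `*`, empties group member lists, and includes a check that no password hash slipped into the output. The sample input is constructed, not copied from any real system.

```shell
#!/bin/sh
# Added example (not from the original message): build a minimal passwd and
# group pair for an anonymous ftp chroot.  Assumptions: flat-text formats as
# shown in the mail; file paths and the account list are supplied by the caller.

# Print passwd entries for the named users only, password field forced to '*'.
#   usage: ftp_passwd SRC_PASSWD user...
ftp_passwd() {
    src=$1; shift
    keep=" $* "
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$keep" in
            *" $name "*) printf '%s:*:%s:%s:%s:%s:%s\n' \
                             "$name" "$uid" "$gid" "$gecos" "$home" "$shell" ;;
        esac
    done < "$src"
}

# Print group entries whose gid is the primary group of a kept passwd entry,
# with the member list emptied so no other usernames leak through group.
#   usage: ftp_group SRC_GROUP FTP_PASSWD
ftp_group() {
    src=$1; pw=$2
    gids=" $(cut -d: -f4 "$pw" | tr '\n' ' ')"
    while IFS=: read -r gname gpw gid members; do
        case "$gids" in
            *" $gid "*) printf '%s:*:%s:\n' "$gname" "$gid" ;;
        esac
    done < "$src"
}

# Return 0 if every password field in FILE is '*' (nothing hash-like), else 1.
#   usage: no_hashes FILE
no_hashes() {
    ! cut -d: -f2 "$1" | grep -qv '^\*$'
}

# Constructed sample input (not any real system's files).  The 'alice' line
# carries a fake hash to show what the check is for.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/usr/sbin/nologin
alice:$1$salt$notarealhash:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1001:Bob:/home/bob:/bin/sh
EOF
    cat > "$d/group" <<'EOF'
wheel:*:0:root,alice
daemon:*:1:daemon
operator:*:5:root
users:*:1001:alice,bob
EOF
    echo "$d"
}

# Demonstration: keep root, ftp and one uploader; bob and daemon are left out.
d=$(make_sample)
ftp_passwd "$d/passwd" root ftp alice > "$d/ftp_passwd"
ftp_group "$d/group" "$d/ftp_passwd" > "$d/ftp_group"
cat "$d/ftp_passwd" "$d/ftp_group"
no_hashes "$d/ftp_passwd" && echo "ok: no password hashes in generated passwd"
rm -rf "$d"
```

On a real box you would point `ftp_passwd` at `/etc/passwd` and write the results into the chroot's `etc` directory; the `no_hashes` check is worth running on whatever ends up there, since the danger the mail describes is not the copied passwd itself but the habit of copying the wrong file.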