Date: 12 Sep 2001 14:13:42 -0400
From: Vivek Khera <khera@kcilink.com>
To: questions@freebsd.org
Subject: Re: anonymous-ftp cracked
Message-ID: <x7ofogwa3t.fsf@onceler.kciLink.com>
In-Reply-To: <Pine.BSF.4.33.0109121056240.98278-100000@q.closedsrc.org>
References: <Pine.BSF.4.33.0109121056240.98278-100000@q.closedsrc.org>
>>>>> "LP" == Linh Pham <lplist@closedsrc.org> writes:
LP> Wouldn't it be that _write_ access should be removed from the folder
LP> rather than read access?
Then what's the point of having an incoming directory?!?!?
Here's how I configure my ~ftp tree:
[yertle]% ls -la ~ftp
total 6
dr-xr-xr-x 5 root ftp 512 Dec 27 2000 ./
drwxr-xr-x 24 root wheel 512 Aug 15 12:17 ../
-rw-r--r-- 1 root ftp 171 Dec 27 2000 .login_conf
dr-xr-xr-x 2 root ftp 512 Dec 15 2000 etc/
drwxrwx-wx 3 root user 512 Sep 12 14:01 incoming/
dr-xrwxr-x 2 ftp user 512 Sep 10 16:11 pub/
[yertle]% cat ~ftp/.login_conf
# make it so that anonymous ftp uploads are not readable by the ftp user!
# files are only readable by the group who owns the directory.
me:\
:umask=0707:\
:tc=default:
in the etc directory, I have a dummy master.passwd file containing
blank entries for root and ftp, and this is run thru pwd_mkdb and
everything but pwd.db deleted. There's also a skeleton group file, so
listings look nice and pretty.
The .login_conf file makes it so that any incoming files have these
permissions: ----rw----, making it impossible for losers to use you as
a free distribution site. Just clean out the incoming directory on
occasion, because these idiots are persistent. I make the incoming
directory group user so normal users can fetch the files out from
there easily.
This is the most secure I've been able to make the FreeBSD ftp
server. I *really* wish it would spew out ~ftp/etc/motd and/or the
various .message files like wu-ftpd did, since I'd rather not expose
myself to wu-ftpd again.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/
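The following is an added example, not part of Vivek's post or of FreeBSD's ftpd. It rebuilds the ~ftp layout from the listing above in a scratch directory (no root and no ftpd needed, so the root/ftp/user ownerships are not reproduced, only the modes), simulates an upload the way ftpd's STOR creates a file (mode 0666 masked by the session umask), and audits the tree for the two things the post is guarding against: uploads that anyone other than the owning group can read, and directory modes that would let anonymous users list incoming or write to pub. The filenames warez.zip and leaked.iso are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post): recreate the umask-based
# anonymous ftp layout in a scratch directory and audit it.

# make_ftp_tree ROOT: create ROOT/{etc,incoming,pub} with the modes shown
# in the post's "ls -la ~ftp" listing and write the .login_conf it uses.
make_ftp_tree() {
    mkdir -p "$1/etc" "$1/incoming" "$1/pub"
    chmod 0555 "$1/etc"       # dr-xr-xr-x
    chmod 0773 "$1/incoming"  # drwxrwx-wx : anonymous can write but not list
    chmod 0575 "$1/pub"       # dr-xrwxr-x : anonymous can read but not write
    # Same umask line the post puts in ~ftp/.login_conf for the ftp class.
    printf 'me:\\\n\t:umask=0707:\\\n\t:tc=default:\n' > "$1/.login_conf"
}

# simulate_upload DIR NAME UMASK: create an empty file the way ftpd's STOR
# would, i.e. mode 0666 masked by the session umask. The subshell keeps the
# umask change from leaking into the caller.
simulate_upload() {
    ( umask "$3" && : > "$1/$2" )
}

# perm_string PATH: the 10-character mode column from ls -ld (e.g. ----rw----).
# Portable where stat(1) flags are not (GNU stat -c vs BSD stat -f).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# world_readable_files ROOT: print regular files under ROOT whose
# others-read bit is set. These are the files that turn an incoming
# directory into a free distribution site. Returns 0 if there are none.
world_readable_files() {
    found=$(find "$1" -type f -perm -004 -print)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# audit_ftp_tree ROOT: 0 if incoming is not listable by others, pub is not
# writable by others, and no upload in incoming is world-readable.
audit_ftp_tree() {
    status=0
    case $(perm_string "$1/incoming") in
        ???????r??) echo "incoming is listable by anonymous users"; status=1 ;;
    esac
    case $(perm_string "$1/pub") in
        ????????w?) echo "pub is writable by anonymous users"; status=1 ;;
    esac
    world_readable_files "$1/incoming" >/dev/null ||
        { echo "world-readable uploads in incoming"; status=1; }
    return $status
}

# demo: build the tree, upload one file with the post's umask and one with
# a typical default umask, and show what the audit catches.
demo() {
    root=$(mktemp -d)
    make_ftp_tree "$root"
    simulate_upload "$root/incoming" warez.zip 0707    # ftp class umask from the post
    simulate_upload "$root/incoming" leaked.iso 022    # what a default umask would give
    perm_string "$root/incoming/warez.zip"             # ----rw----
    perm_string "$root/incoming/leaked.iso"            # -rw-r--r--
    audit_ftp_tree "$root" || echo "audit failed: leaked.iso is world-readable"
    rm -rf "$root"
}

demo
```

Run it as any user; the only file that needs a group-readable check is one ftpd would have created, and the 0707 mask yields exactly the ----rw---- mode the post describes, while the 022 upload is what the audit flags when cleaning out incoming.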
