Date:      Mon, 09 Jun 1997 11:44:42 -0700
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        Adam Shostack <adam@homeport.org>
Cc:        cschuber@uumail.gov.bc.ca, darkstar@telcentral.net, dg@root.com, yossman@yoss.canweb.net, security@FreeBSD.ORG
Subject:   Re: ftpd security weakness on FreeBSD (fwd) 
Message-ID:  <199706091844.LAA10915@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Mon, 09 Jun 1997 12:05:41 EDT." <199706091605.MAA26597@homeport.org> 

Wuftpd has some significant security holes in it, especially the realdir()
hole, allowing remote exploit of root.  The FreeBSD ftp daemon would be
much more secure for sites that wish to offer ftp access to local users.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

		"Quit spooling around, JES do it."

> I considered suggesting anonftpd (or Ranum's aftpd, which has more
> traditional messages).  I did not because a lot of people want to be
> able to ftp inwards, and the anon only option seems a bit more
> restrictive than is freebsd's bent.
> 
> I wouldn't oppose it as long as the docs suggested an upgrade path of
> (a/anon) -> logdaemon -> WUftpd as need for capabilities increases.
> 
> Adam
> 
> 
> Cy Schubert - ITSD Open Systems Group wrote:
> | Another good ftpd daemon is anonftpd.  It only supports anonymous ftp and a
> | subset of features.  Sites offering an anonymous ftp service could use the
> | anonftpd daemon for anonymous use while running the FreeBSD daemon (or
> | better yet the Kerberos V daemon) behind a TCP/Wrapper off another port.
> 
> 
> -- 
> "It is seldom that liberty of any kind is lost all at once."
> 					               -Hume
> 
> 


