Date: Tue, 5 Sep 2000 05:40:04 -0700 (PDT)
From: "Chris D. Faulhaber" <jedgar@fxp.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/20993: many ftpd commands not limited to logins
Message-ID: <200009051240.FAA09206@freefall.freebsd.org>

The following reply was made to PR bin/20993; it has been noted by GNATS.

From: "Chris D. Faulhaber" <jedgar@fxp.org>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/20993: many ftpd commands not limited to logins
Date: Tue, 5 Sep 2000 08:30:16 -0400 (EDT)

On Tue, 5 Sep 2000, Sheldon Hearn wrote:

>
>
> On Tue, 05 Sep 2000 07:43:21 -0400, "Chris D. Faulhaber" wrote:
>
> > > This would need to spend a _long_ time in CURRENT before being merged
> > > into RELENG_4.
> > >
> >
> > Ummm, ok. The changes are quite trivial, though.
>
> The deltas are small and simple, but the potential impact is not
> trivial. How much time have you spent investigating what this will do
> to various software packages that rely on the current behaviour?
>
> I realize that several other FTP daemons behave as you propose that ours
> should. I just don't think that we should rush the merge into STABLE,
> especially since this doesn't seem to fix any glaring security holes.
>

a) none of the commands affected should be used if a user is not logged
   in, and the patch does not change the behaviour of commands once a
   user is authenticated

b) all changes were taken from OpenBSD

c) we currently allow the SYST command to be issued to anyone who
   connects (comments about which prompted me to make these changes),
   which some may not realize (and others may view as a security concern)

d) Works Here[tm] (ok, lame excuse)

e) if these changes are unwanted, I'll gladly close the PR and save the
   gnats bloat.

-----
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message