From owner-freebsd-bugs Tue Sep 5 5:40: 7 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 7DD3237B440
	for ; Tue, 5 Sep 2000 05:40:04 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id FAA09206;
	Tue, 5 Sep 2000 05:40:04 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Date: Tue, 5 Sep 2000 05:40:04 -0700 (PDT)
Message-Id: <200009051240.FAA09206@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: "Chris D. Faulhaber"
Subject: Re: bin/20993: many ftpd commands not limited to logins
Reply-To: "Chris D. Faulhaber"
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR bin/20993; it has been noted by GNATS.

From: "Chris D. Faulhaber"
To: Sheldon Hearn
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/20993: many ftpd commands not limited to logins
Date: Tue, 5 Sep 2000 08:30:16 -0400 (EDT)

On Tue, 5 Sep 2000, Sheldon Hearn wrote:

>
>
> On Tue, 05 Sep 2000 07:43:21 -0400, "Chris D. Faulhaber" wrote:
>
> > > This would need to spend a _long_ time in CURRENT before being merged
> > > into RELENG_4.
> > >
> >
> > Ummm, ok. The changes are quite trivial, though.
>
> The deltas are small and simple, but the potential impact is not
> trivial. How much time have you spent investigating what this will do
> to various software packages that rely on the current behaviour?
>
> I realize that several other FTP daemons behave as you propose that ours
> should. I just don't think that we should rush the merge into STABLE,
> especially since this doesn't seem to fix any glaring security holes.
>

a) none of the commands affected should be used if a user is not logged
   in, and the patch does not change the behaviour of commands once a
   user is authenticated
b) all changes were taken from OpenBSD
c) we currently allow the SYST command to be issued to anyone who
   connects (comments about which prompted me to make these changes),
   which some may not realize (and others may view as a security concern)
d) Works Here[tm] (ok, lame excuse)
e) if these changes are unwanted, I'll gladly close the PR and save the
   gnats bloat.

-----
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
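
An added example, not part of the original message or of the FreeBSD patch: a small audit that reads an FTP control-channel transcript and reports commands that got a positive reply before login, which is the SYST behaviour point (c) describes. The transcript, the "C:"/"S:" line format, the host name and the pre-login allowlist are assumptions made for the illustration.

```python
import re

# Assumption: only these commands are acceptable before login; adjust to local policy.
PRE_AUTH_ALLOWED = {"USER", "PASS", "QUIT"}

# Constructed transcript ("C:" client line, "S:" server reply), not captured from a real server.
SAMPLE = """\
S: 220 ftp.example.test FTP server ready.
C: SYST
S: 215 UNIX Type: L8
C: STAT
S: 530 Please login with USER and PASS.
C: USER alice
S: 331 Password required for alice.
C: PASS secret
S: 230 User alice logged in.
C: SYST
S: 215 UNIX Type: L8
"""

REPLY = re.compile(r"^(\d{3})([ -])")  # reply code, then ' ' (final line) or '-' (continuation)

def audit(transcript, allowed=PRE_AUTH_ALLOWED):
    """Return [(command, reply_code)] for commands outside `allowed` that got a
    positive (1xx-3xx) reply before the session was authenticated."""
    findings = []
    logged_in = False
    pending = None  # last client command still waiting for its final reply
    for line in transcript.splitlines():
        tag, _, text = line.partition(": ")
        if tag == "C":
            words = text.split()
            pending = words[0].upper() if words else None
        elif tag == "S":
            m = REPLY.match(text)
            if not m or m.group(2) == "-":
                continue  # skip non-final lines of a multi-line reply
            code = int(m.group(1))
            if pending in ("USER", "PASS") and code == 230:
                logged_in = True  # 230 marks a completed login
            elif pending and not logged_in and pending not in allowed and code < 400:
                findings.append((pending, code))
            pending = None
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
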