From owner-freebsd-security Sun Oct 13 15:19:54 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA08711 for security-outgoing; Sun, 13 Oct 1996 15:19:54 -0700 (PDT)
Received: from sdev.usn.blaze.net.au (sdev.usn.blaze.net.au [203.17.53.19]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA08685 for ; Sun, 13 Oct 1996 15:19:23 -0700 (PDT)
Received: from localhost (davidn@localhost) by sdev.usn.blaze.net.au (8.7.6/8.6.9) with SMTP id IAA22952; Mon, 14 Oct 1996 08:16:24 +1000 (EST)
Date: Mon, 14 Oct 1996 08:16:23 +1000 (EST)
From: David Nugent
Reply-To: davidn@blaze.net.au
To: Peter Childs
cc: Antonio Navarro Navarro, freebsd-security@FreeBSD.org
Subject: Re: Restricted access via FTP
In-Reply-To: <199610101916.EAA01749@al.imforei.apana.org.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 11 Oct 1996, Peter Childs wrote:

> I suggest either finding these, or just modifying wu-ftpd yourself
> so that it "chroot"'s into users' home directories when they log in
> with ftp. You'll need to remember that if they do chroot then they
> require accessible copies of "ls" and stuff like that.
>
> Perhaps you should make it so that it "chroot"'s to /home and then
> have a /home/bin with static binaries users might require for
> ftp (like ls)

I recall seeing some wu-ftp patches that implemented built-in ls,
which would seem to get around this shortfall and also offered a
minor boost to performance on very loaded servers. The only thing
the user loses on in using this with no special copying of files
(which has its own security risks attached - wonder who would place
a nice bomb in ~username/bin/ls some time?) would be the gzip/tar
capability in wu-ftp. I doubt many would really miss it for non-anon
use.

Sorry I can't be more specific about the location of the patches,
but at the time I didn't need them and didn't take any special note.

David Nugent, Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-791-9547  Data/BBS +61-3-792-3507  3:632/348@fidonet
davidn@blaze.net.au  http://www.blaze.net.au/~davidn
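
An added example of the two ideas discussed in this thread, not part of the original message and not wu-ftpd code: confining a logged-in user with chroot() and producing the directory listing inside the server process, so no ls binary has to be copied into (or trusted inside) the jail. The names `enter_jail` and `builtin_ls` and the "type size name" output format are assumptions made for this example.

```c
#define _DEFAULT_SOURCE /* chroot(), setgroups(), fstatat() on glibc */
#include <dirent.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: chroot() needs root, so it runs before the uid/gid drop. */
int enter_jail(const char *home, uid_t uid, gid_t gid)
{
    if (chroot(home) != 0 || chdir("/") != 0) /* cwd must end up inside the jail */
        return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

/* Hypothetical built-in "ls": lists `dir` in-process, one "type size name\n"
 * line per entry; returns the entry count, or -1 on error or if out is too small. */
int builtin_ls(const char *dir, char *out, size_t outlen)
{
    DIR *d;
    struct dirent *e;
    struct stat st;
    size_t used = 0;
    int count = 0;

    if (outlen == 0 || (d = opendir(dir)) == NULL)
        return -1;
    out[0] = '\0';
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (fstatat(dirfd(d), e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0)
            continue; /* NOFOLLOW: report a symlink itself, never its target */
        char t = S_ISDIR(st.st_mode) ? 'd' : S_ISLNK(st.st_mode) ? 'l' : '-';
        int n = snprintf(out + used, outlen - used, "%c %lld %s\n", t,
                         (long long)st.st_size, e->d_name);
        if (n < 0 || (size_t)n >= outlen - used) {
            closedir(d);
            return -1;
        }
        used += (size_t)n;
        count++;
    }
    closedir(d);
    return count;
}
```

A server would call `enter_jail` once after authentication and serve every LIST request through `builtin_ls`, so the jail needs no bin directory that a user could tamper with.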