Date: Sun, 25 Jun 2000 22:46:03 -0600 (MDT)
Message-Id: <200006260446.WAA15773@nomad.yogotech.com>
From: Nate Williams
To: Matt Miller
Cc: Keith Stevenson, Mike Tancsa, Garrett Wollman, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
In-Reply-To: <20000623162955.A72949@daffy.mics.net>

> > > What about
> > >
> > > --enable-paranoid
> > >
> > > as part of the config? As so much seems to be related to the site exec
> > > command, perhaps it's best to just disable this?
> >
> > While I'm all for actually fixing the problems in the code, I've found
> > the --enable-paranoid option to be a good one. I've been tinkering around
> > with the exploit and the paranoid option seems to defend against it. I don't
> > think that any of my users will miss the SITE EXEC commands.
> >
>
> If one were interested in improving the ftpd which ships with the base
> system, which features would make it a viable replacement for those
> currently running wu-ftpd?

I'll add a couple.

1) The ability to limit the # of active anonymous connections in a
   simple manner.

2) The ability to create an upload directory where files are
   automatically chown/chmod'd to a different user, so that it can't be
   used as a warez site.

3) The ability to be easily chrooted for paranoia.

Nate