From: "xlr82xs"
To: "Defryn, Guy", "'questions@freebsd.org'"
Subject: Re: FTP server on freebsd
Date: Mon, 10 Jun 2002 16:34:18 +1000
List: freebsd-questions

Well, actually the "/etc" folder displayed in the root of the ftp service when you log on as an anonymous user (I think it ends up in /var/ftp/ by default) isn't the real etc, and the password file in there isn't the real /etc/passwd file.

But since fbsd shadows the password file anyway :/ I think as it stands everyone has read access to /etc/passwd because no password hashes are kept in there anyway. The actual encrypted passwords are stored in /etc/master.passwd, which is only readable by root, so being able to read passwd as an anonymous ftp user is fine.

The only real security "problem" with anonymous ftp access is that people may use your server to host warez/porn/whatever if you allow uploads.

HOWEVER if you allow users ftp access it should be noted that passwords for ftp are transmitted in plain text and may be sniffed. Also there are various exploits and other issues for the various ftp servers around but you can go and look that up for the specific ftpd you are running...

----- Original Message -----
From: Defryn, Guy
To: 'questions@freebsd.org'
Sent: Monday, June 10, 2002 7:06 AM
Subject: FTP server on freebsd

Hi there,

I have configured my freebsd machine with ftp access. However, I have a feeling that it is not very secure. When I set it up with the default settings I see the /etc/ folder and it has a passwd file in it.

Are there any documents available on securing FTP? I can't seem to find it on the freebsd website.

Cheers
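
An added example, not part of either message in this thread: a small sh audit of the points the reply raises (the passwd copy under the FTP root should hold no hashes, no shadow file should be copied there, and world-writable directories are where uploads land). The function names are hypothetical, the FTP root is passed as an argument (the reply guesses /var/ftp), and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: the anonymous-FTP root is passed as $1 (the reply guesses /var/ftp).

# Names in a passwd-format file whose password field holds a real value
# instead of a placeholder ("*...", "x" or empty).
hash_entries() {
    awk -F: '!/^#/ && NF >= 7 && $2 != "" && $2 != "x" && $2 !~ /^\*/ { print $1 }' "$1"
}

# Shadow-style files that should never be copied into the FTP root.
shadow_copies() {
    for f in master.passwd spwd.db; do
        if [ -e "$1/etc/$f" ]; then echo "etc/$f"; fi
    done
}

# World-writable directories: where anonymous uploads could land.
writable_dirs() {
    (cd "$1" && find . -type d -perm -0002)
}

# Print findings; return 1 if there are any, 0 if the tree is clean.
audit_ftp_root() {
    root=$1; rc=0
    if [ -f "$root/etc/passwd" ]; then
        for u in $(hash_entries "$root/etc/passwd"); do
            echo "hash in etc/passwd: $u"; rc=1
        done
    fi
    for f in $(shadow_copies "$root"); do echo "shadow file present: $f"; rc=1; done
    for d in $(writable_dirs "$root"); do echo "world-writable dir: $d"; rc=1; done
    return $rc
}

# Constructed sample tree for trying the audit; none of it is real data.
make_sample() {
    mkdir -p "$1/etc" "$1/pub" "$1/incoming"
    chmod 755 "$1" "$1/etc" "$1/pub"; chmod 777 "$1/incoming"
    printf '%s\n' 'root:*:0:0:Charlie &:/:/usr/sbin/nologin' \
        'ftp:*:14:5:Anonymous FTP:/var/ftp:/usr/sbin/nologin' \
        'bob:$1$constructed$notahash:1001:1001:Bob:/home/bob:/bin/sh' \
        > "$1/etc/passwd"
}

if [ $# -gt 0 ]; then audit_ftp_root "$1"; fi
```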