Date: Sat, 3 Nov 2001 00:56:05 -0600 (CST) From: Anatoly Karp <karp@math.wisc.edu> To: FreeBSD-gnats-submit@freebsd.org Subject: docs/31720: man ftpd(8) omits potentially crucial security warning Message-ID: <200111030656.fA36u5M39966@rust098-017.resnet.wisc.edu>
next in thread | raw e-mail | index | archive | help
>Number: 31720
>Category: docs
>Synopsis: man ftpd(8) omits potentially crucial security warning
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 02 23:00:02 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Anatoly Karp
>Release: FreeBSD 4.4-STABLE i386
>Organization:
private
>Environment:
System: FreeBSD rust098-017.resnet.wisc.edu 4.4-STABLE FreeBSD 4.4-STABLE #1: Wed Oct 31 03:26:58 CST 2001 karp@rust098-017.resnet.wisc.edu:/usr/obj/usr/src/sys/TOL_KERN6 i386
>Description:
Man ftpd(8) suggests giving ~ftp/pub directory the permission
bits of 777 without adequately explaining potentially
unpleasant security implications of such a step. It is
suggested that
>How-To-Repeat:
$ man ftpd
[snip]
~ftp/pub Make this directory mode 777 and owned by ``ftp''.
Guests can then place files which are to be accessible
via the anonymous account in this directory.
[snip]
>Fix:
Change the corresponding paragraph to, say:
~ftp/pub Make this directory mode 700 and owned by ``ftp''.
Making this directory world-writable will
open you to a variety of DoS attacks as
well as being used for warez.
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200111030656.fA36u5M39966>