From owner-freebsd-security Tue Jul 7 00:17:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA13485 for freebsd-security-outgoing; Tue, 7 Jul 1998 00:17:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA13475 for ; Tue, 7 Jul 1998 00:17:04 -0700 (PDT) (envelope-from root@implode.root.com)
Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id AAA21226; Tue, 7 Jul 1998 00:17:03 -0700 (PDT)
Message-Id: <199807070717.AAA21226@implode.root.com>
To: rotel@indigo.ie
cc: "Allen Smith" , security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-reply-to: Your message of "Tue, 07 Jul 1998 03:17:54 -0000." <199807070217.DAA02400@indigo.ie>
From: David Greenman
Reply-To: dg@root.com
Date: Tue, 07 Jul 1998 00:17:03 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>On Jul 6, 4:45pm, David Greenman wrote:
>} Subject: Re: bsd securelevel patch question
>>
>> I think you are missing what I'm saying. Again, I'm saying that the FTP
>> client is the thing that initiates the passive mode (via the PASV command) -
>> not the server and thus your suggestion to "just use passive FTP on the
>> server" to get around needing privileged-port bind()s in the server is
>> simply not an option.
>
>Right, what I meant was to provide the option of disabling the PORT
>command. Yes, I know this will confuse people and break things,
>but I think it's a reasonable choice to offer the administrator.

   Sorry, that's just a silly recommendation. Period.

>I wonder if initiating active mode data connections from an undefault
>(!) data port would break much. I notice /usr/bin/ftp doesn't
>"authenticate" this, in fact it doesn't even check the peer's IP,
>maybe this is something to do with not breaking FTP proxies; I
>don't know how they work. At least a warning would be appropriate
>though?

   That might work for _some_ clients.

>> > As for the security, I'd
>> >prefer to allow connects in to the ftp servers on ports I know it
>> >will be listening on rather than having a machine inside the DMZ
>> >initiating TCP connections; having said that, FreeBSD's ftp daemon
>> >currently accepts connections on ports it is listening on from any
>> >IP, in accordance with the FTP RFC, but this is inconsistent with
>> >the behaviour of the PORT command in paranoid mode which will only
>> >connect to the IP of the control channel peer. What do you think
>> >of patching this?
>>
>> Are you talking about the data port listens that ftpd does when it is
>> operating in passive mode? If so, then you're wrong - ftpd listens for the
>> control channel IP address.
>
>No it doesn't; check dataconn() in ftpd.c, it simply accepts the
>connection after using select for timeout. The "authentication"
>for PORT occurs as part of parsing the PORT command in host_port in
>ftpcmd.y

   What does accept() have to do with how the socket is bind()ed? (Answer:
absolutely nothing.) The bind() and listen() occur in the passive() function,
which very definitely sets the ctrl_addr as the listen address. I also don't
know what you're talking about regarding the PORT command in passive mode
since these are mutually exclusive.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
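As an added example (not ftpd's code, nor anything posted in this thread), the distinction the reply draws: bind() fixes the passive listener's local address from the control connection, while the peer that accept() returns is a separate question, checked here against the control channel peer the way the thread describes PORT being checked in paranoid mode. The function names (pasv_bind_addr, data_peer_matches_ctrl, pasv_listen) and the sample addresses are this example's own.

```c
/* Added example, not ftpd's code. Separates what bind() decides (the local
 * listen address, taken from the control connection) from what accept()
 * returns (the remote peer), and adds the peer check on the passive data
 * connection. Function names are the example's own; builds on Linux and BSD. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen address for passive mode: the control connection's local IP
 * (as passive() does with ctrl_addr) with port 0, so the kernel picks an
 * unprivileged ephemeral port and no privileged bind() is needed. */
void pasv_bind_addr(const struct sockaddr_in *ctrl_local, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_addr = ctrl_local->sin_addr;
    out->sin_port = htons(0);
}

/* "Paranoid" check after accept(): the data peer must be the same host as
 * the control channel peer (the PORT-style check, applied to PASV).
 * Returns 1 when the peer matches, 0 otherwise. */
int data_peer_matches_ctrl(const struct sockaddr_in *ctrl_peer,
                           const struct sockaddr_in *data_peer)
{
    return data_peer->sin_family == AF_INET &&
           data_peer->sin_addr.s_addr == ctrl_peer->sin_addr.s_addr;
}

/* socket()/bind()/listen() for passive mode. *bound receives the address
 * and port the kernel chose (what the 227 reply would carry).
 * Returns the listening fd, or -1 on error. */
int pasv_listen(const struct sockaddr_in *ctrl_local, struct sockaddr_in *bound)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof *bound;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    pasv_bind_addr(ctrl_local, &sa);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)bound, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

After accept() on the fd from pasv_listen, the caller passes the peer address to data_peer_matches_ctrl and closes the data connection when it returns 0.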