Date: Mon, 15 Aug 2005 22:44:12 -0400
From: Aaron Peterson <dopplecoder@gmail.com>
To: stephen honea <stephen_honea@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ftp security
Message-ID: <45d750d205081519447090b374@mail.gmail.com>
In-Reply-To: <20050816023109.59234.qmail@web52401.mail.yahoo.com>
References: <20050816023109.59234.qmail@web52401.mail.yahoo.com>
On 8/15/05, stephen honea <stephen_honea@yahoo.com> wrote:
> I read http://www.freebsddiary.org/ftp-anonymous.php to try and secure my ftp server.
> The author suggested to add a line to my fstab:
>
> /dev/ad2s2f /home/ftp/incoming ufs rw,SUIDDIR 2 2
>
> however i don't have the file ad2s2f in my /dev directory
>
> # Device        Mountpoint      FStype  Options     Dump  Pass#
> /dev/ad0s1b     none            swap    sw          0     0
> /dev/ad0s1a     /               ufs     rw          1     1
> /dev/ad0s1e     /tmp            ufs     rw          2     2
> /dev/ad0s1f     /usr            ufs     rw          2     2
> /dev/ad0s1d     /var            ufs     rw          2     2
> /dev/acd0       /cdrom          cd9660  ro,noauto   0     0
> #/dev/ad0s      /ftp/incoming   ufs     rw,SUIDDIR  2     2
>
> [root]/etc-
>
> i don't really understand the fstab but I gather
> ad0s1 is the drive and a-f is the partitions created at boot time
>
> basically i am trying to sticky a directory mounted by fstab

Yes, if you didn't create a partition /dev/ad2s2f then you can't mount it or put it in fstab, because it doesn't exist.

I think you are mistaken that you are trying to turn on the sticky bit, since you don't need a separate partition for that by itself. There are other security features that go along with mounting the filesystem with the SUIDDIR option. An excerpt from "man mount":

     suiddir  A directory on the mounted file system will respond to
              the SUID bit being set, by setting the owner of any new
              files to be the same as the owner of the directory.  New
              directories will inherit the bit from their parents.
              Execute bits are removed from the file, and it will not
              be given to root.

              This feature is designed for use on fileservers serving
              PC users via ftp, SAMBA, or netatalk.  It provides secu-
              rity holes for shell users and as such should not be used
              on shell machines, especially on home directories.  This
              option requires the SUIDDIR option in the kernel to work.
              Only UFS file systems support this option.  See chmod(2)
              for more information.
This requires planning ahead on your filesystem though, so that you have space to create a separate partition for /home/ftp/incoming in your case. You could add another hard disk, or perhaps find a way to rearrange your existing space. It is usually easiest to set this stuff up at install time though...

Aaron
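The two mistakes in the thread (an fstab line naming a device node that was never created, and a commented-out entry that therefore never mounts) are easy to catch before rebooting. The following is an added example, not code from Aaron's reply or from the freebsddiary article: a small POSIX sh/awk check that looks for an active UFS entry for a given mountpoint carrying the suiddir option, and reports why it is not there. The two fstab samples are constructed from the one in the quoted message; the "after" sample assumes a partition named /dev/ad2s2f has actually been created and newfs'd, which is an assumption taken from the article, not a fact about the poster's machine.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check an fstab for the
# kind of entry the freebsddiary article asks for, i.e. a dedicated UFS
# filesystem mounted on the ftp incoming directory with the suiddir option.
#
# fstab_has_suiddir_mount FSTAB_TEXT MOUNTPOINT
#   exit 0 - an active (uncommented) ufs entry for MOUNTPOINT has suiddir
#   exit 1 - no active entry for MOUNTPOINT at all (the poster's situation:
#            the only candidate line is commented out)
#   exit 2 - entry exists but is not ufs (mount(8) says suiddir is UFS-only)
#   exit 3 - ufs entry exists but its options lack suiddir
# The device name is printed so the caller can confirm the node exists
# (ls -l /dev/...) before trying to mount it.
fstab_has_suiddir_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[ \t]*#/ { next }                      # comment line
        NF < 4     { next }                      # blank or malformed line
        $2 == mp {
            found = 1
            if ($3 != "ufs") { print "not ufs (" $3 "): " $1; exit 2 }
            # option names are compared case-insensitively (rw,SUIDDIR vs rw,suiddir)
            n = split(tolower($4), opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "suiddir") { print "ok: " $1 " on " mp " with " $4; exit 0 }
            print "no suiddir option: " $1 " " $4; exit 3
        }
        END { if (!found) { print "no active entry for " mp; exit 1 } }
    '
}

# Constructed sample 1: the fstab as posted, where the incoming-directory line
# is commented out (and names a device that does not exist).
FSTAB_BEFORE='# Device      Mountpoint      FStype  Options     Dump  Pass#
/dev/ad0s1b   none            swap    sw          0     0
/dev/ad0s1a   /               ufs     rw          1     1
/dev/ad0s1e   /tmp            ufs     rw          2     2
/dev/ad0s1f   /usr            ufs     rw          2     2
/dev/ad0s1d   /var            ufs     rw          2     2
/dev/acd0     /cdrom          cd9660  ro,noauto   0     0
#/dev/ad0s    /ftp/incoming   ufs     rw,SUIDDIR  2     2'

# Constructed sample 2: the same fstab after a partition (assumed here to be
# /dev/ad2s2f, the name used in the article) has actually been created.
FSTAB_AFTER="$FSTAB_BEFORE
/dev/ad2s2f   /home/ftp/incoming ufs  rw,suiddir  2     2"

# Interactive usage against the live file:
#   fstab_has_suiddir_mount "$(cat /etc/fstab)" /home/ftp/incoming
```

The check only tells you the fstab line is plausible; it does not replace the rest of what the man page excerpt implies, namely a kernel built with `options SUIDDIR`, a real UFS partition behind the device name, and the setuid bit set on the incoming directory itself so that uploaded files take the directory owner's uid.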