From owner-freebsd-questions@FreeBSD.ORG Tue Aug 16 02:44:14 2005
Message-ID: <45d750d205081519447090b374@mail.gmail.com>
Date: Mon, 15 Aug 2005 22:44:12 -0400
From: Aaron Peterson
To: stephen honea
Cc: freebsd-questions@freebsd.org
Subject: Re: ftp security
In-Reply-To: <20050816023109.59234.qmail@web52401.mail.yahoo.com>
References: <20050816023109.59234.qmail@web52401.mail.yahoo.com>

On 8/15/05, stephen honea wrote:
> I read
> http://www.freebsddiary.org/ftp-anonymous.php to try and secure my ftp server.
> The author suggested adding a line to my fstab:
>
> /dev/ad2s2f /home/ftp/incoming ufs rw,SUIDDIR 2 2
>
> however I don't have the file ad2s2f in my /dev directory
>
> # Device        Mountpoint      FStype  Options         Dump    Pass#
> /dev/ad0s1b     none            swap    sw              0       0
> /dev/ad0s1a     /               ufs     rw              1       1
> /dev/ad0s1e     /tmp            ufs     rw              2       2
> /dev/ad0s1f     /usr            ufs     rw              2       2
> /dev/ad0s1d     /var            ufs     rw              2       2
> /dev/acd0       /cdrom          cd9660  ro,noauto       0       0
> #/dev/ad0s      /ftp/incoming   ufs     rw,SUIDDIR      2       2
>
> [root]/etc-
>
> I don't really understand the fstab but I gather
> ad0s1 is the drive and a-f is the partitions created at boot time
>
> basically I am trying to sticky a directory mounted by fstab

Yes, if you didn't create a partition /dev/ad2s2f then you can't mount it or put it in fstab because it doesn't exist.

I think you are mistaken that you are trying to turn on the sticky bit, since you don't need a separate partition for that by itself. There are other security features that go along with mounting the filesystem with the SUIDDIR option. An excerpt from "man mount":

     suiddir
             A directory on the mounted file system will respond to the
             SUID bit being set, by setting the owner of any new files to
             be the same as the owner of the directory. New directories
             will inherit the bit from their parents. Execute bits are
             removed from the file, and it will not be given to root.

             This feature is designed for use on fileservers serving PC
             users via ftp, SAMBA, or netatalk. It provides security
             holes for shell users and as such should not be used on
             shell machines, especially on home directories. This option
             requires the SUIDDIR option in the kernel to work. Only UFS
             file systems support this option. See chmod(2) for more
             information.

This requires planning ahead on your filesystem though, so that you have space to create a separate partition for /home/ftp/incoming in your case.
You could add another hard disk, or perhaps find a way to rearrange your existing space. It is usually easiest to set this stuff up at install time though...

Aaron
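A check for the kind of mistake discussed in this thread, added here as an example and not taken from the mailing list or from the freebsddiary article: it parses an fstab in the layout shown above, reports device-backed entries whose node does not exist under /dev (such a line makes the mount fail at boot), and flags suiddir entries, which only UFS supports and which need the SUIDDIR kernel option. The function name check_fstab and the use of file paths as parameters are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an fstab before rebooting.
# Assumes the FreeBSD fstab layout: device mountpoint fstype options dump pass.

# check_fstab FSTAB DEVDIR
# Prints one line per finding; returns 1 if any entry would fail to mount.
check_fstab() {
    fstab=$1
    devdir=$2
    rc=0
    while read -r dev mnt fstype opts dump pass; do
        # skip blank lines and comments (including commented-out entries)
        case "$dev" in ''|\#*) continue ;; esac
        # only device-backed entries need a node under /dev
        case "$dev" in
            /dev/*)
                node="$devdir/${dev#/dev/}"
                if [ ! -e "$node" ]; then
                    echo "MISSING $dev ($mnt): no such node, mount would fail"
                    rc=1
                fi
                ;;
        esac
        # suiddir is only meaningful on ufs and needs kernel support
        case ",$opts," in
            *,suiddir,*|*,SUIDDIR,*)
                if [ "$fstype" = ufs ]; then
                    echo "SUIDDIR $dev ($mnt): requires SUIDDIR kernel option"
                else
                    echo "BADOPT $dev ($mnt): suiddir only supported on ufs"
                    rc=1
                fi
                ;;
        esac
    done < "$fstab"
    return $rc
}

# usage: sh check_fstab.sh /etc/fstab [/dev]
if [ $# -ge 1 ]; then
    check_fstab "$1" "${2:-/dev}"
fi
```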