From owner-freebsd-questions Sun Aug 25 16:49:15 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA24265 for questions-outgoing; Sun, 25 Aug 1996 16:49:15 -0700 (PDT)
Received: from phs.k12.ar.us (garman@phs.k12.ar.us [165.29.117.2]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id QAA24257 for ; Sun, 25 Aug 1996 16:49:13 -0700 (PDT)
Received: (from garman@localhost) by phs.k12.ar.us (8.6.12/8.6.9) id SAA25427; Sun, 25 Aug 1996 18:49:11 -0500
Date: Sun, 25 Aug 1996 18:49:11 -0500 (CDT)
From: Jason Garman
To: questions@freebsd.org
Subject: Automated ftpd setup in sysinstall: security hole
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

After installing 2.1.5 and telling sysinstall to set up my anonymous ftp
directories for me (the easy way out eh? :-)), I noticed that sysinstall
makes /var/ftp/pub owned by _ftp_, not root like all of the other
directories.

Isn't this a major security hole? I just tried uploading a file to my /pub
and then successfully deleted it, all from the anonymous account.

Who would I report this to? security-officer?

--
Jason Garman                              http://www.nesc.k12.ar.us/~garman/
Student, Eleanor Roosevelt High School    garman@phs.k12.ar.us
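
Added example, not part of the original message: a POSIX shell check for the condition described above. It lists everything under an anonymous FTP root that is owned by the FTP account, and goes one step further by also listing world-writable directories. The function name audit_ftp_tree and its arguments are hypothetical; /var/ftp and the ftp account are the values from the message.

```shell
#!/bin/sh
# Added example: audit an anonymous FTP tree for entries that an
# anonymous session could modify. Not part of sysinstall or FreeBSD.
#
# Usage (assumed layout from the message): sh audit.sh /var/ftp ftp

# audit_ftp_tree ROOT ACCOUNT
#   ROOT    - top of the anonymous FTP area
#   ACCOUNT - user name or numeric uid the FTP daemon runs anonymous
#             sessions as
# Prints one line per finding. Returns 0 if clean, 1 if anything was
# found, 2 if ROOT is not a directory.
audit_ftp_tree() {
    root=$1
    account=$2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # An entry owned by the FTP account can be written, removed or
    # chmod'ed by an anonymous session whatever its mode bits say.
    owned=$(find "$root" -user "$account" -print |
        sed 's/^/OWNED-BY-FTP /')

    # A directory writable by "other" allows uploads and deletions
    # even when it is owned by root.
    writable=$(find "$root" -type d -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE /')

    # Merge both result sets and drop the blank lines left by an
    # empty set.
    findings=$(printf '%s\n%s\n' "$owned" "$writable" | sed '/^$/d')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when a root directory is given on the command line.
if [ "$#" -ge 1 ]; then
    audit_ftp_tree "$1" "${2:-ftp}"
fi
```

On a tree that is meant to be read-only, each OWNED-BY-FTP line is an entry to hand back to root; an intentional upload area would still show up here and needs to be reviewed as a deliberate exception.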