From owner-freebsd-security Fri Dec 1 8:38:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id EFB6D37B401; Fri, 1 Dec 2000 08:38:52 -0800 (PST)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA39951; Fri, 1 Dec 2000 11:38:51 -0500 (EST) (envelope-from wollman)
Date: Fri, 1 Dec 2000 11:38:51 -0500 (EST)
From: Garrett Wollman
Message-Id: <200012011638.LAA39951@khavrinen.lcs.mit.edu>
To: Kris Kennaway
Cc: Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: which ftpd
In-Reply-To: <20001201003104.A41598@citusc17.usc.edu>
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <20001201003104.A41598@citusc17.usc.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> Basically all of the third party ftpds in ports have had numerous
> security problems - the in-system one has been vulnerability-free
> for quite a while now.

That doesn't imply that they are currently insecure. The advice that other people have given (e.g., running ftpd in a jail) is helpful, and of course the best thing you can do for anonymous FTP is to prohibit uploads altogether. If you need to allow uploads, several of the servers provide a much greater level of control over that function than standard UNIX permissions. For example, wuftpd allows the administrator to restrict uploads to a specific directory, and specify permissions for newly-uploaded files which will prevent them from being downloaded. (Merely setting the directory to 733 mode doesn't help -- the 31337 w4r3z d00dz don't need to be able to read the directory to download the files their friends have deposited there.)

-GAWollman

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
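An ftpaccess fragment showing the wu-ftpd upload controls the message refers to (restricting uploads to one directory and fixing the ownership and mode of newly uploaded files so they cannot be fetched back). This is an added example, not text from the message or a file shipped with wu-ftpd; the anonymous root /var/ftp, the incoming directory and the owner/group root:wheel are assumptions.

```text
# /etc/ftpaccess (wu-ftpd) -- assumed layout: anonymous root /var/ftp,
# drop directory /var/ftp/incoming

# Default: refuse uploads anywhere under the anonymous root.
upload /var/ftp * no

# Allow uploads only into /incoming. New files are owned by root:wheel
# (assumed) with mode 0600. The anonymous session runs with the ftp user's
# uid, so a 0600 file owned by ftp would still be readable by that session;
# giving the file to another account is what makes the mode bits deny the
# read. "nodirs" forbids creating subdirectories in the drop area.
upload /var/ftp /incoming yes root wheel 0600 nodirs

# Belt and braces: never serve anything out of incoming, even if a file
# mode is later loosened by hand.
noretrieve /var/ftp/incoming

# Anonymous users may not delete, overwrite or rename uploaded files.
delete    no anonymous
overwrite no anonymous
rename    no anonymous
```

The directory itself can still be mode 733 (write and search for "other", no read) so the ftp user can create files without listing them; as the message says, that mode alone does nothing against a filename the downloader already knows. The per-file owner and mode set by the upload line, plus the noretrieve line, are what actually deny the download.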