From owner-freebsd-security Fri Dec 1 22: 1: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from aurora.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68])
	by hub.freebsd.org (Postfix) with ESMTP id 1F60F37B401
	for ; Fri, 1 Dec 2000 22:01:00 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	by aurora.scoop.co.nz (8.9.3/8.9.3) with SMTP id TAA19301;
	Sat, 2 Dec 2000 19:00:11 +1300 (NZDT)
Date: Sat, 2 Dec 2000 19:00:10 +1300 (NZDT)
From: Andrew McNaughton
Reply-To: andrew@scoop.co.nz
To: cjclark@alum.mit.edu
Cc: Nate Williams , James Wyatt , Christoph Kukulies , freebsd-security@FreeBSD.ORG
Subject: Re: which ftpd
In-Reply-To: <20001201195847.J99903@149.211.6.64.reflexcom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 1 Dec 2000, Crist J. Clark wrote:

> On Fri, Dec 01, 2000 at 10:49:06AM -0700, Nate Williams wrote:
> > > I've found the stock FreeBSD FTPd really good. It offers a chrooted
> > > account I've had to take the WUFTPd risk for before on Linux. If you
> > > turn-up the logging you can easily catch things like this. (btw: this
> > > looks like some warez d00dz building a nest. I've had it happen before and
> > > there have been some FTPd holes that required writable anon-ftp to work.)
> > > Using the FTPd xfer log, you can easily audit uploaded files and spot
> > > things like this. You can also have an automatic process watch the log
> > > and move the files to a quarantine area.
> >
> > Do you have an example setup you could post to the list? One of the
> > issues I'd like to have is an ftpd that allows uploads, but either moves
> > them or changes the permissions on them as soon as the files are
> > uploaded, to avoid having folks abuse the system for warez.
>
> How about hardcoding the UMASK to 777? Should be a trivial code hack.

You could do this in much the same way that people do in order to use pop
logins to authenticate smtp relaying.

If you start the daemon with 'ftpd -l -l' then you get syslog messages which
a process could use to monitor and act on new uploads.

--
Andrew McNaughton
Scoop Media Ltd
andrew@scoop.co.nz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
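
The approach suggested in this message (a process that reads the syslog records produced by 'ftpd -l -l' and acts on new uploads), sketched as an added example that is not part of the original post or of FreeBSD's ftpd. The log line shape, the constructed SAMPLE_LOG lines, the function names, and a quarantine directory outside the FTP tree are all assumptions.

```python
import os
import re
import shutil

# Assumed shape of a store record from 'ftpd -l -l' (check your own syslog):
#   <timestamp> <host> ftpd[<pid>]: put <path> = <n> bytes
# The greedy match treats the LAST " = N bytes" as the suffix, because the
# uploader chooses the file name and could embed that text in it.
PUT_RE = re.compile(r"ftpd\[\d+\]: (?:put|append) (?P<path>.+) = \d+ bytes$")

# Constructed sample lines, not captured output.
SAMPLE_LOG = [
    "Dec  2 19:00:10 ftphost ftpd[411]: put /incoming/a.zip = 1048576 bytes",
    "Dec  2 19:00:12 ftphost ftpd[411]: get /pub/README = 512 bytes",
    "Dec  2 19:00:15 ftphost ftpd[412]: put /incoming/../../etc/passwd = 9 bytes",
]

def uploaded_paths(lines):
    """Return the path of every store operation found in the log lines."""
    found = []
    for line in lines:
        m = PUT_RE.search(line.rstrip("\n"))
        if m:
            found.append(m.group("path"))
    return found

def quarantine(logged_path, ftp_root, quarantine_dir):
    """Move one upload out of the FTP tree; return its new path, or None."""
    root = os.path.realpath(ftp_root)
    src = os.path.realpath(os.path.join(root, logged_path.lstrip("/")))
    # Logged names are untrusted: act only on regular files inside the root.
    if os.path.commonpath([root, src]) != root or not os.path.isfile(src):
        return None
    base = os.path.basename(src)
    dst, n = os.path.join(quarantine_dir, base), 0
    while os.path.exists(dst):  # never overwrite an earlier capture
        n += 1
        dst = os.path.join(quarantine_dir, f"{base}.{n}")
    shutil.move(src, dst)
    os.chmod(dst, 0o600)  # readable only by the account running the watcher
    return dst

def process(lines, ftp_root, quarantine_dir):
    """Quarantine every upload named in the log lines; return the moved paths."""
    moved = [quarantine(p, ftp_root, quarantine_dir) for p in uploaded_paths(lines)]
    return [p for p in moved if p]
```

In use, the lines would come from following the file that syslog writes the LOG_FTP facility to, and ftp_root would be the anonymous FTP chroot, since the logged paths are relative to it.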