Date: Wed, 15 Oct 1997 03:10:12 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: Greg Lehey <grog@lemis.com>
Cc: questions@FreeBSD.ORG
Subject: Re: secure anonymous FTP
Message-ID: <Pine.BSF.3.96.971015030651.2452A-100000@cyrus.watson.org>
In-Reply-To: <19971015144413.61249@lemis.com>
On Wed, 15 Oct 1997, Greg Lehey wrote:
> On Tue, Oct 14, 1997 at 11:51:19PM -0400, Robert Watson wrote:
> >
> > I wish to set up an anonymous ftp server that only serves anonymous users
> > -- i.e., it does not need to authenticate users using passwords ever, and
> > would live entirely chroot'd, hopefully. This would minimize the chances
> > of attacks using anonymous ftp; is there a daemon available that would fit
> > into this niche or do I need to roll my own?
>
> man 8 ftpd
>
> Look at the -A option.

The following line of text can be found there under 2.2.1:

     -A      Allow only anonymous ftp access

This does not provide much in the way of details: for example, presumably
ftpd still runs as root, does a chroot, gives up root access, etc., at some
point, which is not defined here. I was hoping instead for a daemon that
had more documented semantics (and perhaps better ones.) For example, the
daemon runs as root, binds the port, chroots, gives up uid 0 before even
accepting any connections. Is this what the -A behavior implies?

Alternatively, I would rather run ftpd from inetd and not use chroot,
relying on the server to provide security, than have ftpd run as root at
any point.

The -A option may not provide any enhanced security, other than the server
promising not to accept authenticated connections? :) Some clarification
here would be nice, thanks.

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/
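
The startup order asked about in the message above (bind as root, chroot, give up uid 0, only then accept), as an added example that is not part of the original message and is not FreeBSD ftpd's code. The function names, port 21, the directory /var/ftp and uid/gid 14 are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() and setgroups() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Step 1, as root: bind the privileged port; no connection is accepted yet. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in sa = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Steps 2-3: confine to dir, then give up root. Returns 0 only if every
 * step succeeded and uid 0 cannot be regained afterwards. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;           /* never "drop" to root */
    if (chdir(dir) < 0 || chroot(".") < 0 || chdir("/") < 0) return -1;
    if (setgroups(1, &gid) < 0) return -1;         /* shed root's extra groups */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;  /* gid first, uid last */
    if (setuid(0) == 0) return -1;                 /* drop must be irreversible */
    return 0;
}

int main(void)
{
    static const char bye[] = "421 Service not available.\r\n";
    int fd = bind_listener(21);                    /* assumed: port 21 */
    if (fd < 0 || jail_and_drop("/var/ftp", 14, 14) < 0) {  /* assumed values */
        perror("startup");
        return 1;
    }
    for (;;) {                                     /* step 4: unprivileged from here */
        int c = accept(fd, NULL, NULL);
        if (c >= 0) { (void)write(c, bye, sizeof bye - 1); close(c); }
    }
}
```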
