From owner-freebsd-questions  Wed Oct 15 00:10:30 1997
Return-Path: <owner-freebsd-questions>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id AAA24245
          for questions-outgoing; Wed, 15 Oct 1997 00:10:30 -0700 (PDT)
          (envelope-from owner-freebsd-questions)
Received: from cyrus.watson.org (robert@AMALTHEA.RES.CMU.EDU [128.2.91.57])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA24235
          for <questions@FreeBSD.ORG>; Wed, 15 Oct 1997 00:10:26 -0700 (PDT)
          (envelope-from robert@cyrus.watson.org)
Received: from localhost (robert@localhost)
	by cyrus.watson.org (8.8.5/8.8.5) with SMTP id DAA02483;
	Wed, 15 Oct 1997 03:10:13 -0400 (EDT)
Date: Wed, 15 Oct 1997 03:10:12 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: Greg Lehey <grog@lemis.com>
cc: questions@FreeBSD.ORG
Subject: Re: secure anonymous FTP
In-Reply-To: <19971015144413.61249@lemis.com>
Message-ID: <Pine.BSF.3.96.971015030651.2452A-100000@cyrus.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 15 Oct 1997, Greg Lehey wrote:

> On Tue, Oct 14, 1997 at 11:51:19PM -0400, Robert Watson wrote:
> >
> > I wish to set up an anonymous ftp server that only serves anonymous users
> > -- i.e., it does not need to authenticate users using passwords ever, and
> > would live entirely chroot'd, hopefully.  This would minimize the chances
> > of attacks using anonymous ftp; is there a daemon available that would fit
> > into this nitch or do I need to roll my own?
> 
> man 8 ftpd
> 
> Look at the -A option.

The following line of text can be found there under 2.2.1:

     -A      Allow only anonymous ftp access

This does not provide much in the way of details: for example, presumably
ftpd still runs as root, does a chroot, gives up root access, etc, at some
point, which is not defined here.  I was hoping instead for a daemon that
had more documented semantics (and perhaps better ones.)  For example, the
daemon runs as root, binds the port, chroots, gives up uid 0 before even
accepting any connections.  Is this what the -A behavior implies?

Alternatively, I would rather run ftpd from inetd and not use chroot,
relying on the server to provide security, than have ftpd run as root at
any point..

The -A option may not provide any enhanced security, other than the server
promising not to accept authenticated connections? :)  Some clarification
here would be nice, thanks.


  Robert N Watson 

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/