Date:      Thu, 4 Jan 2001 10:29:53 -0500 
From:      "Portwood, Jason" <JPortwood@strategicit.net>
To:        "'freebsd-security@FreeBSD.ORG'" <freebsd-security@FreeBSD.ORG>
Subject:   ftpd and anonymous setup
Message-ID:  <6381A6A8826BD31199500090279CAFBA24F41A@exchange.strategicit.net>


I noticed that the permissions given for the anonymous ftp setup in the ftpd
man page seem a little off.  Now of course before anyone goes setting up an
anonymous FTP site they should be very cautious.  That can't be said enough.

From man 8 ftpd...

           ~ftp/pub  Make this directory mode 777 and owned by ``ftp''.
                     Guests can then place files which are to be accessible
                     via the anonymous account in this directory.

Now that creates a directory that is world readable/writeable/executable.  So
an anonymous user can upload but also download what he/she put up there, as
well as grab what others have placed there.  If someone takes it to heart and
thinks they're fine, they could eventually have problems if found.

I think it might be better to have the following:

	~ftp/pub 	Make the directory mode 555 and owned by ``ftp''.

	~ftp/pub/upload	Make this directory mode 773 and owned by ``ftp''.

I chose 773 to allow someone to be assigned to the group to control the
contents of that directory.

That will allow files to be uploaded and not be viewable.  Of course there
is still the problem that a directory could be created in the upload
directory.  Files uploaded to that new directory would be world readable, so
the problem starts all over again if it were found.  Security through
obscurity isn't always the best but it does help a little here...

Of course this is what wu-ftpd/ProFTPD is for if you need tighter control on
anonymous FTP.

I wonder if a change to ftpd adding a flag to disable anonymous users from
creating directories would help with this?  As well as avoid yet another
configuration file to have to deal with.

Just my thought.

Jason Portwood  (jason@iac.net)
Internet Systems Administrator   
Strategic / Internet Access Cincinnati
Sales & Tech Support 513-860-9052 
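
The layout proposed in the mail, as an added example that is not part of the original post or of FreeBSD's ftpd: a POSIX sh script that creates ~ftp/pub (555) and ~ftp/pub/upload (773), reports their modes, and audits the hole the mail describes, a subdirectory created inside upload/ that is readable by others. FTP_ROOT and FTP_OWNER are assumptions (FTP_ROOT defaults to a scratch directory so it runs unprivileged; chown is only attempted as root when the account exists), and the reseal_subdirs cron-style fix is my suggestion, not something the mail asks for.

```sh
#!/bin/sh
# Added example, not part of the original mail or of FreeBSD's ftpd.
# Builds the layout proposed in the mail (pub 555, pub/upload 773) and audits
# the failure mode it points out: a subdirectory created inside upload/ whose
# "other" read bit is set makes its contents listable again.
# FTP_ROOT and FTP_OWNER are assumptions; FTP_ROOT defaults to a scratch
# directory so the script runs without privileges, and chown is only
# attempted when running as root and the account exists.

FTP_ROOT="${FTP_ROOT:-$(mktemp -d)}"
FTP_OWNER="${FTP_OWNER:-ftp}"

# Create ~ftp/pub and ~ftp/pub/upload with the modes from the mail.
setup_anon_tree() {
    root="$1"
    mkdir -p "$root/pub/upload"
    chmod 773 "$root/pub/upload"   # uploads allowed, no listing for "other"
    chmod 555 "$root/pub"          # read-only, nothing can be added to pub itself
    if [ "$(id -u)" -eq 0 ] && id "$FTP_OWNER" >/dev/null 2>&1; then
        chown "$FTP_OWNER" "$root/pub" "$root/pub/upload"
    fi
}

# Symbolic mode string of a path (e.g. drwxrwx-wx); ls -ld is portable
# between GNU and BSD userlands where stat(1) flags are not.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds when "other" can write to the directory but not read (list) it,
# i.e. the blind-drop behaviour 773 is chosen for.
upload_is_blind() {
    m=$(mode_of "$1")
    other_r=$(printf '%s' "$m" | cut -c8)
    other_w=$(printf '%s' "$m" | cut -c9)
    [ "$other_r" = "-" ] && [ "$other_w" = "w" ]
}

# Count subdirectories below the upload directory that are readable by
# "other": each one re-exposes listings, which is the hole the mail describes.
count_readable_subdirs() {
    find "$1" -mindepth 1 -type d -perm -004 | wc -l | tr -d ' '
}

# Re-apply 773 to every subdirectory under upload/ (what a periodic job
# could do until ftpd can refuse anonymous directory creation).
reseal_subdirs() {
    find "$1" -mindepth 1 -type d -exec chmod 773 {} +
}

setup_anon_tree "$FTP_ROOT"
echo "pub:    $(mode_of "$FTP_ROOT/pub")"
echo "upload: $(mode_of "$FTP_ROOT/pub/upload")"
if upload_is_blind "$FTP_ROOT/pub/upload"; then
    echo "upload/ is a blind drop (writable, not listable, by others)"
fi
echo "readable subdirectories under upload/: $(count_readable_subdirs "$FTP_ROOT/pub/upload")"
```

Run it as is to see the modes on a scratch tree, or with FTP_ROOT set to the real ftp home as root to apply them; count_readable_subdirs is the check worth scheduling, since a newly created subdirectory under upload/ typically inherits the creator's umask (755) and is exactly the case the mail warns about.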

