From owner-freebsd-questions Fri Feb 14 00:17:47 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA17568 for questions-outgoing; Fri, 14 Feb 1997 00:17:47 -0800 (PST)
Received: from Radford.i-Plus.net (Radford.i-Plus.net [206.99.237.6]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA17535 for ; Fri, 14 Feb 1997 00:17:43 -0800 (PST)
Received: from abyss (pitlord@abyss.i-Plus.net [206.99.237.42]) by Radford.i-Plus.net (8.8.5/8.8.5) with SMTP id DAA01556 for ; Fri, 14 Feb 1997 03:16:48 -0500 (EST)
Message-Id: <199702140816.DAA01556@Radford.i-Plus.net>
Comments: Authenticated sender is
From: "Troy Settle"
To: questions@freebsd.org
Date: Fri, 14 Feb 1997 03:30:27 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: ftpd security problem?
Reply-to: rewt@i-Plus.net
Priority: normal
X-mailer: Pegasus Mail for Win32 (v2.52)
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I upgraded from 2.1.6 to 2.2, and everything went smoothly. I didn't lose any users, any mail (that I'm aware of), or anything else for that matter.

However, last night, I got a call from my boss, telling me that he was logged in anonymously to the ftp server, and was able to delete files at will. I thought he might be mistaken, but I verified this myself, and was able to do anything with the files under /var/ftp (chroot was still in effect, and yes, everything was chmod o-w).

Switching over to wu_ftpd fixed this.

No real worries from me, but I thought others might be interested in this.

--
Troy Settle
Network Administrator, iPlus Internet Services
http://www.i-Plus.net

( Stuff I said does not reflect the company I work )
( for unless I'm speaking on behalf of said company )