Date: Fri, 05 Dec 1997 22:50:13 +0100
From: sthaug@nethelp.no
To: cschuber@uumail.gov.bc.ca
Cc: security@FreeBSD.ORG
Subject: Re: Possible problem with ftpd 6.00
Message-ID: <13962.881358613@verdi.nethelp.no>
In-Reply-To: Your message of "Fri, 05 Dec 1997 07:12:41 -0800"
References: <199712051513.HAA22525@cwsys.cwsent.com>

> You have stumbled across arguably (IMHO) the best anonymous FTP server out
> there. Netscape sends USER and PASS commands, regardless of the prompt. If
> you want to run a read-only anonymous FTP server, this is the one to use.
> Because anonftp doesn't handle "regular" FTP, you would need to put your
> "regular" FTP server on another port.
>
> The reason anonftpd is so good is that it does only one thing: Anonymous FTP,
> that's it. Maybe there should be a port for it (and some other of Daniel
> Bernstein's work such as Qmail). Then people who want to run a secure
> anonymous FTP server can.

Personally, I prefer Marcus Ranum's hacked ftpd, aftpd. With the default
compilation flags, only anonymous service is provided. It needs a regular
bin/ls, but that's all. The listing format is more standard than anonftpd.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------

ftpd, mjr version
-----------------

This is a significantly stripped down ftpd, which is designed to support
ONLY anonymous service in a chrooted environment. In the process of
building this, I linted out the BSD version, chopped out all the insane
games they play trying to figure out who the user is at any given moment,
took the globals and put them in one place, fixed the egregious
pseudo-varargs in reply(), replaced the argument processing with getopt,
and removed all the setuid/getuid cruft. It uses syslog for everything.

I *did* manage to take a significant amount of code out of the original
BSD version (and threw it in the bit bucket where it belongs) but I had
to put a surprising amount back in to make the management of globals
sensible, and to make lint and Saber-C happy.

If you build it (recommended) with -DREADONLY, then it will generate you
an ftpd that can do little more than serve files. This is what you want,
trust me. Leaving -DREADONLY out will build you an ftpd that can
read/write files, etc, but only as the guest user-ID.

This ftpd uses no password file to leave lying around in core files in
your FTP area. It can be chrooted with nothing but a copy of "/bin/ls"
which is how things should be.

There are hardcoded defaults in ftpd.h that wire in some default
directories and UIDs. You can also pass them on the command line
(-H ftphomedir -U uid -G gid) but many inetds like Sun's lose arguments
off the command line. Make life easy on yourself and compile the values
in, then leave 'em.

Last but not least. "normal" ftpds run as root so they can bind the
return data port. This is utter braindamage and this ftpd does NOT
support that ability. What does it mean? It means that people who rely
on letting port 20 in through their router will lose, since this ftpd
talks on whatever port it feels like at the moment. Which is as it
should be. If you feel this is evil, feel free to run something huge and
bloated that runs as root. But not on *MY* system.

Ftpd.c has a section of 16 lines of code that are the security critical
portion. That's what controls the directory and permissions ftpd runs
under. The only other danger spots are the file I/O and command
invocation, which means you should still be careful about permissions in
your FTP area and what executables you put there. But 99% of your
security problems have had a bullet put through them with this program.

BUILDING INSTRUCTIONS
---------------------

a) Edit ftpd.h and adjust the default values for:
       FTPD_DEFAULT_HOME
       FTPD_DEFAULT_UID
       FTPD_DEFAULT_GID
   The default values of -1 and (char *)0 will produce you an ftpd
   that requires all command line options to work.

b) Edit the Makefile to change any options as you see fit:
       NOEXPORT enables export control routines. If the -f flag is
           passed in on the command line, it will not permit files to
           be exported from directories that contain a file called
           ".noexport" or to change into a directory with a ".noexport"
           file. You probably do not want this.
       PROXY_PASSTHROUGH enables toolkit aware proxy switching for
           the firewall toolkit. You probably do not want this.
       READONLY disables all store/modify commands. You probably
           want this.

c) Type "make"

d) Install it.

This software is completely unsupported. Use at your own risk. This
software assumes that you have a level of expertise as a systems manager
that will allow you to install this properly. If you do not, don't use
this software. If you do not, don't call for help, unless you are
prepared to pay consulting rates.

mjr.
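
The README in the message above says a 16-line section of ftpd.c controls the directory and permissions the daemon runs under, but the message does not include those lines. What follows is an added example, not mjr's code: a sketch in C of the usual chroot-then-drop-ids order, which also refuses the unset defaults the README mentions (-1 and (char *)0). The names `enter_jail`, `jail_config_ok` and the `JAIL_*` codes are hypothetical, and `/var/ftp` with uid/gid 14 are constructed sample values.

```c
/* Added example, not from ftpd.c; all names here are hypothetical. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

enum { JAIL_OK = 0, JAIL_ECONFIG = -1, JAIL_ECHDIR = -2, JAIL_ECHROOT = -3,
       JAIL_EDROP = -4, JAIL_ESTILLROOT = -5 };

/* Refuse the "unset" defaults ((char *)0 home, -1 ids) and refuse root
 * ids: a chroot is only a boundary for a process that is not root. */
int jail_config_ok(const char *home, long uid, long gid)
{
    if (home == NULL || home[0] != '/')
        return 0;
    return uid > 0 && gid > 0;
}

/* Order matters: chroot() needs root, so it comes before the id drop;
 * groups go before the uid, because after setuid() the process no
 * longer has the privilege to change them. */
int enter_jail(const char *home, long uid, long gid)
{
    gid_t g = (gid_t)gid;

    if (!jail_config_ok(home, uid, gid))
        return JAIL_ECONFIG;
    if (chdir(home) != 0)
        return JAIL_ECHDIR;
    if (chroot(".") != 0 || chdir("/") != 0)  /* no cwd left outside the jail */
        return JAIL_ECHROOT;
    if (setgroups(1, &g) != 0 || setgid(g) != 0 || setuid((uid_t)uid) != 0)
        return JAIL_EDROP;
    /* Confirm the drop cannot be undone before reading any client input. */
    if (setuid(0) == 0 || getuid() == 0 || geteuid() == 0)
        return JAIL_ESTILLROOT;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    /* Constructed sample values (home, uid 14, gid 14). */
    int rc = enter_jail(argc > 1 ? argv[1] : "/var/ftp", 14, 14);
    if (rc != JAIL_OK)
        fprintf(stderr, "refusing to serve: jail setup failed (%d)\n", rc);
    return rc == JAIL_OK ? 0 : 1;
}
```

Every failure path returns before any file is served, so a daemon built this way fails closed when started without root or with an incomplete configuration.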