Date: Tue, 07 Jul 1998 00:17:03 -0700
From: David Greenman <dg@root.com>
To: rotel@indigo.ie
Cc: "Allen Smith" <easmith@beatrice.rutgers.edu>, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
Message-ID: <199807070717.AAA21226@implode.root.com>
In-Reply-To: Your message of "Tue, 07 Jul 1998 03:17:54 -0000." <199807070217.DAA02400@indigo.ie>
>On Jul 6, 4:45pm, David Greenman wrote:
>} Subject: Re: bsd securelevel patch question
>>
>> I think you are missing what I'm saying. Again, I'm saying that the FTP
>> client is the thing that initiates the passive mode (via the PASV command) -
>> not the server and thus your suggestion to "just use passive FTP on the
>> server" to get around needing privileged-port bind()s in the server is
>> simply not an option.
>
>Right, what I meant was to provide the option of disabling the PORT
>command. Yes, I know this will confuse people and break things,
>but I think it's a reasonable choice to offer the administrator.

   Sorry, that's just a silly recommendation. Period.

>I wonder if initiating active mode data connections from an undefault
>(!) data port would break much. I notice /usr/bin/ftp doesn't
>"authenticate" this, in fact it doesn't even check the peer's IP,
>maybe this is something to do with not breaking FTP proxies; I
>don't know how they work. At least a warning would be appropriate
>though?

   That might work for _some_ clients.

>> > As for the security, I'd
>> >prefer to allow connects in to the ftp servers on ports I know it
>> >will be listening on rather than having a machine inside the DMZ
>> >initiating TCP connections; having said that, FreeBSD's ftp daemon
>> >currently accepts connections on ports it is listening on from any
>> >IP, in accordance with the FTP RFC, but this is inconsistent with
>> >the behaviour of the PORT command in paranoid mode which will only
>> >connect to the IP of the control channel peer. What do you think
>> >of patching this?
>>
>> Are you talking about the data port listens that ftpd does when it is
>> operating in passive mode? If so, then you're wrong - ftpd listens for the
>> control channel IP address.
>
>No it doesn't; check dataconn() in ftpd.c, it simply accepts the
>connection after using select for timeout. The "authentication"
>for PORT occurs as part of parsing the PORT command in host_port in
>ftpcmd.y

   What does accept() have to do with how the socket is bind()ed? (Answer:
absolutely nothing.) The bind() and listen() occur in the passive() function,
which very definitely sets the ctrl_addr as the listen address. I also don't
know what you're talking about regarding the PORT command in passive mode
since these are mutually exclusive.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project
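An added example, not code from this thread or from FreeBSD's ftpd, that puts the two points argued above into running Python: a PORT-argument parser with the paranoid-mode check attributed to host_port (the data target must be the control-channel peer), and a passive listener that bind()s and listen()s on the control connection's own local address as the reply says passive() does, followed by the accept-time peer check that dataconn() is said not to make. The privileged-port threshold, the function names and the loopback run at the bottom are this example's own assumptions and constructed data.

```python
import socket

# Assumption for this example: ports below 1024 count as privileged, so a
# PORT request naming one of them is refused. The thread does not give
# ftpd's exact rule; this threshold is a constructed choice.
PRIVILEGED_PORT_LIMIT = 1024


def parse_port_command(arg):
    """Parse the argument of an FTP PORT command, "h1,h2,h3,h4,p1,p2", into
    (ip, port). Raises ValueError for anything that is not six octets."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers")
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_port_paranoid(arg, control_peer_ip):
    """The 'paranoid mode' rule described in the thread for PORT: the server
    only opens an active data connection to the IP of the control-channel
    peer. A privileged-port refusal is added on top (constructed, see above).
    Returns (accepted, reason, target) where target is (ip, port) or None."""
    try:
        ip, port = parse_port_command(arg)
    except ValueError as exc:
        return False, str(exc), None
    if ip != control_peer_ip:
        return False, "PORT address is not the control-channel peer", (ip, port)
    if port < PRIVILEGED_PORT_LIMIT:
        return False, "PORT asks for a privileged port", (ip, port)
    return True, "ok", (ip, port)


def open_passive_listener(control_sock):
    """Set up the PASV data listener the way the reply says passive() does:
    bind() and listen() on the control connection's own local address
    (ctrl_addr), here with an ephemeral port chosen by the kernel."""
    local_ip = control_sock.getsockname()[0]
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind((local_ip, 0))
    lsock.listen(1)
    return lsock


def accept_data_connection(lsock, control_peer_ip, timeout=5.0):
    """accept() the data connection, then apply the peer check the thread
    says dataconn() does not make: the data peer must be the control-channel
    peer. A connection from any other address is closed and None returned;
    None is also returned if nothing connects within the timeout."""
    lsock.settimeout(timeout)
    try:
        conn, (peer_ip, _peer_port) = lsock.accept()
    except socket.timeout:
        return None
    if peer_ip != control_peer_ip:
        conn.close()
        return None
    return conn


def demo_passive_over_loopback():
    """Constructed end-to-end run on 127.0.0.1: a control connection is made,
    a passive listener is derived from it, the same client connects to the
    data port, and the peer check passes. Returns True when the data
    connection is accepted."""
    ctrl_listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ctrl_listener.bind(("127.0.0.1", 0))
    ctrl_listener.listen(1)
    ctrl_client = socket.create_connection(ctrl_listener.getsockname())
    ctrl_server, (ctrl_peer_ip, _) = ctrl_listener.accept()
    data_listener = open_passive_listener(ctrl_server)
    data_client = socket.create_connection(data_listener.getsockname())
    data_conn = accept_data_connection(data_listener, ctrl_peer_ip)
    accepted = data_conn is not None
    for s in (data_conn, data_client, data_listener, ctrl_server,
              ctrl_client, ctrl_listener):
        if s is not None:
            s.close()
    return accepted


if __name__ == "__main__":
    print(check_port_paranoid("192,168,1,10,4,1", "192.168.1.10"))
    print(check_port_paranoid("10,0,0,1,4,1", "192.168.1.10"))
    print("passive data connection accepted:", demo_passive_over_loopback())
```

The split between the two halves mirrors the disagreement in the thread: where the listener is bound (passive(), at bind() time) is a separate question from which peer is allowed to use it (a check at accept() time), and a hardened daemon needs both.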