Date:      Wed, 15 Oct 1997 16:41:40 +0930
From:      Greg Lehey <grog@lemis.com>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        questions@FreeBSD.ORG
Subject:   Re: secure anonymous FTP
Message-ID:  <19971015164140.48074@lemis.com>
In-Reply-To: <Pine.BSF.3.96.971015030651.2452A-100000@cyrus.watson.org>; from Robert Watson on Wed, Oct 15, 1997 at 03:10:12AM -0400
References:  <19971015144413.61249@lemis.com> <Pine.BSF.3.96.971015030651.2452A-100000@cyrus.watson.org>

On Wed, Oct 15, 1997 at 03:10:12AM -0400, Robert Watson wrote:
> On Wed, 15 Oct 1997, Greg Lehey wrote:
>
>> On Tue, Oct 14, 1997 at 11:51:19PM -0400, Robert Watson wrote:
>>>
>>> I wish to set up an anonymous ftp server that only serves anonymous users
>>> -- i.e., it does not need to authenticate users using passwords ever, and
>>> would live entirely chroot'd, hopefully.  This would minimize the chances
>>> of attacks using anonymous ftp; is there a daemon available that would fit
>>> into this niche or do I need to roll my own?
>>
>> man 8 ftpd
>>
>> Look at the -A option.
>
> The following line of text can be found there under 2.2.1:
>
>      -A      Allow only anonymous ftp access
>
> This does not provide much in the way of details: for example, presumably
> ftpd still runs as root, does a chroot, gives up root access, etc, at some
> point, which is not defined here.  I was hoping instead for a daemon that
> had more documented semantics (and perhaps better ones.)  For example, the
> daemon runs as root, binds the port, chroots, gives up uid 0 before even
> accepting any connections.  Is this what the -A behavior implies?
>
> Alternatively, I would rather run ftpd from inetd and not use chroot,
> relying on the server to provide security, than have ftpd run as root at
> any point.
>
> The -A option may not provide any enhanced security, other than the server
> promising not to accept authenticated connections? :)  Some clarification
> here would be nice, thanks.

I haven't looked at how this is implemented.  I'm afraid you're going
to have to check the source for that one.

Greg
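The daemon start-up order Robert describes above (run as root, bind the port, chroot, give up uid 0, only then accept connections), written out as an added C sketch that is not from either poster and is not FreeBSD's ftpd; the uid/gid values and the /var/empty directory are constructed for the example, and privileges_gone() is the check a practitioner would want before serving anything:

```c
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed values for this example: the unprivileged identity and the
 * empty directory the daemon is confined to.  Adjust for the real host. */
#define FTP_UID  65534          /* "nobody" on most systems */
#define FTP_GID  65534
#define FTP_ROOT "/var/empty"   /* root-owned, unwritable, empty */

/* Step 1 (as root): bind the privileged port before anything else. */
static int bind_ftp_port(void) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(21),
                             .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (s < 0 || bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 16) < 0)
        return -1;
    return s;
}

/* Step 2 (still root): restrict the filesystem view; chroot itself needs uid 0. */
static int confine(const char *dir) {
    return (chroot(dir) == 0 && chdir("/") == 0) ? 0 : -1;
}

/* Step 3: give up root for good.  Supplementary groups first, then gid, then
 * uid: once the uid is gone, the other two could no longer be changed. */
static int drop_ids(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* 1 only if the process is not uid 0 AND cannot become uid 0 again. */
static int privileges_gone(void) {
    return geteuid() != 0 && setuid(0) != 0 && errno == EPERM;
}

int main(void) {
    int s = bind_ftp_port();
    if (s < 0 || confine(FTP_ROOT) < 0 || drop_ids(FTP_UID, FTP_GID) < 0) {
        perror("setup"); return 1;
    }
    if (!privileges_gone()) { fprintf(stderr, "still root, refusing to serve\n"); return 1; }
    /* Only now accept: every client is handled as FTP_UID inside FTP_ROOT. */
    for (;;) { int c = accept(s, NULL, NULL); if (c >= 0) close(c); }
}
```

Run as root it reaches the accept loop as uid 65534 inside /var/empty; run unprivileged it fails at bind or chroot, which is the intended behaviour rather than a fallback to serving as the invoking user.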
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19971015164140.48074>