Date: Sat, 9 Jun 2001 13:18:19 -0400 From: Glen Foster <gfoster@gfoster.com> To: security@freebsd.org Subject: Q: suiddir on ~ftp/incoming? Message-ID: <15138.23131.648658.477266@audio.gfoster.com>
next in thread | raw e-mail | index | archive | help
Standard ftpd on a not-so-old 4.3-S. With the less-than-sterling record of more featureful FTP servers, I'd like to find a way to stick with old faithful. Is it a bad idea to make a directory, ~ftp/incoming, with perms=5333, on an anonymous FTP server as a "dropbox" for uploading? No untrusted shell accounts on the machine in question. As most who try to provide drop boxes discover, warez d00dz quickly find them and manage to fill them up with bit strings that, according to some, are worth billions of dollars each and every year. They do this by the mechanism of creating a directory that is owned by "ftp," with which and in they can play their little games at will. The intention is, by enforcing suiddir, the directories and files they create won't be listable, thus removing much of the raison d'etre for their creation. Of course, the "filler" will still be able to write, fill up the disk, etc. but the hordes who follow after will be dissuaded and not consume all your mbufs with their requests. Anybody done this? Results over time? Yes, it is a form of STO easily defeated by miscreants keeping a directory of uploaded files and sharing it with customers. But, in practice, is it worthwhile to do? Any insight would be appreciated, Glen Foster <gfoster@gfoster.com> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15138.23131.648658.477266>