Bugtraq mailing list archives

Re: Bad Advise


From: cellwood () gauss ELEE CalPoly EDU (Chris Ellwood)
Date: Mon, 25 Jul 94 23:51:47 PDT


Christopher Klaus said...
Here is some advice from Sun that I highly recommend you DO NOT DO.

If you look at the MAN page for ftpd, you will see the following
advice:

     the following rules are recommended. 
     ~ftp)
          Make the home directory owned by ``ftp'' and unwritable
          by anyone. 

I highly recommend you change that to owned by ``root''.  If anyone can log
in as ftp, there is nothing to stop them from doing SITE CHMOD 777 to the
main directory and putting .rhosts or .forward there allowing instant
access. 

The man pages for several versions of Ultrix, NeXT-Mach, and a few
other OS's give the same advice.  I think it may be from a standard BSD
man page source.  While the Ultrix default ftpd doesn't support site
commands, the NeXT-Mach ftpd does, and having the ftp directory owned
by ftp is rather foolish in any case.

- Chris Ellwood <cellwood () gauss calpoly edu>
EL/EE Dept. System Administrator - Cal Poly, San Luis Obispo
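As an added example (not part of the original posts), a small Python audit that checks an anonymous-ftp home directory against the recommendation in the thread: owned by root rather than by the ftp account, not writable by group or others, and free of the .rhosts/.forward files an attacker would drop into it. The path and the ftp account's uid are assumptions the caller supplies.

```python
import os
import stat

# Files that grant "instant access" if an attacker can plant them in a
# writable ~ftp (the .rhosts / .forward case described in the post).
DANGEROUS_DOTFILES = (".rhosts", ".forward")


def audit_ftp_home_values(st_uid, st_mode, entries, ftp_uid=None):
    """Pure check over stat()-style values so it can be tested offline.

    st_uid   -- owner uid of ~ftp
    st_mode  -- st_mode bits of ~ftp
    entries  -- names present directly inside ~ftp
    ftp_uid  -- uid of the 'ftp' account, if known (assumption: caller looks it up)
    Returns a list of findings; an empty list means ~ftp matches the
    recommendation (root-owned, not writable by anyone but root, no dotfiles).
    """
    findings = []
    if st_uid != 0:
        if ftp_uid is not None and st_uid == ftp_uid:
            # Owned by ftp means an ftp login can SITE CHMOD it open.
            findings.append("~ftp is owned by the ftp account: SITE CHMOD could open it")
        else:
            findings.append(f"~ftp is owned by uid {st_uid}, not root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("~ftp is writable by group or others (mode %o)" % stat.S_IMODE(st_mode))
    for name in DANGEROUS_DOTFILES:
        if name in entries:
            findings.append(f"{name} present in ~ftp")
    return findings


def audit_ftp_home(path, ftp_uid=None):
    """Run the check against a real directory (path is an assumption, e.g. /home/ftp)."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    return audit_ftp_home_values(st.st_uid, st.st_mode, os.listdir(path), ftp_uid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/ftp"  # assumed default
    for finding in audit_ftp_home(target):
        print("WARN:", finding)
```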


