Bugtraq mailing list archives

Re: Bad Advise


From: cklaus () shadow net (Christopher Klaus)
Date: Tue, 26 Jul 94 10:45:58 EDT


       Here is some advice from Sun that I highly recommend you DO NOT DO.

       If you look at the MAN page for ftpd, you will see the following
       advice:

            the following rules are recommended. 
            ~ftp)
                 Make the home directory owned by ``ftp'' and unwritable
                 by anyone. 

       I highly recommend you change that to owned by ``root''.  If anyone can log
       in as ftp, there is nothing to stop them from doing SITE CHMOD 777 to the
       main directory and putting .rhosts or .forward there allowing instant
       access. 

Of course, Sun's ftpd doesn't support chmod.  Not that that excuses their
advice, but it's not *quite* as bad...  (I'm talking about 4.1.x, for some
values of x.)


I thought it should be brought to attention because a few people were asking
why I suggested ~ftp to be owned by someone other than ftp, which they said
was clearly stated by the MAN pages to be owned by ftp.  Not only that, many
big ftp sites I have seen had ~ftp owned by ftp and the SITE CHMOD command
implemented as well.

Either way, I just thought it might be good to raise the awareness level
of setting up a secure anonymous ftp site.

Chris

-- 
Christopher William Klaus  <cklaus () shadow net>  <iss () shadow net>
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive,              Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)998-5871.
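An audit script a defender can run against an anonymous ftp root to check the three points raised in this thread: the directory is owned by root rather than ftp, it is not writable by anyone but its owner (so a SITE CHMOD or stray chmod cannot open it up), and no .rhosts or .forward has been dropped into it. This is an added example, not code from the original post, from Sun, or from ISS; it assumes a POSIX sh with ls, awk and cut, and the path /home/ftp in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: audit an anonymous ftp root
# against the advice in the thread -- ~ftp owned by root, not writable by
# anyone but its owner, and no .rhosts or .forward dropped inside it.
# Assumes a POSIX sh with ls, awk and cut; the ftp root path is an argument.

# Print the owner of a path, parsed from ls -ld (works where stat's flags differ).
path_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# Return 0 if DIR ($1) is owned by USER ($2, normally root), else 1.
ftp_home_owned_by() {
    [ "$(path_owner "$1")" = "$2" ]
}

# Return 0 if DIR ($1) carries neither group- nor other-write permission, else 1.
# The mode string from ls -ld is "drwxrwxrwx": group w is column 6, other w is column 9.
ftp_home_not_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Return 0 if neither .rhosts nor .forward exists directly under DIR ($1), else 1.
ftp_home_no_dotfiles() {
    for f in .rhosts .forward; do
        [ -e "$1/$f" ] && return 1
    done
    return 0
}

# Run all three checks on DIR ($1) expecting owner $2 (default root);
# print one FAIL line per finding and return the number of findings.
audit_ftp_home() {
    dir=$1
    want=${2:-root}
    findings=0
    if ! ftp_home_owned_by "$dir" "$want"; then
        echo "FAIL: $dir is owned by '$(path_owner "$dir")', expected '$want'"
        findings=$((findings + 1))
    fi
    if ! ftp_home_not_writable "$dir"; then
        echo "FAIL: $dir is group- or world-writable; a client could drop files in it"
        findings=$((findings + 1))
    fi
    if ! ftp_home_no_dotfiles "$dir"; then
        echo "FAIL: $dir contains .rhosts or .forward"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: $dir passes all checks"
    return "$findings"
}

# Usage: sh ftp_home_audit.sh /home/ftp    (the path is a placeholder)
if [ "$#" -gt 0 ]; then
    audit_ftp_home "$@"
fi
```

The exit status equals the number of findings, so the script can sit in a cron job or a post-install check and fail loudly when the ftp root drifts from the recommended layout. The ownership check takes the expected owner as a parameter so the same function can be reused for other service homes that should not be owned by their daemon account.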
