Bugtraq mailing list archives

Re: ftpd: the advisory version


From: diz () CAFES NET (Mike Eldridge)
Date: Thu, 29 Jun 2000 14:25:34 -0500


On Tue, 27 Jun 2000, Olaf Kirch wrote:
>  * The publicfile FTP server uses local ports above 1024 for PORT connections.
>
> I.e. publicfile is able to drop root privs because it stops using port 20
> when creating data connections in response to a PORT command. It's
> against the spec but works with most clients.

Against spec, it may be, but in my opinion, it makes more sense.

If you ask me, active ftp data transfers are dumb.  Maybe that's because
all of my computers at home are behind a masquerading firewall, but still. ;)

It would seem to me that the way it should have been done was a bind to
port 21 as root, then the control connection should drop root privileges
by setuid() to the incoming user. FTP data transfers should be passive by
default, binding to some unused random port above 1024.

We use ncftpd for our ftp server.  It chroot()s to the user's home
directory and also setuid()s to the user.  Simple security precautions can
go a long way.

All daemons that run as root that take input of any kind will have some
possibility of exploit as it's almost impossible to cover all possible
holes.  That would just take entirely too long. :)

So, I think the lesson learned here is, whenever possible, use chroot()
and/or setuid() to avoid remote root exploits.

Mike Eldridge
System Administrator
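The sequence the post argues for (bind the privileged control port as root, chroot() to the user's directory, setuid() to the user, then open passive data sockets on unprivileged ports) as an added example in C. It is not from the original message or from publicfile or ncftpd; it binds only to the loopback address, and root_dir, uid and gid are caller-supplied values.

```c
#define _DEFAULT_SOURCE 1
#include <sys/socket.h>
#include <netinet/in.h>
#include <grp.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Open a listening TCP socket on the loopback address. Called with port 21
 * while still root for the control connection; called with port 0 after the
 * privilege drop so the kernel picks an unused port above 1024 for PASV. */
int bind_listen_port(uint16_t port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the kernel actually assigned; this is what goes into the PASV reply. */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Confine to root_dir and drop to uid/gid. Order matters: chroot() needs
 * root, so it runs first; supplementary groups and the gid go before the
 * uid, because after setuid() nothing is left to change them with. A NULL
 * root_dir skips the chroot (lets the routine run unprivileged in tests). */
int drop_privileges(const char *root_dir, uid_t uid, gid_t gid)
{
    if (root_dir && (chroot(root_dir) < 0 || chdir("/") < 0)) return -1;
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* The drop must be irreversible: regaining root has to fail now. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid)) return -1;
    return 0;
}
```

In a real server the control socket is opened with port 21 before drop_privileges() and the data socket with port 0 afterwards; drop_privileges() returning -1 must abort, never continue as root.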

