Bugtraq mailing list archives
Re: Bad Advise
From: cellwood () gauss ELEE CalPoly EDU (Chris Ellwood)
Date: Mon, 25 Jul 94 23:51:47 PDT
Christopher Klaus said...
Here is some advice from Sun that I highly recommend you DO NOT DO. If you look at the MAN page for ftpd, you will see the following advice:

the following rules are recommended. ~ftp) Make the home directory owned by ``ftp'' and unwritable by anyone.

I highly recommend you change that to owned by ``root''. If anyone can log in as ftp, there is nothing to stop them from doing SITE CHMOD 777 to the main directory and putting .rhosts or .forward there allowing instant access.
The man pages for several versions of Ultrix, NeXT-Mach, and a few other OS's give the same advice. I think it may be from a standard BSD man page source. While the Ultrix default ftpd doesn't support site commands, the NeXT-Mach ftpd does, and having the ftp directory owned by ftp is rather foolish in any case.

- Chris Ellwood <cellwood () gauss calpoly edu>
EL/EE Dept. System Administrator - Cal Poly, San Luis Obispo
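As an added example (not part of the original post or of any vendor's tooling), here is a small POSIX shell check for the conditions this thread discusses: ~ftp owned by the ftp account, ~ftp writable, or a .rhosts or .forward already present in it. The function name, its uid arguments and the temporary demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP home directory. Uses only ls, awk, id.

# audit_ftp_home DIR FTP_UID [WANT_UID]
#   DIR       the ftp account's home directory (~ftp)
#   FTP_UID   numeric uid of the ftp account
#   WANT_UID  numeric uid that should own DIR (default 0, i.e. root)
# Prints one line per finding; returns 0 if clean, 1 if anything was found.
audit_ftp_home() {
    dir=$1 ftp_uid=$2 want_uid=${3:-0} bad=0
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory"; return 2; }

    # "ls -ldn" gives the mode string and the numeric owner portably.
    mode=$(ls -ldn "$dir" | awk 'NR==1 {print $1}')
    uid=$(ls -ldn "$dir" | awk 'NR==1 {print $3}')

    if [ "$uid" = "$ftp_uid" ]; then
        # The owner can always chmod the directory, whatever its current mode.
        echo "FAIL: $dir is owned by the ftp account (uid $uid)"; bad=1
    elif [ "$uid" != "$want_uid" ]; then
        echo "WARN: $dir is owned by uid $uid, expected uid $want_uid"; bad=1
    fi

    # Characters 3, 6 and 9 of the mode string are the owner/group/other w bits.
    case $mode in
        ??w*|?????w*|????????w*)
            echo "FAIL: $dir is writable (mode $mode)"; bad=1 ;;
    esac

    for f in .rhosts .forward; do
        if [ -e "$dir/$f" ] || [ -L "$dir/$f" ]; then
            echo "FAIL: $dir/$f exists"; bad=1
        fi
    done
    return $bad
}

# Constructed demo: a scratch directory stands in for ~ftp, and the current
# uid stands in for the ftp account. Mode 555 alone does not make it pass.
demo=$(mktemp -d)
: > "$demo/.rhosts"
chmod 555 "$demo"
audit_ftp_home "$demo" "$(id -u)" || true
chmod 755 "$demo"; rm -rf "$demo"
```

On a real host, pass the ftp account's home directory and numeric uid, and leave the third argument at its default so that anything other than root ownership is reported.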