Bugtraq mailing list archives

Re: Bad Advise


From: shipley () merde dis org (Evil Pete)
Date: Tue, 26 Jul 1994 16:01:14 -0700


Christopher W. Klaus wrote:

% Here is some advice from Sun that I highly recommend you DO NOT DO.
% 
%           Make the home directory owned by ``ftp'' and unwritable
%           by anyone. 
% 
% I highly recommend you change that to owned by ``root''.  

I was thinking about ownership of the whole ftp-tree by user `nobody'. Are
there any benefits to using `root' instead of `nobody'?


Personally, I have a dedicated ftp server that mounts the /ftp partition
via TCP NFS as a read-only partition.  (I only use TCP NFS because it is
more resistant to UDP NFS attacks.)

For those with Suns, I suppose you can use the loopback filesystem: loopback
mount the filesystem read-only, then set that read-only mount as the chroot
for ftp.


for example:
    passwd:
        ftp:*:12:11:FTP User Uid:/ftp:/no exist
    fstab:
        /dev/sd3d       /home/ftp       4.2     rw,nosuid       1 3
        /home/ftp       /ftp            lofs    ro,nosuid,noquota       0 0

Thus people who ftp in will not be able to do anything to the partition,
and yet users can add/delete/modify files.


WARNING:  lofs has a security bug in SunOS 4.0.3 (fixed in 4.1 and higher)
        that allowed root to delete any file even if the filesystem was
        mounted readonly.
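One way to check that an ftp chroot actually sits on a read-only, nosuid mount and that the ftp account itself cannot log in, which is what the passwd and fstab entries above are meant to guarantee. This is an added example, not the poster's script: the fstab and passwd contents are constructed sample input modelled on the entries in the post, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an anonymous-ftp setup
# in which the chroot is a read-only loopback mount of a writable partition.
# SAMPLE_FSTAB and SAMPLE_PASSWD are constructed input, modelled on the
# entries in the post, so the script runs offline.

SAMPLE_FSTAB='/dev/sd3d       /home/ftp       4.2     rw,nosuid       1 3
/home/ftp       /ftp            lofs    ro,nosuid,noquota       0 0'

SAMPLE_PASSWD='root:*:0:0:Operator:/:/bin/csh
ftp:*:12:11:FTP User Uid:/ftp:/no exist'

# mount_opts FSTAB MOUNTPOINT
# Prints the option field of the fstab entry whose mount point is exactly
# MOUNTPOINT; prints nothing if there is no such entry.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt OPTS NAME
# Succeeds if the comma-separated option list OPTS contains NAME as a
# whole option (so "ro" does not match "rw" or "noro").
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# check_ftp_mount FSTAB MOUNTPOINT
# Prints "ok" when the entry for MOUNTPOINT carries both ro and nosuid,
# "no-entry" when MOUNTPOINT is not in the fstab at all, or
# "missing:<opts>" listing the hardening options that are absent.
# Exit status is 0 only for "ok".
check_ftp_mount() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "no-entry"; return 1; }
    missing=""
    has_opt "$opts" ro     || missing="${missing:+$missing,}ro"
    has_opt "$opts" nosuid || missing="${missing:+$missing,}nosuid"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# ftp_home PASSWD
# Prints the home directory of the "ftp" account; that is the path the
# ftp daemon chroots to, so it is the mount point we must audit.
ftp_home() {
    printf '%s\n' "$1" | awk -F: '$1 == "ftp" { print $6; exit }'
}

# ftp_account_locked PASSWD
# Succeeds if the ftp account's password field is "*", i.e. no password
# can ever match and the account cannot be used for an ordinary login.
ftp_account_locked() {
    pw=$(printf '%s\n' "$1" | awk -F: '$1 == "ftp" { print $2; exit }')
    [ "$pw" = "*" ]
}

# Stand-alone demonstration: audit the chroot and the underlying rw mount.
home=$(ftp_home "$SAMPLE_PASSWD")
echo "ftp chroot $home: $(check_ftp_mount "$SAMPLE_FSTAB" "$home")"
echo "backing fs /home/ftp: $(check_ftp_mount "$SAMPLE_FSTAB" /home/ftp)"
if ftp_account_locked "$SAMPLE_PASSWD"; then
    echo "ftp account: locked"
else
    echo "ftp account: NOT locked"
fi
```

Run against a real system, replace the two SAMPLE_ variables with the contents of /etc/fstab and /etc/passwd (or `getent passwd ftp`). The "missing:ro" result for /home/ftp is expected in this layout: the writable partition is where local users maintain the archive, and only the loopback view at /ftp, which the daemon chroots into, needs to be read-only.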


