Bugtraq mailing list archives
Re: ftpd: the advisory version
From: espel () IAGORA NET (Roger Espel Llima)
Date: Wed, 28 Jun 2000 11:35:21 +0200
Jim Knoble <jmknoble () PINT-STOWP CX> wrote:
D.J. Bernstein's 'publicfile' anonymous FTP server + HTTP server does exactly this, as well as chrooting to a restricted area. It's here:

http://cr.yp.to/publicfile.html

If all you need is anonymous FTP, it works fine (for user FTP, consider ssh/scp as a replacement).
I'll also point out that OpenBSD's ftpd (which supports many security options, including an anon-only mode) has been ported to Linux. The port adds optional support for PAM, on-the-fly compression, and an internal 'ls'. I've installed it on some servers; it's simple and works well. The FreshMeat entry is at

http://freshmeat.net/appindex/1999/10/09/939509389.html

<rant mode on>

Don't you guys get tired of seeing how it's always the same apps that have the most security holes? Wu-FTPd, Netscape Communicator, BIND, Lynx, and a few others, seem to concentrate a fairly large part of the Unix side of Bugtraq. (And I won't even mention MS's "active internet scripting and downloading" mess).

Hell, Sendmail was once a rat's nest of security holes, and they seem to mostly have cleaned up their act. Why can't other software maintainers do the same, and audit their stuff?

And if they don't, why don't we all get more active about looking for, contributing to, and using alternatives? It happened with Sendmail -- many of us are using Postfix or Qmail nowadays. After this latest bug, I've written off WuFTPd from my toolkit, at least until it goes two years without a serious hole.

<rant mode off>

--
Roger Espel Llima, espel () iagora net
http://www.iagora.com/~espel/index.html