Bugtraq mailing list archives

Re: Bad Advise

From: smb () research att com (smb () research att com)
Date: Tue, 26 Jul 94 00:28:37 EDT


         
         Here is some advise from Sun that I highly recommend you DO NOT DO.

         If you look at the MAN page for ftpd, you will see the following 
         advise: 

              the following rules are recommended. 
              ~ftp)
                   Make the home directory owned by ``ftp'' and unwritable
                   by anyone. 

         I highly recommend you change that to owned by ``root''.  If anyone can lo
        g
         in as ftp, there is nothing to stop them from doing SITE CHMOD 777 to the
         main directory and putting .rhosts or .forward there allowing instant
         access. 

         With advise like that, who needs trojans? 

Of course, Sun's ftpd doesn't support chmod.  Not that that excuses their
advice, but it's not *quite* as bad...  (I'm talking about 4.1.x, for some
values of x.)

Current thread:

coredumps on setuid programs. ddzehr () telecom ksu edu (Jul 22)
- Re: coredumps on setuid programs. George Boyce (Jul 22)
  - Bad Advise Christopher Klaus (Jul 24)
    - Re: Bad Advise smb () research att com (Jul 25)
    - Re: Bad Advise Christopher Klaus (Jul 26)
    - Re: Bad Advise Chris Ellwood (Jul 25)
    - Re: Bad Advise G.J.W. Hagenaars (Jul 26)
    - Re: Bad Advise Mark Moraes (Jul 26)
    - Re: Bad Advise Philip Yzarn de Louraille (Jul 27)
    - Re: Bad Advise jim () Tadpole COM (Jul 26)
    - Re: Re: Bad Advise Pete Hartman (Jul 26)
    - Re: Bad Advise Evil Pete (Jul 26)
    - Re: Bad Advise David Lawrence Oppenheimer (Jul 26)
    - Re: Bad Advise Harold van Aalderen (Jul 26)

(Thread continues...)