Bugtraq mailing list archives
Re: ftpd: the advisory version
From: Valdis.Kletnieks () VT EDU (Valdis Kletnieks)
Date: Fri, 30 Jun 2000 17:25:09 -0400
On Thu, 29 Jun 2000 14:25:34 CDT, Mike Eldridge <diz () CAFES NET> said:
> It would seem to me that the way it should have been done was a bind to port 21 as root, then the control connection should drop root privileges by setuid() to the incoming user. FTP data transfers should be passive by default, binding to some unused random port above 1024.
Remember that FTP predates Unix. The port-1024 thing came along a LOT later than FTP did. By the time the guys at Berkeley were doing their coding, we were basically stuck with the 20/21. You might want to ask on the IETF list if anybody remembers the reason it was done that way (quite possibly a Multics or TOPS-20 issue ;)
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
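The design described in the quoted message (bind while privileged, drop root with setuid(), take passive data ports above 1024), sketched in C as an added example that is not part of either post. drop_to() and passive_listener() are hypothetical names, and the demo in main() drops to the caller's own IDs so it runs without root.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Order matters: supplementary groups and
 * gid must change while the process is still root. Returns 0 on success. */
int drop_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* Listen on a kernel-chosen port (bind to port 0); needs no privilege.
 * Returns the socket and stores the port for the PASV reply, or -1. */
int passive_listener(unsigned short *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);   /* zeroed: INADDR_ANY, port 0 */
    sa.sin_family = AF_INET;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 ||
        listen(fd, 1) != 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) != 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return fd;
}

int main(void)
{
    unsigned short port = 0;
    /* A real server would bind port 21 here, before dropping root. */
    if (drop_to(getuid(), getgid()) != 0 || passive_listener(&port) < 0) return 1;
    printf("passive data port: %hu\n", port);
    return 0;
}
```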