Bugtraq mailing list archives

Re: ftpd: the advisory version


From: Valdis.Kletnieks () VT EDU (Valdis Kletnieks)
Date: Fri, 30 Jun 2000 17:25:09 -0400


On Thu, 29 Jun 2000 14:25:34 CDT, Mike Eldridge <diz () CAFES NET> said:
> It would seem to me that the way it should have been done was a bind to
> port 21 as root, then the control connection should drop root privileges
> by setuid() to the incoming user. FTP data transfers should be passive by
> default, binding to some unused random port above 1024.

Remember that FTP predates Unix.  The port-1024 thing came along a LOT later
than FTP did.  By the time the guys at Berkeley were doing their coding,
we were basically stuck with the 20/21.  You might want to ask on the IETF
list if anybody remembers the reason it was done that way (quite possibly
a Multics or TOPS-20 issue ;)

--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
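
The design proposed in the quoted message (bind port 21 as root, drop to the incoming user, serve passive data from an unprivileged port), shown in C as an added example; it is not code from either poster or from any ftpd. The helper names `listen_on` and `drop_to_user` and the uid/gid 1000 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes setgroups() on glibc */
#endif
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a TCP port; port 0 lets the kernel pick an unused
 * ephemeral port. Returns the fd and stores the bound port, or -1. */
int listen_on(unsigned short port, unsigned short *bound)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *bound = ntohs(sa.sin_port);
    return fd;
}

/* Permanently become uid/gid. Order matters: supplementary groups and gid
 * first, uid last, because after setuid() they can no longer be changed. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

int main(void)
{
    unsigned short ctl, data;
    /* uid/gid 1000 is a constructed stand-in for the authenticated user. */
    if (listen_on(21, &ctl) < 0) { perror("bind 21 (needs root)"); return 1; }
    if (drop_to_user(1000, 1000) < 0) { perror("drop privileges"); return 1; }
    if (listen_on(0, &data) < 0) { perror("passive listener"); return 1; }
    printf("control :%u, uid %d, passive data :%u\n", ctl, (int)getuid(), data);
    return 0;
}
```

After the drop, an active-mode data connection sourced from port 20 is no longer possible, which is why the proposal pairs the setuid() with passive transfers.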

