Bugtraq archives for 3rd quarter (Jul-Sep) 1994: Re: Bad Advise

Re: Bad Advise

Chris Ellwood (cellwood@gauss.ELEE.CalPoly.EDU)
Mon, 25 Jul 94 23:51:47 PDT

Christopher Klaus said...
> Here is some advice from Sun that I highly recommend you DO NOT follow.
> 
> If you look at the MAN page for ftpd, you will see the following 
> advice: 
> 
>      the following rules are recommended. 
>      ~ftp)
>           Make the home directory owned by ``ftp'' and unwritable
>           by anyone. 
> 
> I highly recommend you change that to owned by ``root''.  If anyone can log
> in as ftp, there is nothing to stop them from doing SITE CHMOD 777 to the
> main directory and putting .rhosts or .forward there allowing instant
> access. 

The man pages for several versions of Ultrix, NeXT-Mach, and a few
other OS's give the same advice.  I think it may be from a standard BSD
man page source.  While the Ultrix default ftpd doesn't support SITE
commands, the NeXT-Mach ftpd does, and having the ftp directory owned 
by ftp is rather foolish in any case.

- Chris Ellwood <cellwood@gauss.calpoly.edu>
EL/EE Dept. System Administrator - Cal Poly, San Luis Obispo
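The weakness discussed in the thread is a configuration one: an anonymous FTP home directory owned by the ftp account can be re-permissioned by an anonymous user with SITE CHMOD, after which .rhosts or .forward can be dropped into it. The shell function below is an added example (not part of the original message or of any vendor's ftpd) that audits a directory for exactly those conditions: ownership by root (or a caller-supplied owner), no group/other write bits, and none of the dotfiles named in the thread. It relies only on POSIX `ls -ld`, `cut` and `printf`; the directory names and the sample run are constructed for illustration.

```shell
#!/bin/sh
# Audit an anonymous-FTP home directory (~ftp) for the problem described
# in the thread: if ~ftp is owned by "ftp", an anonymous login can
# SITE CHMOD it and plant ~ftp/.rhosts or ~ftp/.forward.
# Added example, not code from the original post.
#
# Usage: audit_ftp_home DIR [EXPECTED_OWNER]
#   returns 0 if DIR is owned by EXPECTED_OWNER (default: root), is not
#   writable by group or others, and contains no .rhosts/.forward;
#   prints each finding and returns 1 otherwise; returns 2 if DIR is
#   not a directory.

audit_ftp_home() {
    dir=$1
    want_owner=${2:-root}
    rc=0

    [ -d "$dir" ] || { echo "ERROR: no such directory: $dir"; return 2; }

    # `ls -ld` is portable across old Unixes; with LC_ALL=C field 1 is
    # the mode string (e.g. drwxr-xr-x) and field 3 the owner name.
    set -- $(LC_ALL=C ls -ld "$dir")
    mode=$1
    owner=$3

    # Klaus's point: the directory must not be owned by the account
    # that logs in over FTP, or that account can chmod it at will.
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $dir owned by '$owner', expected '$want_owner'"
        rc=1
    fi

    # Positions 6 and 9 of the mode string are the group and other
    # write bits:  d rwx r-x r-x  ->  1 234 567 890
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "FAIL: $dir is writable by group or others ($mode)"
        rc=1
    fi

    # Files that grant "instant access" if an attacker can create them.
    for f in .rhosts .forward; do
        if [ -e "$dir/$f" ]; then
            echo "FAIL: unexpected file $dir/$f"
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir is owned by $want_owner, mode $mode, no login dotfiles"
    fi
    return "$rc"
}

# Constructed sample run (paths are hypothetical): audit the usual
# location with the default expected owner.
# audit_ftp_home /home/ftp
```

If the audit reports a FAIL, the fix the thread recommends is to make root the owner and remove all write bits (as root: `chown root ~ftp; chmod 555 ~ftp`), then delete any .rhosts or .forward found there. The function cannot reproduce the SITE CHMOD step itself, which needs a running ftpd; it only checks whether the directory would be vulnerable to it.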