Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1994_3

Bugtraq archives for 3rd quarter (Jul-Sep) 1994: Re: Bad Advise

Re: Bad Advise

Chris Ellwood (cellwoodgauss.ELEE.CalPoly.EDU)
Mon, 25 Jul 94 23:51:47 PDT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Harold van Aalderen: "Re: Bad Advise"
Previous message: smbresearch.att.com: "Re: Bad Advise"
In reply to: Christopher Klaus: "Bad Advise"
Next in thread: Harold van Aalderen: "Re: Bad Advise"

Christopher Klaus said...
> Here is some advise from Sun that I highly recommend you DO NOT DO.
> 
> If you look at the MAN page for ftpd, you will see the following 
> advise: 
> 
>      the following rules are recommended. 
>      ~ftp)
>           Make the home directory owned by ``ftp'' and unwritable
>           by anyone. 
> 
> I highly recommend you change that to owned by ``root''.  If anyone can log
> in as ftp, there is nothing to stop them from doing SITE CHMOD 777 to the
> main directory and putting .rhosts or .forward there allowing instant
> access. 

The man pages for many several versions of Ultrix, NeXT-Mach, and a few
other OS's give the same advise.  I think it may be from a standard BSD
mag page source.  While the Ultrix default ftpd doesn't support site
commands, the NeXT-Mach ftpd does, and having the ftp directory owned 
by ftp is rather foolish in any case.

- Chris Ellwood <cellwoodgauss.calpoly.edu>
EL/EE Dept. System Administrator - Cal Poly, San Luis Obispo

Next message: Harold van Aalderen: "Re: Bad Advise"
Previous message: smbresearch.att.com: "Re: Bad Advise"
In reply to: Christopher Klaus: "Bad Advise"
Next in thread: Harold van Aalderen: "Re: Bad Advise"