Subject: Re: ftpd: the advisory version
From: Roger Espel Llima (espelIAGORA.NET)
Date: Wed Jun 28 2000 - 04:35:21 CDT


Jim Knoble <jmknoblePINT-STOWP.CX> wrote:
> D.J. Bernstein's 'publicfile' anonymous FTP server + HTTP server does
> exactly this, as well as chrooting to a restricted area. It's here:
>
> http://cr.yp.to/publicfile.html
>
> If all you need is anonymous FTP, it works fine (for user FTP,
> consider ssh/scp as a replacement).

I'll also point out that OpenBSD's ftpd (which supports many security
options, including an anon-only mode) has been ported to Linux. The
port adds optional support for PAM, on-the-fly compression, and an
internal 'ls'.

I've installed it on some servers; it's simple and works well.

The FreshMeat entry is at
http://freshmeat.net/appindex/1999/10/09/939509389.html

<rant mode on>
Don't you guys get tired of seeing how it's always the same apps that
have the most security holes? Wu-FTPd, Netscape Communicator, BIND,
Lynx, and a few others, seem to concentrate a fairly large part of the
Unix side of Bugtraq. (And I won't even mention MS's "active internet
scripting and downloading" mess).

Hell, Sendmail was once a rat's nest of security holes, and they seem to
mostly have cleaned up their act. Why can't other software maintainers
do the same, and audit their stuff? And if they don't, why don't we all
get more active about looking for, contributing to, and using
alternatives? It happened with Sendmail -- many of us are using Postfix
or Qmail nowadays.

After this latest bug, I've written off WuFTPd from my toolkit, at least
until it goes two years without a serious hole.
<rant mode off>

--
Roger Espel Llima, espeliagora.net
http://www.iagora.com/~espel/index.html