Re: configuring ftpd for upload

[Alex de Joode <usura@zedz.net>]

On Fri, Sep 01, 2000 at 04:43:28AM -0400, Clay Dowling wrote:
> First, make sure you've patched ftpd.  There was a potential exploit
> against ftpd as it shipped on the 2.7 cd.  The patch is available from the
> OpenBSD web site.
> 
> Next, create a user named ftp.  The user's home directory will be the root
> of the anonymous ftp tree.  Make a pub directory with appropriate
> permissions (550 or 555 seem reasonable; I used 555).  Make an
> incoming directory also with appropriate permissions.  I used 731, so that
> files could be uploaded but not seen or damaged.  The directories are
> owned by root and belong to the ftp group.

This might leave you open to becoming a warez server; anyone who
knows the exact name of the uploaded file can retrieve it ..
 
> Before taking this advice, read the man page again; I figured out how to
> set all of this up from the man page.  Also evaluate those directory
> permissions and make sure you can't see any security holes from them.
> I enjoy UNIX administration, but I can't claim to be brilliant at it.  I'm
> sure that somebody on this list can point out large holes in my setup.
> 
> Clay
> 
> 
> On Fri, 1 Sep 2000, [iso-8859-1] Saâd KADHI wrote:
> 
> > I'm sorry if this seems a silly question but I'm trying to configure an
> > OpenBSD 2.7 box for Anonymous FTP. I want my anonymous users to be able
> > to:
> > -retrieve files from the pub directory
> > -store files on upload directory without being able to delete the
> > directory or delete previously stored files
> 
> 
> 

-- 
Exit! Stage Left!