
Re: configuring ftpd for upload



Hi all,

Thanks for all the replies. Here are some comments:

> On Fri, Sep 01, 2000 at 04:43:28AM -0400, Clay Dowling wrote:
> > First, make sure you've patched ftpd.  There was a potential exploit
> > against ftpd as it shipped on the 2.7 cd.  The patch is available from the
> > OpenBSD web site.
> >
> > Next, create a user named ftp.  The user's home directory will be the root
> > of the anonymous ftp tree.  Make a pub directory with appropriate
> > permissions (550 or 555 seem reasonable; I used 555).  Make an
> > incoming directory also with appropriate permissions.  I used 731, so that
> > files could be uploaded but not seen or damaged.  The directories are
> > owned by root and belong to the ftp group.

I've done this, but I've put the incoming dir in 1731 (731 + sticky bit). I don't know
if this sticky bit is really useful since all connections are done with the
anonymous account. What I'm concerned with is someone being able to delete the
incoming. The ideal would be something like:
- all users can upload something to the incoming directory
- all users might see what's in this directory
- NOBODY can delete what's in this directory apart from root, who might move
  files from incoming to pub.

I thought using chflags with uappnd was smart, but I didn't know that if you
create sub-subdirectories in incoming you can delete them!

> This might leave you open to becoming a warez server; anyone who
> knows the exact name of the uploaded file can retrieve it ..

Correct, but not in my case. This will be an intranet server. The goal of this
server is to allow my coworkers to upload files/docs/service
packs/patches... into the incoming dir. A script will warn the superuser of new
stuff in the incoming dir, after which (s)he will connect and move the files
to the pub dir, into the correct subdir (i386/openbsd/patches ...).

> > Before taking this advice, read the man page again; I figured out how to
> > set all of this up from the man page.  Also evaluate those directory
> > permissions and make sure you can't see any security holes from them.
> > I enjoy UNIX administration, but I can't claim to be brilliant at it.  I'm
> > sure that somebody on this list can point out large holes in my setup.
> >
> > Clay
> >
> >
> > On Fri, 1 Sep 2000, Saâd KADHI wrote:
> >
> > > I'm sorry if this seems a silly question but I'm trying to configure an
> > > OpenBSD 2.7 box for Anonymous FTP. I want my anonymous users to be able
> > > to:
> > > -retrieve files from the pub directory
> > > -store files on upload directory without being able to delete the
> > > directory or delete previously stored files
> >
> >
> >
>
> --
> Exit! Stage Left!

--
Saad KADHI -- Security Engineer
---------------------------------
perl -e 'print ($myself=pack(c2,unpack(c,EOF)-3,(((hex(0x666)/6)-666)/2)-66+4),
pack(c3,((int(exp(666)/10e287)+int(log(666)*2))*2)+10,int(crypt(ski,72)),oct(12)));'