Bugtraq
mailing list archives
Re: Bad Advise
From: harold () sara nl (Harold van Aalderen)
Date: Tue, 26 Jul 1994 14:30:08 +0200
In message <199407242039.QAA17499 () shadow net> you write:
> Here is some advice from Sun that I highly recommend you DO NOT DO.
> If you look at the MAN page for ftpd, you will see the following
> advice:
> the following rules are recommended.
> ~ftp)
> Make the home directory owned by ``ftp'' and unwritable
> by anyone.
I haven't seen a system yet where this is _NOT_ in the manpage of ftpd.
I guess it was in the original BSD manpage and nobody ever bothers
to update it.
AIX all versions, IRIX all versions, UNICOS and as mentioned SunOS
all state that ~ftp should be owned by user ftp and mode 555. Some of
these systems do allow the SITE CHMOD command.
The first aftp-server I installed this way was hacked within 24 hours.
I informed CERT-NL (Dutch version of CERT) and got the reply that I should
follow the CERT recommendations about setting up anonymous ftp.
Harold van Aalderen |email: harold () sara nl
system programmer/site security contact |
SARA (Academic Computing Services Amsterdam) |phone: +31 20 5923000
PO Box 94613 1090 GP Amsterdam The Netherlands|fax : +31 20 6683167
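
The ownership problem described in the message above, as a check an administrator can run against an anonymous-FTP tree. This is an added example, not part of the original post; the function names, the default account name `ftp`, and the policy of flagging any entry owned by that account or writable by group/other are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP tree for the problem in this thread.
# Assumed policy: nothing in the tree is owned by the FTP account (an owner
# can chmod its own directory no matter what mode it has now) and nothing is
# writable by group or other.

# check_entry PATH ACCOUNT: print findings for one entry, return 1 if any.
check_entry() {
    path=$1; account=$2; found=0
    # ls -ld prints the mode string in field 1 and the owner in field 3.
    info=$(ls -ld "$path" | awk 'NR == 1 { print $1, $3 }')
    mode=${info% *}; owner=${info#* }
    if [ "$owner" = "$account" ]; then
        echo "OWNER $path ($mode) is owned by $account, who can chmod it"
        found=1
    fi
    case $mode in
        ?????w*|????????w*)   # group-write or other-write bit set
            echo "WRITE $path ($mode) is writable by group or other"
            found=1 ;;
    esac
    return $found
}

# audit_ftp_home DIR [ACCOUNT]: check DIR and its immediate (non-hidden) children.
audit_ftp_home() {
    home=$1; account=${2:-ftp}; rc=0
    for entry in "$home" "$home"/*; do
        [ -e "$entry" ] || continue
        check_entry "$entry" "$account" || rc=1
    done
    return $rc
}

# Constructed demo: a scratch tree set up the way the man page says (mode 555,
# owned by the account), using whoever runs the script as the stand-in account.
demo=$(mktemp -d)
mkdir "$demo/pub"
chmod 555 "$demo" "$demo/pub"
stand_in=$(ls -ld "$demo" | awk '{ print $3 }')
audit_ftp_home "$demo" "$stand_in" || echo "audit failed: see findings above"
chmod 755 "$demo" "$demo/pub"
rm -rf "$demo"
```

On a real server, call `audit_ftp_home` with the actual anonymous-FTP home directory and account name; a mode-555 tree still fails the audit when the account owns it.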