- Newsgroups: comp.security.misc
- Path: sparky!uunet!mcsun!sunic!aun.uninett.no!ugle.unit.no!flipper.pvv.unit.no!agulbra
- From: agulbra@flipper.pvv.unit.no (Arnt Gulbrandsen)
- Subject: Re: anonymous FTP checklist
- Message-ID: <1992Nov22.021756.25285@ugle.unit.no>
- Sender: news@ugle.unit.no (NetNews Administrator)
- Organization: ProgramVareVerkstedet - UNIT
- References: <francis.722155745@monod> <drector.722195714@math.uci.edu>
- Date: Sun, 22 Nov 92 02:17:56 GMT
- Lines: 27

In article <drector.722195714@math.uci.edu> drector@math.uci.edu (David Rector) writes:
...
>If you find it necessary to have an "incoming" directory, that is a
>directory with write privileges, be sure to check it regularly for
>unwanted material, or you might find yourself playing host to an
>unwanted---or even illegal---bulletin board. A favorite trick of
>bb creators is to hide their files from the ls command by prefixing the
>file names with periods or other unprintable characters. Use the
>-a option to ls, or use du, to search for unwanted files.
>
>I need hardly add that I am a recent victim of this scam. I forgot
>about the -a option.

I, too, once had 100 FTP logins in 24 hours... my advice is to patch
the ftp daemon so files uploaded by guests have to be chown'd or cp'd
before they can be downloaded by guests.

The change is easy enough: you insert something like this immediately
after the check for special files (search for 'plain file' in ftpd.c):
    if (guest) {
        struct passwd *pw = getpwnam("ftp");    /* NULL if there is no "ftp" account */
        /* still owned by the anonymous-ftp uid: uploaded by a guest, not yet chown'd/cp'd */
        if (pw != NULL && st.st_uid == pw->pw_uid) {
            reply(550, "%s: not retrievable by guests.", name);
            goto done;
        }
    }
This may not be perfect C (I typed it from memory), but you get the
drift.

--Arnt

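As an added example that is not part of the post or of any ftpd source, the same retrieval rule as Arnt's patch, together with the incoming-directory audit David describes (names hidden from a plain ls, files still owned by the anonymous-ftp uid), written as stand-alone C. The function names and the directory layout it is run against are assumptions; the uid to compare against is passed in rather than looked up, so it can be exercised without an "ftp" account.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The rule from the ftpd patch: a guest may not RETR a file still owned by
 * the anonymous-ftp uid, i.e. one uploaded by a guest and not yet chown'd
 * or cp'd by the administrator. Non-guest logins are unrestricted. */
int guest_may_retrieve(int guest, const struct stat *st, uid_t ftp_uid)
{
    return !guest || st->st_uid != ftp_uid;
}

/* A name that plain "ls" does not show: leading dot, or any byte that is
 * not a printable character (the hiding trick quoted above). */
int name_is_hidden(const char *name)
{
    const unsigned char *p = (const unsigned char *)name;
    if (*p == '.') return 1;
    for (; *p; p++)
        if (!isprint(*p)) return 1;
    return 0;
}

/* Audit an incoming directory: count names "ls" would hide and plain files
 * still owned by ftp_uid (uploaded, not yet released). Returns the total
 * number of findings, or -1 if the directory cannot be opened. */
int audit_incoming(const char *dir, uid_t ftp_uid, int *hidden, int *unreleased)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    struct stat st;
    char path[4096];
    if (d == NULL) return -1;
    *hidden = *unreleased = 0;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0) continue;
        if (name_is_hidden(e->d_name)) (*hidden)++;
        if (S_ISREG(st.st_mode) && !guest_may_retrieve(1, &st, ftp_uid)) (*unreleased)++;
    }
    closedir(d);
    return *hidden + *unreleased;
}
```

Run audit_incoming against the incoming directory with the uid of the "ftp" account (from getpwnam) to get both counts; a non-zero hidden count is the signal David's ls -a would have given.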