Bug 30690

Summary: Bad advice in ftpd man page
Product: Base System Reporter: Alan Batie <alan>
Component: miscAssignee: Mike Heffner <mikeh>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.3-STABLE   
Hardware: Any   
OS: Any   

Description Alan Batie 2001-09-20 17:35:39 UTC 
>Number:         30690
>Category:       misc
>Synopsis:       Bad advice in ftpd man page
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 20 09:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Alan Batie
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
RainDrop Laboratories
>Environment:
System: FreeBSD agora.rdrop.com 4.3-STABLE FreeBSD 4.3-STABLE #3: Wed Sep 5 13:36:38 PDT 2001 root@aggie.rdrop.com:/usr/src/freebsd/sys/compile/AGORA i386


>Description:
	The ftpd man page, in the section on setting up an anonymous
	ftp server, recommends setting ~ftp/pub world writable.  This
	is a good way to end up with a disk full of warez:

	    ~ftp/pub  Make this directory mode 777 and owned by ``ftp''.
                      Guests can then place files which are to be accessible
                      via the anonymous account in this directory.

>How-To-Repeat:
	
>Fix:

        Change to read (or something similar):

	    ~ftp/pub  Make this directory mode 755 and owned by ``ftp''.
		      Place the files you want to share in here with
		      mode 644.  If you want local users to be able to
		      publish files here, create subdirectories for them,
		      owned by their account and group and mode 755.
		      Be sure to warn them not to make anything writeable 
		      by "world", or your disk will end up getting filled
		      with "warez" (illegal copies of software).
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Comment 1 Alan Batie 2001-09-20 17:40:01 UTC 
	The ftpd man page, in the section on setting up an anonymous
	ftp server, recommends setting ~ftp/pub world writable.  This
	is a good way to end up with a disk full of warez:

	    ~ftp/pub  Make this directory mode 777 and owned by ``ftp''.
                      Guests can then place files which are to be accessible
                      via the anonymous account in this directory.

Fix: 

Change to read (or something similar):

	    ~ftp/pub  Make this directory mode 755 and owned by ``ftp''.
		      Place the files you want to share in here with
		      mode 644.  If you want local users to be able to
		      publish files here, create subdirectories for them,
		      owned by their account and group and mode 755.
		      Be sure to warn them not to make anything writeable 
		      by "world", or your disk will end up getting filled
		      with "warez" (illegal copies of software).
Comment 2 mheffner 2001-09-23 03:31:50 UTC 
On 20-Sep-2001 Alan Batie wrote:
| 
| 
|         Change to read (or something similar):
| 
|           ~ftp/pub  Make this directory mode 755 and owned by ``ftp''.
|                     Place the files you want to share in here with
|                     mode 644.  If you want local users to be able to
|                     publish files here, create subdirectories for them,
|                     owned by their account and group and mode 755.
|                     Be sure to warn them not to make anything writeable 
|                     by "world", or your disk will end up getting filled
|                     with "warez" (illegal copies of software).

How about the following? (stolen from the lukemftpd manpage)

           ~ftp/pub   This directory and the subdirectories beneath it
                      should be owned by the users and groups responsible
                      for placing files in them, and be writable only by
                      them (mode 755 or 775).  They should not be owned or
                      writable by ftp or its group.


Mike

-- 
  Mike Heffner     <mheffner@[acm.]vt.edu>
  Blacksburg, VA       <mikeh@FreeBSD.org>
Comment 3 Mike Heffner freebsd_committer freebsd_triage 2001-09-25 03:48:29 UTC 
State Changed
From-To: open->analyzed

Committed to current.
Comment 4 Mike Heffner freebsd_committer freebsd_triage 2001-09-25 03:48:29 UTC 
Responsible Changed
From-To: freebsd-bugs->mikeh

MFC reminder.
Comment 5 Mike Heffner freebsd_committer freebsd_triage 2001-10-15 20:38:26 UTC 
State Changed
From-To: analyzed->closed

Fix MFC'd.