From: Karl Pielorz <kpielorz@tdx.co.uk>
Organization: TDX - The Digital eXchange
Date: Mon, 19 Jul 1999 13:46:24 +0100
To: cpeters2@home.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: anonymous ftp file settings
Message-ID: <37931E20.B5EB8C88@tdx.co.uk>
References: <001601bed1e1$ebf06680$0700a8c0@charles.domain>

"Charles A. Peters" wrote:
>
> I am running an anonymous ftp site, and in the /etc directory (actually the
> /var/ftp/etc directory), there are 4 files, ftpmotd, group, passwd, and
> pwd.db. These files are viewable by all users, and it appears to me that
> there may be a security risk here. Can I delete group, passwd, and pwd.db
> without breaking anything, or more appropriately, what is the best way to
> handle this situation.

Most ftp daemons need access to those files to display the correct group & ownership on files... If you're serving anonymous ftp, you can try deleting them - most ftp daemons default to just displaying the UID / GID as numbers, instead of their text names...

The other way is to create a 'fake' password file and either just put in entries for "ftp" and "ftpadmin" etc. (as needed) - but with fake/wrong (or no) passwords in there (Ditto for the 'group' file).

As it stands, if the ftp directory has a _real_ copy of the password files (not so much the group files - but they're not entirely innocent in their contents) someone could download your password file, and run a cracker through it - hoping to find the passwords contained therein...

As to why they are needed - most ftp daemons chroot to the ftp directory as/when someone logs in. If they've chroot'ed into the ftp area - they can't access /etc/passwd /etc/group etc. anymore :-)

-Kp

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
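The 'fake' passwd/group approach from the reply above, written out as an added example that is not part of the thread: a script that copies only the entries the chroot'ed daemon needs (the thread's "ftp" and "ftpadmin"), forces every password field to "*", and checks the result before it lands in /var/ftp/etc. The sample input, the "operator" group and the helper names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the "fake" passwd/group pair the
# reply suggests for a chroot'ed anonymous FTP area. The daemon can still map
# UIDs/GIDs to names, but every password field is "*", so a downloaded copy
# gives a cracker nothing to work on. Paths and the ftp/ftpadmin names follow
# the thread; the sample input below is constructed, not from any real host.

# Constructed stand-in for a real /etc/passwd; the hashes are placeholders.
SAMPLE_PASSWD='root:$1$FAKEHASH$abc:0:0:Charlie &:/root:/bin/sh
ftp:*:14:5:Anonymous FTP:/var/ftp:/usr/sbin/nologin
ftpadmin:$1$FAKEHASH$def:1001:1001:FTP admin:/home/ftpadmin:/bin/sh
alice:$1$FAKEHASH$ghi:1002:1002:Alice:/home/alice:/bin/sh'

# Constructed stand-in for /etc/group (same colon layout, password in field 2).
SAMPLE_GROUP='wheel:*:0:root
operator:*:5:root
ftpadmin:$1$FAKEHASH$grp:1001:'

# sanitize_entries "name1 name2 ..." < infile > outfile
# Keep only the named entries and force field 2 (the password) to "*".
sanitize_entries() {
    awk -F: -v OFS=: -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { $2 = "*"; print }'
}

# check_no_hashes < file: succeed only if no entry still carries a hash.
# Run this against the chroot copy before exposing it to anonymous users.
check_no_hashes() {
    ! awk -F: '$2 != "*" && $2 != "" { found = 1 } END { exit !found }'
}

# build_ftp_etc SRC_PASSWD SRC_GROUP DEST
# Write the sanitized pair into the chroot's etc directory (the thread's
# /var/ftp/etc layout) as world-readable but not world-writable files.
build_ftp_etc() {
    _dest=$3
    mkdir -p "$_dest"
    sanitize_entries "ftp ftpadmin" < "$1" > "$_dest/passwd"
    sanitize_entries "operator ftpadmin" < "$2" > "$_dest/group"
    chmod 0644 "$_dest/passwd" "$_dest/group"
    # On FreeBSD, ftpd also reads pwd.db inside the chroot; regenerate it from
    # a sanitized master.passwd-format file with pwd_mkdb(8) -d "$_dest"
    # (assumed usage, FreeBSD-only) rather than copying /etc/pwd.db over.
    check_no_hashes < "$_dest/passwd" && check_no_hashes < "$_dest/group"
}
```

Run it as `build_ftp_etc /etc/passwd /etc/group /var/ftp/etc` on the server itself; the function fails (non-zero exit) if any hash survived, so it is safe to chain into a deployment step.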