From owner-freebsd-questions Thu Aug 22 17:02:09 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA05661 for questions-outgoing; Thu, 22 Aug 1996 17:02:09 -0700 (PDT)
Received: from shell.aros.net (root@shell.aros.net [205.164.111.19]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA05654 for ; Thu, 22 Aug 1996 17:02:04 -0700 (PDT)
Received: (from angio@localhost) by shell.aros.net (8.7.5/8.7.3) id SAA04608; Thu, 22 Aug 1996 18:02:00 -0600 (MDT)
From: Dave Andersen
Message-Id: <199608230002.SAA04608@shell.aros.net>
Subject: Re: ftpd security problem
To: jln@vhm.com (Joe Nieten)
Date: Thu, 22 Aug 1996 18:02:00 -0600 (MDT)
Cc: questions@FreeBSD.ORG
In-Reply-To: <2.2.32.19960822155041.00696d24@mailman.vhm.com> from Joe Nieten at "Aug 22, 96 10:50:41 am"
X-Mailer: ELM [version 2.4ME+ PL13 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

wuftpd will do a chroot() to their directory if you set their
home directory up as something like:

    /home/./a/angio

-- it'll chroot to /home before allowing the user access. I believe
that's all explained in the wuftpd man pages, but I could be wrong.

-Dave Andersen

Lo and behold, Joe Nieten once said:
> How can I prevent a user from roaming all over my system through ftp? I
> thought ftpd did a change root to keep users from getting out of their own
> directories. The user is put in their home directory initially ... however
> cd /etc puts them in that directory and downloading the password file is
> only a key stroke away.
>
> I just had a user that got ahold of my password file and sold the user ids
> to a marketing company and now we are getting bombarded with unsolicited
> e-mail. I've eliminated the user ... :) ... but the problem still remains.
>
>
> Thanks for any advice.
> Joe
>

--
angio@aros.net Complete virtual hosting and business-oriented
system administration Internet services. (WWW, FTP, email)
http://www.aros.net/ http://www.aros.net/about/virtual
"There are only two industries that refer to their customers as 'users'."
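
The home-directory convention described in the reply above, as an added example that is not part of the original message: a Python audit that splits each passwd home field at the "/./" marker into the directory the daemon would chroot() to and the directory the user starts in inside it, and flags accounts that would get no jail. The sample entries are constructed and the function names are hypothetical; it models only the path convention, not the rest of wuftpd's configuration.

```python
"""Audit passwd entries for the "/./" chroot marker (added example)."""
import posixpath

MARKER = "/./"

# Constructed sample entries, not taken from any real system.
SAMPLE_PASSWD = """\
angio:*:1001:1001:Dave:/home/./a/angio:/bin/sh
joeuser:*:1002:1002:Joe User:/home/joeuser:/bin/sh
webcust:*:1003:1003:Customer:/home/./webcust/../../etc:/sbin/nologin
rootjail:*:1004:1004:Marker at root:/./home/rootjail:/bin/sh
# comment line
broken-line-without-enough-fields
"""


def split_home(home):
    """Return (chroot_root, start_dir_inside_jail), or None if no real jail."""
    root, sep, rest = home.partition(MARKER)
    if not sep or not root.startswith("/"):
        # No marker, or the marker sits at "/" so the "jail" is the whole
        # filesystem (root == ""): either way the user is not confined.
        return None
    # Inside the jail ".." cannot climb above "/", so resolve lexically.
    start = posixpath.normpath("/" + rest.lstrip("/"))
    return root, start


def audit(passwd_text):
    """Map each login to (chroot_root, start_dir), or None when unconfined."""
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # passwd has 7 fields, FreeBSD master.passwd has 10; in both the
        # home directory is the second-to-last field.
        if line.startswith("#") or len(fields) not in (7, 10):
            continue
        report[fields[0]] = split_home(fields[-2])
    return report


if __name__ == "__main__":
    for login, jail in audit(SAMPLE_PASSWD).items():
        if jail is None:
            print(f"{login}: NOT CONFINED (no usable /./ marker)")
        else:
            print(f"{login}: chroot to {jail[0]}, starts in {jail[1]}")
```

Note that the `webcust` entry starts in `/etc` inside the jail, which is `/home/etc` on the real filesystem, not the system `/etc`.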