Date: Sun, 31 Dec 2000 16:54:09 -0300 (ART)
From: Fernando Schapachnik <fpscha@ns1.via-net-works.net.ar>
To: Chris Faulhaber <jedgar@fxp.org>
Cc: Fernando Schapachnik <fschapachnik@vianetworks.com.ar>, security@freebsd.org
Subject: Re: Proposed modification to ftpd
Message-ID: <200012311954.QAA71938@ns1.via-net-works.net.ar>
In-Reply-To: <20001231110840.A44549@earth.causticlabs.com> "from Chris Faulhaber at Dec 31, 2000 11:08:40 am"

In a previous message, Chris Faulhaber wrote:
> On Fri, Dec 29, 2000 at 01:29:45PM -0300, Fernando Schapachnik wrote:
> > Hello:
> > 	I just submitted PR bin/23944, which contains a patch against
> > 4.2R ftpd to add the following functionality to chrooted users: The
> > user's home dir is split by the first '/./'. The first part is
> > used to chroot, and the second to chdir (eg,
> > '/usr/local/www/data/site/./htdocs', means chroot to
> > /usr/local/www/data/site, and then chdir to htdocs).
> >
>
> Isn't it the client's responsibility to CWD ?

Should be, but if you are doing virtual hosting chances are that your
users will be clueless. A typical environment for a hosting site may
look like:

virtual_root/
virtual_root/htdocs
virtual_root/logs

So to avoid support calls ("I upload my .html, but I see nothing in
my browser"), you make them auto cd to htdocs. This is why wu-ftpd
includes this feature in the first place.

So, if you -like me- are tired of upgrading wu-ftpd because of
security problems every now and then, and have hundreds of virtual
sites to support, you'd better make it transparent to your users when
you switch daemons, or they will kill you.

Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
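
The '/./' home-directory convention described in the quoted proposal, as an added example that is not part of the original message and is not the patch from PR bin/23944. The function name split_home, the buffer sizes and the sample entries other than the one quoted in the message are assumptions made for illustration. The second part is returned as a path relative to the new root, because it should only be resolved with chdir after chroot has succeeded.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from PR bin/23944): split a passwd home
 * directory at the first "/./" into a chroot root and the directory
 * to chdir to once inside it. Returns 0 on success, -1 if a buffer
 * is too small (the caller should then refuse the login). */
int split_home(const char *home, char *root, size_t rootsz,
               char *cwd, size_t cwdsz)
{
    const char *mark = strstr(home, "/./");
    size_t rootlen = mark ? (size_t)(mark - home) : strlen(home);
    const char *rest = mark ? mark + 3 : "";

    /* Skip extra slashes so "site/.//htdocs" behaves the same way. */
    while (*rest == '/')
        rest++;
    if (rootlen == 0) {          /* "/./htdocs": the root is "/" itself */
        home = "/";
        rootlen = 1;
    }
    if (rootlen >= rootsz || strlen(rest) + 2 > cwdsz)
        return -1;
    memcpy(root, home, rootlen);
    root[rootlen] = '\0';
    /* Resolved only after chroot(root), so make it absolute inside the
     * new root; no marker or an empty second part means "/". */
    snprintf(cwd, cwdsz, "/%s", rest);
    return 0;
}

int main(void)
{
    /* Constructed sample entries; the first is the one from the message. */
    const char *samples[] = {
        "/usr/local/www/data/site/./htdocs", "/home/bob", "/./htdocs"
    };
    char root[256], cwd[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (split_home(samples[i], root, sizeof root, cwd, sizeof cwd) == 0)
            printf("%-36s chroot=%s chdir=%s\n", samples[i], root, cwd);
    return 0;
}
```

A daemon using this would call chroot(root) and then chdir(cwd) while still privileged, and treat a failure of either call as a failed login rather than falling back to an unconfined session.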