Date:      Mon, 19 Jul 1999 13:46:24 +0100
From:      Karl Pielorz <kpielorz@tdx.co.uk>
To:        cpeters2@home.com
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: anonymous ftp file settings
Message-ID:  <37931E20.B5EB8C88@tdx.co.uk>
References:  <001601bed1e1$ebf06680$0700a8c0@charles.domain>

"Charles A. Peters" wrote:
> 
> I am running an anonymous ftp site, and in the /etc directory (actually the
> /var/ftp/etc directory), there are 4 files, ftpmotd, group, passwd, and
> pwd.db.  These files are viewable by all users, and it appears to me that
> there may be a security risk here.  Can I delete group, passwd, and pwd.db
> without breaking anything, or more appropriately, what is the best way to
> handle this situation?

Most ftp daemons need access to those files to display the correct group &
ownership on files... If you're serving anonymous ftp, you can try deleting them
- most ftp daemons default to just displaying the UID / GID as numbers,
instead of their text names...

The other way is to create a 'fake' password file and either just put in
entries for "ftp" and "ftpadmin" etc. (as needed) - but with fake/wrong (or
no) passwords in there (Ditto for the 'group' file).

As it stands, if the ftp directory has a _real_ copy of the password files
(not so much the group files - but they're not entirely innocent in their
contents) someone could download your password file, and run a cracker through
it - hoping to find the passwords contained therein...

As to why they are needed - most ftp daemons chroot to the ftp directory
as/when someone logs in. If they've chroot'ed into the ftp area - they can't
access /etc/passwd /etc/group etc. anymore :-)

-Kp
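
The 'fake' password file approach described in the reply above, as an added example that is not part of the original message: one function flags entries in a chroot copy whose password field looks real, the other writes a display-only replacement. The function names, the `*` placeholder, the replacement home and shell values, and the sample entries are assumptions constructed for illustration; `ftp` and `ftpadmin` are the accounts named in the reply.

```sh
#!/bin/sh
# Added example (not from the original thread). Function names and all
# sample entries are constructed for illustration.

# Print the names of entries whose password field is not a placeholder
# ("*", "x" or empty). Returns non-zero if any such entry exists.
audit_passwd() {
    awk -F: '
        /^#/ || NF < 2 { next }
        $2 != "*" && $2 != "x" && $2 != "" { print $1; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Write a display-only passwd to stdout: keep only the accounts listed in
# $2 (comma-separated), force the password field to "*", and drop the
# GECOS, home and shell details that a directory listing does not need.
make_fake_passwd() {
    awk -F: -v keep="$2" '
        BEGIN { OFS = ":"; n = split(keep, k, ","); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^#/ || NF < 7 { next }
        ($1 in want) { print $1, "*", $3, $4, "", "/nonexistent", "/usr/sbin/nologin" }
    ' "$1"
}

# Constructed sample standing in for a real passwd copy left in the chroot.
# The hash strings are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$1$constructed$notarealhash000000000:0:0:Charlie:/root:/bin/csh
alice:$1$constructed$notarealhash111111111:1001:1001:Alice:/home/alice:/bin/sh
ftp:*:14:5:Anonymous FTP:/var/ftp:/usr/sbin/nologin
ftpadmin:*:1002:5:FTP admin:/var/ftp:/bin/sh
EOF

echo "entries with real-looking password fields:"
audit_passwd "$sample" || true
echo "display-only replacement:"
make_fake_passwd "$sample" ftp,ftpadmin
```

Only the UID and GID columns matter to the listing, so the replacement keeps those and nothing else from the source file.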

