Date: Mon, 1 Jan 1996 10:06:58 -0600 (CST)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: mbarkah@hemi.com (Ade Barkah)
Cc: hackers@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Answer to /bin/ls and ftp (should be documented)
Message-ID: <199601011606.KAA10803@brasil.moneng.mei.com>
In-Reply-To: <199512310246.TAA13020@hemi.com> from "Ade Barkah" at Dec 30, 95 07:46:49 pm

> 3. Copy the new pwd.db file into ~ftp/etc, and make it only
>    readable to everyone (chmod a=r pwd.db.) You should have
>    two files in ~ftp/etc directory: pwd.db, and group. The
>    passwd file is not necessary. Here's an example of how
>    the ~ftp/etc directory might look:
>
>    -r--r--r--  1 root  ftp     15 Dec 18 10:38 group
>    -r--r--r--  1 root  ftp  40960 Dec 18 19:14 pwd.db
>
> 4. Make sure you copy /bin/ls into ~ftp/bin, and make it only
>    executable by everyone (chmod a=x ls).

The more paranoid among us will be even more cautious: you don't want people
gaining a comprehensive listing of users on your system as easily as
downloading the pwd.db file.

I do something similar but with a twist:

3. Copy the new pwd.db and group files into ~ftp/etc, and make them both
   mode 0440. Change owner to "root.daemon".

4. Copy /bin/ls into ~ftp/bin. Change owner to "root.daemon", and change
   the mode to 2111...

Now nobody can access your pwd.db or group files, but ls can, because it
is a member of the appropriate group...

I know this may seem overly paranoid to people, but you never know what
tricks someone might use to gain access to your system, and the lower your
profile, the safer you may be...

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                              jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                          414/342-4847
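
An audit of the layout described in the message above, as an added example that is not part of the original e-mail: it checks that pwd.db and group are exactly mode 0440 and that ls is exactly mode 2111, all owned by root with group daemon (the "root.daemon" of the message). The function names `check_entry` and `audit_ftp_tree` are hypothetical, and the owner and group can be overridden as arguments.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP tree against the setgid-ls layout.
# check_entry and audit_ftp_tree are hypothetical helper names.

# check_entry PATH MODE OWNER GROUP
# Returns 0 only if PATH has exactly MODE and is owned by OWNER:GROUP.
check_entry() {
    # find -perm with a bare octal mode is an exact match, so 2111 demands
    # the setgid bit and 0440 rejects any world-readable bit.
    hit=$(find "$1" -prune -perm "$2" -user "$3" -group "$4" -print 2>/dev/null) || hit=""
    if [ -n "$hit" ]; then
        return 0
    fi
    echo "FAIL: $1 is not mode $2 owned by $3:$4" >&2
    return 1
}

# audit_ftp_tree FTPROOT [OWNER] [GROUP]
# Returns 0 if all three files match the layout, 1 otherwise.
audit_ftp_tree() {
    root=$1
    owner=${2:-root}      # default taken from "root.daemon" in the message
    group=${3:-daemon}
    bad=0
    check_entry "$root/etc/pwd.db" 0440 "$owner" "$group" || bad=1
    check_entry "$root/etc/group"  0440 "$owner" "$group" || bad=1
    check_entry "$root/bin/ls"     2111 "$owner" "$group" || bad=1
    return "$bad"
}
```

Call it as `audit_ftp_tree ~ftp`; a tree set up with the world-readable `a=r` and `a=x` modes from the quoted steps is reported as failing.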
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199601011606.KAA10803>