From owner-freebsd-questions Mon Jan 1 08:08:08 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA25341 for questions-outgoing; Mon, 1 Jan 1996 08:08:08 -0800 (PST)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id IAA25336 Mon, 1 Jan 1996 08:08:03 -0800 (PST)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id KAA10803; Mon, 1 Jan 1996 10:06:59 -0600
From: Joe Greco
Message-Id: <199601011606.KAA10803@brasil.moneng.mei.com>
Subject: Re: Answer to /bin/ls and ftp (should be documented)
To: mbarkah@hemi.com (Ade Barkah)
Date: Mon, 1 Jan 1996 10:06:58 -0600 (CST)
Cc: hackers@FreeBSD.ORG, questions@FreeBSD.ORG
In-Reply-To: <199512310246.TAA13020@hemi.com> from "Ade Barkah" at Dec 30, 95 07:46:49 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-questions@FreeBSD.ORG
Precedence: bulk

> 3. Copy the new pwd.db file into ~ftp/etc, and make it only
>    readable to everyone (chmod a=r pwd.db.) You should have
>    two files in ~ftp/etc directory: pwd.db, and group. The
>    passwd file is not necessary. Here's an example of how
>    the ~ftp/etc directory might look:
>
>    -r--r--r-- 1 root ftp 15 Dec 18 10:38 group
>    -r--r--r-- 1 root ftp 40960 Dec 18 19:14 pwd.db
>
> 4. Make sure you copy /bin/ls into ~ftp/bin, and make it only
>    executable by everyone (chmod a=x ls).

The more paranoid among us will be even more cautious: you don't want
people gaining a comprehensive listing of users on your system as easily
as downloading the pwd.db file.

I do something similar but with a twist:

3. Copy the new pwd.db and group files into ~ftp/etc, and make them
   both mode 0440. Change owner to "root.daemon".

4. Copy /bin/ls into ~ftp/bin. Change owner to "root.daemon", and
   change the mode to 2111...

Now nobody can access your pwd.db or group files, but ls can, because it
is a member of the appropriate group...

I know this may seem overly paranoid to people, but you never know what
tricks someone might use to gain access to your system, and the lower
your profile, the safer you may be...

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                      414/342-4847
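
The layout from steps 3 and 4 of the reply, written as an audit check for an existing anonymous-FTP tree. This is an added example, not part of the original message; the function names and the EXPECT_USER / EXPECT_GROUP overrides are assumptions made for illustration, and "root.daemon" is read as owner root, group daemon.

```sh
#!/bin/sh
# Added example: audit an anonymous-FTP tree against the layout in the reply above.
# Assumed names (not from the message): audit_ftp_tree, has_mode, has_owner,
# and the EXPECT_USER / EXPECT_GROUP overrides for checking a test tree.

# True when FILE's permission bits, including setuid/setgid, are exactly MODE.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# True when FILE belongs to USER and GROUP (names or numeric ids).
has_owner() {
    [ -n "$(find "$1" -prune -user "$2" -group "$3" 2>/dev/null)" ]
}

# audit_ftp_tree FTPROOT: print one line per deviation, return 1 if any.
audit_ftp_tree() {
    root=$1
    user=${EXPECT_USER:-root}
    group=${EXPECT_GROUP:-daemon}
    fail=0
    # path:mode pairs taken from steps 3 and 4 of the reply
    for spec in etc/pwd.db:0440 etc/group:0440 bin/ls:2111; do
        path=$root/${spec%%:*}
        mode=${spec##*:}
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            fail=1
            continue
        fi
        has_mode "$path" "$mode" || { echo "MODE $path (want $mode)"; fail=1; }
        has_owner "$path" "$user" "$group" ||
            { echo "OWNER $path (want $user:$group)"; fail=1; }
    done
    # Files under etc/ readable by "other" are the exposure the reply warns
    # about: the user list can be downloaded along with pwd.db.
    exposed=$(find "$root/etc" -type f -perm -004 2>/dev/null)
    if [ -n "$exposed" ]; then
        echo "$exposed" | sed 's/^/WORLD-READABLE /'
        fail=1
    fi
    return "$fail"
}
```

Run it as `audit_ftp_tree ~ftp` on the server; no output and a zero exit status mean the tree matches the 0440 / 2111 layout.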