Firewalls: Re: anonymous ftp

Firewalls
(March 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: anonymous ftp
From:	smb @ research . att . com
Date:	Tue, 15 Mar 94 13:57:11 EST
To:	jim @ Tadpole . COM (Jim Thompson)
Cc:	z056716 @ uprc . com, firewalls @ GreatCircle . COM

	 Get one of the fancy in.ftpds that let you maintain 'several' accounts
	 in the anonymous way (e.g. they treat a list of users in the same way
	 that anonymous accounts are treated, chroot to the 'home directory', no
	 changing to other users, etc.)

	 Set up an 'account' for each user.  Put them all in different
	 directories.  Make all the home directories owner write+search mode
	 300.  Modify in.ftpd to create the files with a mask of 0400, and
	 disallow "DELE' and 'rename'.  You *probably* don't need bin/ls, and
	 thus dev/zero (suns), etc/passw, or etc/group.  I've not tried this, so
	 your milage may vary.   (If you chroot before execing in.ftpd (which
	 you don't need to do), you will need dev/zero on a Sun, unless in.ftpd
	 is staticly linked.)

	 Now the remote users can't over-write the files, can't delete them,
	 can't search the directory, and can't see other users' files.

You're talking about writing too much code, and using overly-complex
programs.  A vanilla ftpd will do, possibly aided and abetted by the
TCP wrapper.

Run chroot from inetd.conf.  Run a shell script from it that sets umask
to 077 and then execs ftpd.

Now -- in the chroot area, you have an /etc/passwd file that has one
account per user, with password.  They'll each have a home directory,
mode 700 and owned by the user.  Root never appears in that passwd
file, btw.  Everyone will log in as themselves, and get only those
permissions.  Nothing else should be readable/searchable by anyone
other than root, including the shell and passwd file in the chroot
area.  Folks aren't quite isolated by chroot -- but it shouldn't
matter; the other protections should be quite strong.  I trust Unix's
user/group/other mechanism a lot more than I trust fancy ftpd's.

You can eliminate that shell script by writing the program in C.  It's
about 10 lines long...

If this idea doesn't strike you as secure enough, you can use the TCP
wrapper.  If you know the set of possible source addresses for each
user, configure the wrapper to execute a chroot command to a per-user
area, set up as above, but with just one entry per passwd file.  If
someone spoofs an IP address, they'll still need to authenticate via a
password.  If a password is captured, the attacker still needs to spoof
an IP address.  And everyone is protected from everyone else by chroot.

Indexed By Date	Previous:	Re: Firewalls Digest V3 #79 From: owen @ netcom . com
Indexed By Date	Next:	Re: IP replacement protocols & firewalls From: smb @ research . att . com
Indexed By Thread	Previous:	Re: anonymous ftp From: alastair @ cadence . com (Alastair Young)
Indexed By Thread	Next:	Re: anonymous ftp From: heiser @ world . std . com (Bill Heiser)