Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!samsung!think!Think.COM!barmar
From: barmar@Think.COM
Newsgroups: comp.unix.wizards
Subject: Re: ftp using .rhosts or rhsts.equiv
Keywords: ftp, .rhosts
Message-ID: <32098@news.Think.COM>
Date: 9 Dec 89 04:22:47 GMT
References:
Sender: news@Think.COM
Organization: Thinking Machines Corporation, Cambridge MA
Lines: 21

In article drears@pilot.njin.net (Dennis G. Rears) writes:
> I am thinking of changing the ftp servers on systems that I have
>control over so that the behaviour mimics rlogin/rsh.
>Is there any reason why I shouldn't do this?

It seems like a reasonable thing, but there are a number of things you'll
have to watch out for when you do it.

For security, ftp should use a privileged port to connect to the daemon,
and ftpd should check that the foreign port is privileged. This prevents
users from spoofing with "telnet 20".

However, this means that you'll have to make ftp setuid root. But much of
the program probably assumes that it is running under the invoker's userid.
It should change its effective userid to its real userid except when it is
opening the port.

Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
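
The two measures described in the post above, as an added C example that is not part of the original post or of any real ftp/ftpd source: the client raises its effective uid only around bind() to a reserved port, and the server checks the peer's source port. The names priv_init, bind_reserved and peer_port_is_privileged are hypothetical, and the code assumes POSIX seteuid() with a saved set-user-ID.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define RESERVED_LIMIT 1024  /* ports below this need root to bind on Unix */

static uid_t saved_euid;     /* effective uid at startup (root if setuid root) */

/* Call first thing in main(): run as the invoking user from here on. */
int priv_init(void)
{
    saved_euid = geteuid();
    return seteuid(getuid());
}

/* Client side: raise privilege only around bind(), then lower it again.
 * Returns the bound local port, or -1 if no reserved port could be bound. */
int bind_reserved(int sock)
{
    struct sockaddr_in sin;
    int port, bound = -1;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    if (seteuid(saved_euid) == 0) {          /* privileged section begins */
        for (port = RESERVED_LIMIT - 1; port >= RESERVED_LIMIT / 2; port--) {
            sin.sin_port = htons((unsigned short)port);
            if (bind(sock, (struct sockaddr *)&sin, sizeof sin) == 0) {
                bound = port;
                break;
            }
        }
    }
    if (seteuid(getuid()) != 0)              /* privileged section ends */
        _exit(1);                            /* never continue with root euid */
    return bound;
}

/* Server side: honour host-based trust only if the peer's port is reserved. */
int peer_port_is_privileged(const struct sockaddr_in *peer)
{
    unsigned port = ntohs(peer->sin_port);
    return port > 0 && port < RESERVED_LIMIT;
}
```

The server-side check is only as strong as the trust placed in root on the connecting host, which is the same assumption rlogin and rsh make.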