Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!uunet!snorkelwacker!paperboy!meissner
From: meissner@osf.org (Michael Meissner)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID:
Date: 6 Jun 90 18:01:57 GMT
References: <19001:Jun616:38:3890@stealth.acf.nyu.edu>
Sender: news@OSF.ORG
Distribution: usa
Organization: Open Software Foundation
Lines: 24
In-reply-to: brnstnd@stealth.acf.nyu.edu's message of 6 Jun 90 16:38:38 GMT

In article <19001:Jun616:38:3890@stealth.acf.nyu.edu> brnstnd@stealth.acf.nyu.edu writes:

| In article <1990Apr21.222928.24498@Solbourne.COM> Warner Losh writes:
| > What is needed is a good guide to how to setup anonymous FTP correctly
| > so that nobody can steal any real files.
|
| Yeah. Let's start by criticizing the SRI White Paper's recommendations.
| It says ``you may wish'' to remove all non-ftp accounts from the passwd
| file inside the ftp directory; it should say ``you should, no matter
| what.'' It recommends creation of ~ftp/pub, owner ftp, mode 777; that
| should be mode 577. Anyone want to continue this list?

Actually I prefer to customize the passwd file differently -- you
remove all users who don't have files stored in the ftp archives, and
put *'s for the passwords of all remaining users. This way, when
somebody does a dir on the files, you have a username to mail to for
questions, and the like, but still does not give out the encrypted
password.

--
Michael Meissner	email: meissner@osf.org		phone: 617-621-8861
Open Software Foundation, 11 Cambridge Center, Cambridge, MA

Catproof is an oxymoron, Childproof is nearly so