Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!rutgers!mit-eddie!minya!jc
From: jc@minya.UUCP (John Chambers)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID: <392@minya.UUCP>
Date: 8 Jun 90 03:44:16 GMT
Followup-To: s
Lines: 26

> Some sites keep anonymous FTP directories to be world-writable,
> letting any random internet user drop a file in a directory. If you
> see a file named GETMONEY.txt, makemoney.doc, or sex-bbs.doc (or
> variations on same) in your FTP directory, this is why. It is not
> good practice to allow random anonymous users to scribble into
> directories ...

The obvious counter-example to this is /usr/spool/uucppublic, which
is almost always world-writable, yet there seem to be no reports of
even minor problems with this. It's usually considered a useful part
of uucp, and an assortment of tools that are around (uuto/uupick for
example) are layered on top of it.

It's true (in fact, it's obvious) that one could fill up a victim's
disk partition. But this doesn't seem to trigger calls for shutdowns
of all uucp sites until the horrible security problems are fixed.
(Well, OK, users of competing packages *do* make such calls, but not
uucp's users. ;-)

So why is it such a disaster if an anon-ftp directory is writable?

--
Uucp: ...!{harvard.edu,ima.com,mit-eddie.edu}!minya!jc (John Chambers)
Home: 1-617-484-6393
Work: 1-508-952-3274
Cute-Saying: It's never too late to have a happy childhood.