Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!caen!ox.com!ox.com!emv
From: emv@ox.com (Ed Vielmetti)
Newsgroups: comp.unix.wizards
Subject: Re: Wizard-level questions
Message-ID:
Date: 27 Feb 91 22:44:10 GMT
References: <16048@sdcc6.ucsd.edu> <1991Jan26.142403.22812@mp.cs.niu.edu> <2285@tuvie.UUCP>
Sender: usenet@ox.com (Usenet News Administrator)
Organization: OTA Limited Partnership, Ann Arbor MI.
Lines: 22
In-Reply-To: mike@vlsivie.tuwien.ac.at's message of 29 Jan 91 11:49:00 GMT

In article <2285@tuvie.UUCP> mike@vlsivie.tuwien.ac.at (Michael K. Gschwind) writes:

   > I hope not. Otherwise permissions on directories wouldn't do much. I
   >do think the system design would have been cleaner if you only accessed
   >by i-node number, and mapping filename to inode was done outside the kernel.

   This is what is done on Apollo's DomainOS UNIX-clone. It is however a
   security nightmare. Things like chroot don't work, so you can't support
   anonymous ftp et al. Neat idea, but isn't fully UNIX compatible.

There's no particular reason that anonymous ftp requires the chroot()
system call. Granted, it makes it handy, but an alternative
implementation could simply inspect every filename to be sure that the
user didn't try to ../.. themself out of the protected area.

See dabo.ifs.umich.edu for an ftpd that does secure anonymous ftp for
the Apollo.

--
 Msen   Edward Vielmetti
/|---   moderator, comp.archives
        emv@msen.com
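
The filename inspection described in the post above, as an added example (not part of the original post and not the code of the ftpd it mentions): a purely lexical check in C that resolves a client-supplied name against the session's virtual working directory and refuses any name that would climb above the protected area. The function names, and the policy of rejecting rather than clamping a ".." at the area root, are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Append the components of `src` to the normalized path in `out` (current
 * length *len). "" and "." are skipped, ".." removes the last component.
 * Returns -1 if ".." would climb above the area root or `out` is too small. */
static int push_components(const char *src, char *out, size_t *len, size_t outsz)
{
    while (*src) {
        size_t n = strcspn(src, "/");           /* length of next component */
        if (n == 2 && src[0] == '.' && src[1] == '.') {
            if (*len == 0)
                return -1;                      /* ".." at the area root: refuse */
            while (out[--*len] != '/')          /* drop the last component */
                ;
        } else if (n > 0 && !(n == 1 && src[0] == '.')) {
            if (*len + 1 + n >= outsz)
                return -1;                      /* no room for "/name" plus NUL */
            out[(*len)++] = '/';
            memcpy(out + *len, src, n);
            *len += n;
        }
        src += n;
        while (*src == '/')
            src++;                              /* skip separators */
    }
    out[*len] = '\0';
    return 0;
}

/* Resolve `name` against the virtual working directory `cwd` (a normalized
 * path inside the protected area, "/" being the area root). On success writes
 * a normalized path starting with "/" to `out` and returns 0; the caller
 * appends it to the real directory of the protected area before opening. */
int confine_path(const char *cwd, const char *name, char *out, size_t outsz)
{
    size_t len = 0;

    if (outsz < 2)
        return -1;
    /* A leading '/' means the area root, never the real filesystem root. */
    if (name[0] != '/' && push_components(cwd, out, &len, outsz) != 0)
        return -1;
    if (push_components(name, out, &len, outsz) != 0)
        return -1;
    if (len == 0)
        strcpy(out, "/");                       /* resolved to the area root */
    return 0;
}
```

A lexical check like this does not see symbolic links inside the protected area, so the server must also keep links that point outside it from being followed.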