Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!think.com!paperboy!meissner
From: meissner@osf.org (Michael Meissner)
Newsgroups: comp.unix.wizards
Subject: Re: WARNING!
Message-ID:
Date: 10 Apr 91 21:53:14 GMT
References: <26520@adm.brl.mil>
Sender: news@OSF.ORG
Organization: Open Software Foundation
Lines: 25
In-reply-to: anamaria@saffron.wpd.sgi.com's message of 10 Apr 91 17:46:54 GMT

In article <26520@adm.brl.mil> anamaria@saffron.wpd.sgi.com (Ana Maria De Alvare') writes:

| I want to make it clear that a person can have access to someone's machine's
| password file through the internet without having any accounts directly
| related to that person. For example, through the ftp anonymous service,
| I can copy a password file over. This scenario is considered access to
| the remote machine in question. However, public anonymous access to a
| remote machine, is not being thought as authorizing anonymous browsing,
| and copying over files other than the ones explicitly published with
| the ftp anonymous procedures. In other words, ftp anonymous access is not
| looked at as individual access rights. So beware system administrators to
| curtail the amount of access you give away to ftp anonymous services.

Ummm, unless you wrote your own ftpd, the standard BSD one explicitly
chroot's anonymous FTP requests to the logon directory of the user
'ftp'. In every system manual, where I've seen how to set up
anonymous FTP, it mentions this, and tells the system manager never to
make the logon directory be '/'.
--
Michael Meissner  email: meissner@osf.org  phone: 617-621-8861
Open Software Foundation, 11 Cambridge Center, Cambridge, MA, 02142

Considering the flames and intolerance, shouldn't USENET be spelled ABUSENET?
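An added example, not part of the original post: an offline check of the rule stated in the reply, that the logon directory of the user 'ftp' must never be '/', including spellings that only resolve to '/'. It goes one step beyond the post by also flagging password hashes in the passwd copy inside the chroot; the function names and sample passwd lines are constructed for illustration, and the standard colon-separated passwd layout is assumed.

```python
import posixpath

PLACEHOLDERS = {"", "*", "x", "!", "!!"}  # field values that are not a usable hash

def ftp_home(passwd_text):
    """Return the home-directory field of the 'ftp' account, or None."""
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 7 and fields[0] == "ftp":
            return fields[5]
    return None

def audit_anon_ftp(system_passwd, chroot_passwd=""):
    """Return a list of findings; an empty list means nothing was flagged.

    system_passwd is the text of /etc/passwd, chroot_passwd the text of
    the passwd copy under the ftp home (both passed in, so this runs offline).
    """
    findings = []
    home = ftp_home(system_passwd)
    if home is None:
        return findings  # no 'ftp' account, so there is no chroot to audit
    if not home.startswith("/"):
        findings.append("ftp home %r is not an absolute path" % home)
    else:
        # normpath keeps a leading '//', so collapse it by hand.
        # Symlinks are not resolved here; that needs the live filesystem.
        norm = "/" + posixpath.normpath(home).lstrip("/")
        if norm == "/":
            findings.append("ftp home %r resolves to '/': the chroot exposes "
                            "the whole filesystem" % home)
    # Anything under the ftp home is readable by anonymous users.
    for line in chroot_passwd.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[1] not in PLACEHOLDERS:
            findings.append("~ftp/etc/passwd has a password hash for %r"
                            % fields[0])
    return findings

# Constructed sample input, not taken from any real host.
BAD_SYSTEM = ("root:*:0:0:root:/:/bin/sh\n"
              "ftp:*:14:50:anonymous ftp:/usr/..:/bin/false\n")
GOOD_SYSTEM = ("root:*:0:0:root:/:/bin/sh\n"
               "ftp:*:14:50:anonymous ftp:/home/ftp:/bin/false\n")
BAD_CHROOT = ("root:*:0:0:root:/:/bin/sh\n"
              "alice:zzCONSTRUCTED:101:10:Alice:/u/alice:/bin/sh\n")

if __name__ == "__main__":
    for finding in audit_anon_ftp(BAD_SYSTEM, BAD_CHROOT):
        print("FINDING:", finding)
```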