Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!caen!uflorida!gatech!hubcap!hubcap
From: hubcap@hubcap.clemson.edu (System Janitor)
Newsgroups: comp.unix.wizards
Subject: Re: WARNING!
Message-ID: <1991Apr15.140747.29793@hubcap.clemson.edu>
Date: 15 Apr 91 14:07:47 GMT
References:
Organization: Clemson University
Lines: 20

*
* Ummm, unless you wrote your own ftpd, the standard BSD one explicitly
* chroot's anonymous FTP requests to the logon directory of the user
* 'ftp'. In every system manual, where I've seen how to set up
* anonymous FTP, it mentions this, and tells the system manager never to
* make the logon directory be '/'.

But the man page for ftpd (usually) also says something like:

     ~ftp/etc) Make this directory owned by the superuser and unwritable
               by anyone. The files passwd(5) and group(5) must be
               present for the ls command to work properly.

... and they never warn you to delete the encrypted password field from
~/ftp/etc/passwd. Lots of people have their *real* password files available
via anonymous ftp, and the manual more or less *tells* them to do it!

-Mike
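
An added example, not part of the original post: one way to check the passwd copy under ~ftp/etc for leftover encrypted password fields and to produce a copy with those fields blanked out. The function names (ftp_passwd_exposed, ftp_passwd_sanitize, sample_passwd) and the sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit and sanitize the passwd copy kept under ~ftp/etc.
# Function names and the sample records are constructed for illustration.

# List logins whose password field (field 2) still carries a hash, i.e. is
# neither empty, "x", nor a placeholder starting with "*" or "!".
# Exit status is 1 when at least one such record is found.
ftp_passwd_exposed() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        NF >= 2 && $2 != "" && $2 != "x" && $2 !~ /^[!*]/ { print $1; n++ }
        END { exit (n > 0) }
    ' "$1"
}

# Emit a copy with every password field replaced by "*". uid/gid/name fields
# stay so ls can still map ids to names; lines that are not records are dropped.
ftp_passwd_sanitize() {
    awk -F: 'BEGIN { OFS = ":" }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        NF >= 2 { $2 = "*"; print }
    ' "$1"
}

# Constructed sample input (the hash-like strings are made up).
sample_passwd() {
    cat <<'EOF'
# constructed sample, not a real system file
root:ab01CdEfGhIjK:0:0:Operator:/:/bin/csh
ftp:*:99:99:Anonymous FTP:/usr/ftp:/bin/false
mike:Zq9xWvUtSrQpo:101:10:Mike:/home/mike:/bin/csh
guest::102:10:Guest:/home/guest:/bin/sh
EOF
}

# Demo: audit the sample, then show the sanitized copy.
demo_src=$(mktemp)
sample_passwd > "$demo_src"
ftp_passwd_exposed "$demo_src" || echo "hashes present in the records listed above"
ftp_passwd_sanitize "$demo_src"
rm -f "$demo_src"
```

The nonzero exit status from ftp_passwd_exposed makes it usable as a periodic check against the file actually served to anonymous users.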