Subject: Re: Anonymous FTP permissions
To: None <netbsd-help@NetBSD.ORG>
From: Alex R.N. Wetmore <alexw+@andrew.cmu.edu>
List: netbsd-help
Date: 01/04/1996 16:41:18
Excerpts from internet.computing.netbsd.netbsd-help: 4-Jan-96 Re:
Anonymous FTP permissions  by "Eric S. Hvozda"@netcom. 
> Hmmm, now I see 'Anonymous FTP' in the subject.  Are you sure you
> really want to do this?  Giving anyone a place to put files is
> essentially a 'nesting place' for crackers.  This is one reason why many
> sites don't have pub/incoming dir.  People usually use mode 733 or 333
> for pub/incoming.  This way, people can drop files there, but others
> cannot 'ls' or 'dir' there.  It still doesn't solve your deletion
> problem tho.

This has other problems as well.  A group of crackers can still
make a subdirectory under the incoming directory and it will have
r/w bits set, so they can use it to share files.  A few years ago
I had some anonymous ftp users do this to my machine until they
filled up the disk (which wasn't hard to do since it was only 
120megs at the time).

I've found that the best way to do an incoming directory (if you
really need one) is to put it on its own partition, that way it
can't grow beyond a reasonable size (quotas could also be used for
this).  My theory behind this is that not too much pirated software
fits into a 1 or 2meg area, but most of the things that users will
upload to my site will (which has mostly been patches to software
that I've written).  Also, it's helpful to make /etc/daily do an ls
of it so that you are sure to see new files that accumulate there.

Other ftp servers like wuftp might also handle stuff like this,
I'm not sure.  It's probably worth a look.

alex
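
A sketch of the nightly check described in the message above, as an added example that is not part of the original post: it warns if the incoming directory is listable, flags subdirectories created by uploaders, lists files that arrived since the last run, and shows how full the partition is. The function names, the stamp file and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: nightly audit of an anonymous-FTP incoming directory.
# Usage (paths are assumptions): sh audit.sh /var/ftp/pub/incoming /var/db/incoming.stamp

# Succeed only if the directory has no group/other read bit (mode 733 or 333),
# so anonymous users cannot list what others have dropped there.
incoming_unlistable() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Print every subdirectory below incoming. Uploaders can create these with
# read/write bits of their own, whatever the mode of incoming itself.
incoming_subdirs() {
    find "$1" -mindepth 1 -type d -print
}

# Print files newer than the stamp file (all files on the first run).
incoming_new_files() {
    if [ -f "$2" ]; then
        find "$1" -type f -newer "$2" -print
    else
        find "$1" -type f -print
    fi
}

# Produce the report and advance the stamp so the next run shows only new files.
audit_incoming() {
    dir=$1
    stamp=$2
    incoming_unlistable "$dir" || echo "WARNING: $dir is listable by group/other"
    subs=$(incoming_subdirs "$dir")
    if [ -n "$subs" ]; then
        printf 'Subdirectories created by uploaders:\n%s\n' "$subs"
    fi
    new=$(incoming_new_files "$dir" "$stamp")
    if [ -n "$new" ]; then
        printf 'New files since last run:\n%s\n' "$new"
    fi
    # Partition usage: incoming on its own small partition caps what can pile up.
    df -k "$dir" || echo "df failed for $dir"
    touch "$stamp"
}

if [ $# -eq 2 ]; then
    audit_incoming "$1" "$2"
fi
```

Calling the script from the daily maintenance job puts the report in the same mail as the rest of the nightly output.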