Subject: chroot jail for ftpd
To: None <netbsd-users@netbsd.org>
From: Steve Bellovin <smb@research.att.com>
List: netbsd-users
Date: 10/17/2001 21:42:09
I'm setting up an ftpd server for anonymous uploads.  I've set up the 
standard ftpd.conf to implement the appropriate restrictions, and they 
seem to work.  However, I don't entirely trust ftpd -- there's far too 
much code that can be executed in reading and processing the config 
file -- so I've got the thing nicely confined in a chroot jail; I've 
also used 'chflags' to make almost everything immutable.  (Well, that 
doesn't quite work yet, since I haven't built a proper kernel yet -- 
but I don't need X, so that's easy to take care of.)

The problem is the 'incoming' directory.  My concern is that *if* someone
finds a flaw in ftpd (say, a buffer overflow), they could do a mknod in 
the upload directory and use that to escape the chroot.  The question is
what can I do to prevent that.  I've toyed with adding a 'no special 
files' flag to the kernel; I've also checked to see if there's some 
mount option akin to nocoredump, but I don't see any.

Other suggestions?  (I'm checking out vsftpd, but apart from the fact 
that I don't know the codebase, I'd *still* like extra protection -- 
history shows that more or less anything can have buffer overflows.)

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
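An added example, not from Steve's post: a small POSIX sh audit that covers the two defensive angles raised above. It checks whether the filesystem holding the 'incoming' directory is mounted with nodev (the mount option analogous to nocoredump that the post is looking for; nosuid and noexec are checked as well), and it scans the directory for device nodes and set-id files that should never appear in an anonymous upload area. It assumes a mount(8) that prints options in parentheses after "type <fstype>" (true on NetBSD and Linux) and POSIX find/df/sed; the directory path and option strings used in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Audit an anonymous-ftp 'incoming' directory inside a chroot jail for the
# escape path discussed above: special files created in the upload area.
# Assumptions (not from the original post): mount(8) prints "... on MP type FS (opts)",
# and nodev/nosuid/noexec are the option names on this system.

# Print every block/char device node and every setuid/setgid file under $1.
# Empty output means nothing suspicious was found.
find_special_files() {
    find "$1" \( -type b -o -type c -o -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# $1: comma-separated mount option string, $2: option name.
# Returns 0 if the exact option is present, 1 otherwise (so "nodevice" != "nodev").
has_mount_option() {
    opts=",$1,"
    case "$opts" in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print (space-separated) which of nodev/nosuid/noexec are absent from the option
# string $1; return 0 only when all three are present.
missing_mount_options() {
    missing=""
    for want in nodev nosuid noexec; do
        if ! has_mount_option "$1" "$want"; then
            missing="$missing${missing:+ }$want"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Resolve the mount point holding directory $1 via df(1), then pull that mount's
# option list out of mount(8) output and normalise ", " separators to ",".
mount_options_for() {
    mp=$(df -P "$1" | awk 'NR==2 {print $NF}')
    mount | sed -n "s|^.* on $mp type [^ ]* (\(.*\))$|\1|p" | tr -d ' '
}

# Full audit of one incoming directory; exit status is non-zero on any finding.
# Note: nodev stops device nodes on that filesystem from being opened; it does
# not stop a privileged process from creating them, which is why both checks run.
audit_incoming() {
    dir=$1
    rc=0
    opts=$(mount_options_for "$dir")
    if ! lacking=$(missing_mount_options "$opts"); then
        echo "WARN: $dir mounted with ($opts); missing: $lacking"
        rc=1
    fi
    found=$(find_special_files "$dir")
    if [ -n "$found" ]; then
        echo "WARN: special or set-id files under $dir:"
        printf '%s\n' "$found"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $dir"
    return $rc
}

# Usage: sh audit-incoming.sh /path/to/jail/incoming   (placeholder path)
if [ $# -gt 0 ]; then
    audit_incoming "$1"
fi
```

Run it from cron against the jail's upload directory; a non-zero exit or any WARN line is the signal to look at the jail. The mount-option check is the preventive half (a nodev filesystem will not honour a device node even if one is created); the find scan is the detective half for the case where the node was created anyway.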