Subject: Re: Securing Anonymous FTP Uploads
To: None <perry@piermont.com>
From: David Holland <dholland@eecs.harvard.edu>
List: tech-security
Date: 03/28/1997 11:28:41
 > > * Sets the default umask for anonymous users to 707, thus clearing
 > >   out all but group read/write/execute access on uploaded files.
 > 
 > I feel uncomfortable depending on the group stuff to protect
 > permissioning. I'd very strongly prefer 777. 

In my opinion the best possible scheme would be an upload directory
owned by the maintainer account, world-writable, and sticky. Then you
arrange to have uploads chowned to the maintainer (and chmod'd to 644
or 600). There are a number of relatively safe ways of accomplishing
the chown; unfortunately none of them are particularly easy.

I don't think it's a particularly good idea to have the upload
directory owned by ftp, even if ftpd disallows dangerous commands;
it's easy to forget to disable something, and if not that, then some
bug or clever trick is bound to come up that permits ftpd to perform
some of these operations after all.

Fundamentally though, ftpd itself should support various upload
directory management techniques and not hardwire any particular setup.

 > If it becomes a management headache, the people running the ftp
 > account can always build a cron job that moves incoming files into
 > an examination area and changes the protection to something
 > reasonable.

Any automated script that touches an upload area has to be very
careful about people uploading "interesting" filenames. Best to
include the script with ftpd to discourage people from writing their
own probably leaky ones.

 > > * Disables the umask, chmod, delete and rmdir commands for anonymous
 > >   users.
 > 
 > Very good, but you should also prohibit directory creation as well.

Yes, but as a config option.

-- 
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino
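The cron-job idea quoted above, together with the warning about "interesting" filenames, worked through as an added example (this is not code from either poster or from any ftpd): a POSIX sh function that sweeps uploads out of a world-writable, sticky incoming directory into a maintainer-only examination directory. The two directory paths are assumed to be supplied by the caller; chown to the maintainer is left out because it needs root and the thread leaves that mechanism open.

```shell
#!/bin/sh
# Added example for the cron-job approach discussed in the thread; not code
# from the thread or any ftpd. Moves uploads out of a world-writable, sticky
# incoming directory into an examination directory and tightens their mode.
# Every name is treated as an opaque string: shell globs (never `ls` output)
# enumerate the directory, "--" ends option parsing, and every expansion is
# double-quoted, so names with spaces, newlines or leading dashes are safe.
# The directory names are arguments supplied by the caller (assumed).

quarantine() {
    incoming=$1   # world-writable, sticky; anonymous users drop files here
    examine=$2    # writable only by the maintainer account
    moved=0
    # Three globs pick up dotfiles too; an unmatched glob stays literal and
    # is rejected by the -L / -f tests below.
    for f in "$incoming"/* "$incoming"/.[!.]* "$incoming"/..?*; do
        # -f follows symlinks, so test -L first: a link planted in the
        # upload area must never be chmod'd or moved as if it were a file.
        if [ -L "$f" ]; then
            printf 'skipping symlink: %s\n' "$f" >&2
            continue
        fi
        [ -f "$f" ] || continue       # directories, devices, unmatched globs
        base=${f##*/}
        dest=$examine/$base
        n=0
        # Never overwrite an earlier upload of the same name.
        while [ -e "$dest" ] || [ -L "$dest" ]; do
            n=$((n + 1))
            dest=$examine/$base.$n
        done
        mv -- "$f" "$dest" || continue
        # Re-check on the maintainer's side of the move: the upload area can
        # change under us between the tests above and the rename.
        if [ -L "$dest" ] || [ ! -f "$dest" ]; then
            printf 'unexpected object after move: %s\n' "$dest" >&2
            continue
        fi
        chmod 600 -- "$dest"
        moved=$((moved + 1))
    done
    echo "$moved"
}
```

Run it from the maintainer's crontab as `quarantine /path/to/incoming /path/to/examine`; it prints the number of files moved and reports skipped objects on stderr.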