Subject: Re: Securing Anonymous FTP Uploads
To: Curt Sampson <cjs@portal.ca>
From: Assar Westerlund <assar@sics.se>
List: tech-security
Date: 03/29/1997 07:34:48

Curt Sampson <cjs@portal.ca> writes:
> > > * Disables the umask, chmod, delete and rmdir commands for anonymous
> > >   users.
> > 
> > Yes, and mkdir should not be disabled. It makes it a lot easier if
> > R. Luser can put his gazillion different files in one directory.
> 
> Not much point to this, since with a umask of 707 or 777, he won't
> be able to put anything into that directory, or even cd to it.

An explicit chmod is done after the mkdir for anonymous users.

> > Furthermore, anonymous users have restrictions on the filenames they
> > may create.
> 
> I have no wish to put this in at all. Since the files can't be
> downloaded anyway, there's not much point in adding code like this.

It makes the mess you have to clean up after a warez-uploader somewhat
nicer, and I don't see any reason that they have to be able to create
any filenames they like.

/assar