Subject: Re: ftpd upload behavior
To: Rumi Szabolcs <>
From: Bill Sommerfeld <>
List: tech-userlevel
Date: 01/21/2001 11:44:01
Both policies (allow anonymous MKD and disallow anonymous MKD) are
"reasonable", assuming that permissions on the anonymously-created
directory are appropriate (allowing upload of files, but not download
or reading of file names[1]).

How about adding a new ftpd.conf command:

mkdir <class> [OFF]

	if <class> is "none" or OFF is given, disable the MKD command;
	otherwise enable them for the specified class.  If both this
	directive and "upload" are present, this takes precedence.

					- Bill

[1] The paranoid should worry about anklebiters encoding war3z into a
series of filenames.  The extremely paranoid will worry about "covert
channels" like giving any indication that a file in the incoming
directory already exists.