Subject: Re: ftpd upload behavior
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Luke Mewburn <lukem@wasabisystems.com>
List: tech-userlevel
Date: 01/22/2001 09:50:46
On Sun, Jan 21, 2001 at 11:44:01AM -0500, Bill Sommerfeld wrote:
> Both policies (allow anonymous MKD and disallow anonymous MKD) are
> "reasonable", assuming that permissions on the anonymously-created
> directory are appropriate (allowing upload of files, but not download
> or reading of file names[1]).
>
> How about adding a new ftpd.conf command:
>
> mkdir <class> [OFF]
>
> if <class> is "none" or OFF is given, disable the MKD command;
> otherwise enable it for the specified class. If both this
> directive and "upload" are present, this takes precedence.
I had considered something like that, but I figured that if we're
going to start doing that, a more generic method of controlling
whether or not a command is enabled is probably more scalable.
Something like:

	command <class> <command> [OFF]

if <class> is "none" or OFF is given, disable the given
<command>; otherwise enable it for the specified class.
This may override the behaviour of a prior `modify',
`upload', or `command' directive.
> [1] The paranoid should worry about anklebiters encoding war3z into a
> series of filenames. The extremely paranoid will worry about "covert
> channels" like giving any indication that a file in the incoming
> directory already exists.
With the default umask of 0707, and the suggestion in ftpd(8) of
making the permissions on ~ftp/incoming 0370, this effectively
makes the attack pointless, because guests can't see the filenames.
--
Luke Mewburn <lukem@wasabisystems.com> http://www.wasabisystems.com
Luke Mewburn <lukem@netbsd.org> http://www.netbsd.org
Wasabi Systems - providing NetBSD sales, support and service.
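As an added example (not ftpd's own code, and not part of the original mail), the following resolves the proposed `command <class> <command> [OFF]` directive against a constructed ftpd.conf fragment, applying lines in order so a later line overrides an earlier `upload`, `modify` or `command` for the same class. The grouping of FTP commands under `upload` and `modify`, the treatment of class `all`, and reading class `none` as "disable for every class" are assumptions, not taken from the thread.

```python
"""Order-sensitive resolver for the proposed ftpd.conf `command` directive.

Constructed example; ftpd's real parser is not used here.  Commands that
no directive mentions are assumed to be enabled.
"""

# Assumed grouping of FTP commands controlled by the existing directives.
UPLOAD_CMDS = {"APPE", "STOR", "STOU"}
MODIFY_CMDS = {"CHMOD", "DELE", "MKD", "RMD", "RNFR", "RNTO", "UMASK"}

# Constructed ftpd.conf fragment: guests may upload but not modify, except
# that MKD is switched back on via the proposed directive, and CHMOD is
# turned off for every class.
SAMPLE_CONF = """\
upload  guest             # guests may STOR/STOU/APPE into ~ftp/incoming
modify  guest off         # ...but no DELE, RMD, RNFR/RNTO, CHMOD, ...
command guest MKD         # proposed directive: MKD back on for guests
command all   CHMOD off   # proposed directive: CHMOD off for all classes
upload  chroot            # another class, uploads only
"""


def resolve(conf: str, cls: str) -> dict:
    """Return {FTP_COMMAND: enabled} for class `cls` after every directive
    that names it (or `all`, or `none`) has been applied top to bottom."""
    enabled = {}
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # strip comments
        if len(words) < 2:
            continue
        directive, target = words[0].lower(), words[1].lower()
        if directive == "command" and len(words) >= 3:
            cmds, rest = {words[2].upper()}, words[3:]
        elif directive == "upload":
            cmds, rest = UPLOAD_CMDS, words[2:]
        elif directive == "modify":
            cmds, rest = MODIFY_CMDS, words[2:]
        else:
            continue                               # other directives ignored
        if target not in (cls.lower(), "all", "none"):
            continue
        on = target != "none" and not (rest and rest[0].lower() == "off")
        for cmd in cmds:
            enabled[cmd] = on                      # later lines win
    return enabled


def allowed(conf: str, cls: str, cmd: str) -> bool:
    """True if `cls` may issue `cmd` under `conf` (unmentioned -> enabled)."""
    return resolve(conf, cls).get(cmd.upper(), True)
```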