Subject: Re: ftpd upload behavior
To: Bill Sommerfeld <firstname.lastname@example.org>
From: Luke Mewburn <email@example.com>
Date: 01/22/2001 09:50:46
On Sun, Jan 21, 2001 at 11:44:01AM -0500, Bill Sommerfeld wrote:
> Both policies (allow anonymous MKD and disallow anonymous MKD) are
> "reasonable", assuming that permissions on the anonymously-created
> directory are appropriate (allowing upload of files, but not download
> or reading of file names).
> How about adding a new ftpd.conf command:
> mkdir <class> [OFF]
> if <class> is "none" or OFF is given, disable the MKD command;
> otherwise enable them for the specified class. If both this
> directive and "upload" are present, this takes precedence.
I had considered something like that, but I figured that if we're
going to start doing that, a more generic method of controlling
whether or not a command is enabled is probably more scalable.
command <class> <command> [OFF]
if <class> is "none" or OFF is given, disable the given
<command>; otherwise enable it for the specified class.
This may override the behaviour of a prior `modify',
`upload', or `command' directive.
>  The paranoid should worry about anklebiters encoding war3z into a
> series of filenames. The extremely paranoid will worry about "covert
> channels" like giving any indication that a file in the incoming
> directory already exists.
With the default umask of 0707, and the suggestion in ftpd(8) of
making the permissions on ~ftp/incoming 0370, then it effectively
makes this attack pointless, because guests can't see the filenames.
Luke Mewburn <firstname.lastname@example.org> http://www.wasabisystems.com
Luke Mewburn <email@example.com> http://www.netbsd.org
Wasabi Systems - providing NetBSD sales, support and service.