Applying restrictions to anonymous ftp-ers

Michael Regoli mr at ogre.cica.indiana.edu
Wed May 8 00:34:39 AEST 1991


In <1991May6.190230.10494 at cica.indiana.edu> mr at cica.indiana.edu
(Michael Regoli) writes: 

>][

>When logging into many hosts allowing anonymous ftp access, the
>message "Guest login ok, access restrictions apply" appears upon a
>successful login.  However, it remains to be seen what restrictions
>are in effect.  For example, in a public uploads area (owned by ftp,
>mode 777), ftp users can "put" and "get" files, in addition to "dele"
>and "append" to files.  It is the latter cases that oftentimes
>destroy data in a public area.

>What measures can be applied via BSD ftpd to restrict access to
>certain ftp commands?  

Thanks to everyone for contacting me.  Here's a temporary solution
that seems to work:

For obvious reasons, I need the directory for "uploads" to be mode
777 so ftp-ers can place files anytime.

What works is to chown the uploads directory to "root" and add the
sticky bit to mode 777 on the directory.  In order to protect the
files from being "stomped," chown the files to anything other than
root or ftp. (Since ftpd does a chroot, without the sticky bit set, it
will delete ANY file, with ANY ownership, that is placed in a
directory that is mode 777.)

Of course, files that are placed prior to a "chown" are owned by ftp
and therefore can be destroyed by anonymous ftp-ers.  Not much we can
do about it.  (Well, of course, we could have cron visit the directory
on a regular basis to chown the files, but we don't get *that* far
behind in moving files out of the public uploads area.)

Anyhow, this entire exercise has been useful in learning the nuances
of Unix file permissions and ftp/ftpd.

My thanks again to everyone.

--
michael regoli
mr at cica.indiana.edu 
regoli at iubacs.bitnet
...rutgers!iuvax!cica!mr
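
The following is an added example, not part of the original post: a POSIX shell function that audits an uploads directory for the arrangement described above (sticky bit on the world-writable directory, directory not owned by the anonymous account, no uploads still owned by that account). The function names, the output tags and the account name passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a public uploads
# directory for the sticky-bit arrangement the post describes.
# Usage: audit_uploads DIR FTP_ACCOUNT   (hypothetical names)

# Owner and mode string as reported by ls -ld (fields 3 and 1).
owner_of() { ls -ld "$1" | awk '{print $3}'; }
mode_of()  { ls -ld "$1" | awk '{print $1}'; }

audit_uploads() {
    dir=$1 ftp_account=$2 status=0

    # World-writable without the sticky bit: anyone who can write to the
    # directory can remove any file in it, whatever its ownership.
    case "$(mode_of "$dir")" in
        d???????w[tT]*) ;;
        d???????w*) echo "NO_STICKY $dir"; status=1 ;;
    esac

    # With the sticky bit set, the directory owner may still delete entries,
    # so the directory must not belong to the anonymous account.
    if [ "$(owner_of "$dir")" = "$ftp_account" ]; then
        echo "DIR_OWNED_BY_FTP $dir"; status=1
    fi

    # Uploads not yet chowned stay removable by the account that wrote them.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        if [ "$(owner_of "$f")" = "$ftp_account" ]; then
            echo "FILE_OWNED_BY_FTP $f"; status=1
        fi
    done
    return $status
}

# When run as a script: sh audit_uploads.sh /path/to/uploads ftp
if [ "$#" -eq 2 ]; then audit_uploads "$1" "$2"; fi
```

A non-zero return means at least one finding was printed; run from cron, the FILE_OWNED_BY_FTP lines give the files still waiting for the chown mentioned in the post.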




More information about the Comp.unix.questions mailing list