[wplug] Anonymous FTP and hidden files (security problem?)

Albert E. Whale, CISSP aewhale at ABS-CompTech.com
Wed Sep 10 11:30:30 EDT 2003


Jonathan S. Billings wrote:

>
> On Wednesday, Sep 10, 2003, at 09:25 America/New_York, Albert E. 
> Whale, CISSP wrote:
>
>> These files are primarily intended to be used for Users with SHELL 
>> Access.  Tftp - aka Anonymous FTP, should not get Shell Access 
>> (IMHO).  Removal should not break your system, but rather improve 
>> your Security.
>
>
> I just wanted to note that 'tftp' and 'ftp' are two completely 
> different protocols, and that 'tftp' isn't also known as anonymous ftp. 

Agreed, but in this situation, if his directory contents are all that's 
there, there is no difference.  While you do have a little configuration 
control over the anonymous ftp application, I have never seen them given 
more access than RO on most directories; there has been an occasional 
Anonymous Write Directory.  However, I do not see this as a Safe Practice.

>
>
> I agree with the point though, you shouldn't be able to get shell 
> access through your ftp server, so there is no reason to have the 
> standard shell rc files and other files created by adduser.
>
Agreed as well.  There is generally no need to keep the dotfiles, 
because you can always retrieve them from a Useradd process, or by 
examining the /etc/skel directory hierarchy.

HTH.

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
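
A way to check an anonymous FTP home directory for the conditions discussed in this message (leftover adduser dotfiles, anonymous-writable directories, the account's shell). This is an added example, not part of the original post; the function names and the /var/ftp path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP home directory.
# Paths in the usage line (/var/ftp, /etc/skel) are assumptions; pass your own.

# Print one finding per line:
#   SKEL_DOTFILE <path>    dotfile that also exists in the skeleton directory
#   DOTFILE <path>         any other hidden file or directory at the top level
#   WORLD_WRITABLE <path>  directory anywhere in the tree writable by "other"
audit_ftp_home() {
    home=$1
    skel=${2:-/etc/skel}
    [ -d "$home" ] || { echo "ERROR not a directory: $home" >&2; return 2; }

    for entry in "$home"/.[!.]* "$home"/..?*; do
        # Unmatched globs stay literal; skip them (but keep dangling symlinks).
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ -e "$skel/$name" ]; then
            echo "SKEL_DOTFILE $entry"
        else
            echo "DOTFILE $entry"
        fi
    done

    # -perm -0002 matches directories with the "other write" bit set.
    find "$home" -type d -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
}

# Print the login shell (field 7) of a user from a passwd-format file.
account_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Run only when a directory is given, e.g.: sh audit.sh /var/ftp /etc/skel
if [ "$#" -ge 1 ]; then
    audit_ftp_home "$@"
fi
```

Files reported as SKEL_DOTFILE are the ones that can be recreated from the skeleton directory if they are ever needed again.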





