[wplug] Anonymous FTP and hidden files (security problem?)
Albert E. Whale, CISSP
aewhale at ABS-CompTech.com
Wed Sep 10 11:30:30 EDT 2003
Jonathan S. Billings wrote:
>
> On Wednesday, Sep 10, 2003, at 09:25 America/New_York, Albert E.
> Whale, CISSP wrote:
>
>> These files are primarily intended to be used for Users with SHELL
>> Access. Tftp - aka Anonymous FTP, should not get Shell Access
>> (IMHO). Removal should not break your system, but rather improve
>> your Security.
>
>
> I just wanted to note that 'tftp' and 'ftp' are two completely
> different protocols, and that 'tftp' isn't also known as anonymous ftp.
Agreed, but in this situation, if his directory contents are all that's
there, there is no difference. While you do have a little configuration
control over the anonymous ftp application, I have never seen them given
more access than RO on most directories; there has been an occasional
Anonymous Write Directory. However, I do not see this as a Safe Practice.
>
>
> I agree with the point though, you shouldn't be able to get shell
> access through your ftp server, so there is no reason to have the
> standard shell rc files and other files created by adduser.
>
Agreed as well. There is generally no need to keep the dotfiles,
because you can always retrieve them from a Useradd process, or by
examining the /etc/skel directory hierarchy.
HTH.
--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
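
An added example, not part of the original message: a read-only audit of the two points raised in this thread, listing dotfiles in an FTP home that also exist in a skeleton directory, and any world-writable directories under it. The function names and the sample tree are constructed for illustration; pass your own FTP home and /etc/skel paths.

```shell
#!/bin/sh
# Read-only audit of an anonymous-FTP home directory. Nothing is deleted.

# Print dotfiles in the FTP home ($1) that have a same-named entry in the
# skeleton directory ($2), i.e. files copied in when the account was created.
skel_dotfiles() {
    ftp_home=$1; skel=$2
    for f in "$skel"/.[!.]*; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=${f##*/}
        if [ -e "$ftp_home/$name" ]; then printf '%s\n' "$name"; fi
    done | LC_ALL=C sort
}

# Print directories under $1 that are world-writable (anonymous write areas).
writable_dirs() {
    find "$1" -type d -perm -0002 | LC_ALL=C sort
}

# Build a constructed sample tree (stand-ins for /etc/skel and the FTP home)
# in a temporary directory and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/skel" "$d/ftp/pub" "$d/ftp/incoming"
    touch "$d/skel/.bashrc" "$d/skel/.bash_profile" "$d/skel/.bash_logout"
    touch "$d/ftp/.bashrc" "$d/ftp/.bash_profile" "$d/ftp/pub/README"
    chmod 755 "$d/ftp" "$d/ftp/pub"
    chmod 777 "$d/ftp/incoming"
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree.
demo=$(make_sample)
echo "skel dotfiles present in FTP home:"
skel_dotfiles "$demo/ftp" "$demo/skel"
echo "world-writable directories:"
writable_dirs "$demo/ftp"
rm -rf "$demo"
```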