BSD/OS 3.0 config_anonftp script

From: trey (treyat_private)
Date: Mon Mar 16 1998 - 13:45:31 PST


    This being my first post, please excuse me if this information is already
    known.
    
    BSD/OS 3.0 comes without any anonymous ftp set up out-of-the-box.
    Configuration of anonymous ftp is provided by the perl script
    /usr/sbin/config_anonftp (for those who don't just set this up by hand).
    A problem seems to exist in the following lines of this script:
    
    &copy_file("/etc", "group", "$ftp{\"DIR\"}/etc", 0444);
    &copy_file("/etc", "pwd.db", "$ftp{\"DIR\"}/etc", 0444);
    
    What ever happened to creating dummy group and passwd files for anonymous
    ftp?  This script copies the full system group and pwd.db files where
    anyone can get them.  While pwd.db contains no password information (as
    does spwd.db), it makes it trivial to gather a full list of users and the
    info found in the other fields of the passwd file.  I do realize that if
    config_anonftp is run before any system accounts are set up, pwd.db and
    group would not contain any unique system information.
    
    Wouldn't it be safer if config_anonftp constructed dummy group and pwd.db
    files?  The -d option to pwd_mkdb seems ideal for this purpose.  Again, if
    any of this information is known, I apologize.
    
    Sincerely,
    
    trey
    <treyat_private>
    The Analog Organization
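
One way to build the dummy files the post asks for, as an added example that is not part of the original post or of the BSD/OS script. The function names, placeholder account entries and staging-directory layout are constructed for illustration, and it assumes `pwd_mkdb -d` writes its databases into the named directory as the post suggests.

```shell
#!/bin/sh
# Added example: placeholder account files for an anonymous-FTP area, built
# in a staging directory instead of copying /etc/group and /etc/pwd.db.
# All account and group entries below are constructed.

# write_dummy_files STAGE: create a minimal master.passwd and group in STAGE.
write_dummy_files() {
    stage=$1
    mkdir -p "$stage" || return 1
    # Fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
    cat > "$stage/master.passwd" <<'EOF'
root:*:0:0::0:0:placeholder:/:/sbin/nologin
ftp:*:99:99::0:0:placeholder:/:/sbin/nologin
EOF
    cat > "$stage/group" <<'EOF'
wheel:*:0:
ftp:*:99:
EOF
    chmod 0600 "$stage/master.passwd"
}

# count_nondummy FILE: number of entries in a passwd-format FILE whose login
# name is not a placeholder; 0 means the file exposes no real account names.
count_nondummy() {
    awk -F: 'NF > 1 && $1 !~ /^#/ && $1 != "root" && $1 != "ftp" { n++ }
             END { print n + 0 }' "$1"
}

# install_dummy STAGE FTP_ETC: build pwd.db in STAGE, then copy only pwd.db
# and group into the FTP tree (FTP_ETC is the etc directory under ~ftp).
install_dummy() {
    stage=$1 ftp_etc=$2
    # Refuse to publish anything that carries names beyond the placeholders.
    [ "$(count_nondummy "$stage/master.passwd")" -eq 0 ] || return 1
    command -v pwd_mkdb >/dev/null 2>&1 ||
        { echo "pwd_mkdb not found" >&2; return 2; }
    # Assumption: -d makes pwd_mkdb write its databases into STAGE, not /etc.
    pwd_mkdb -d "$stage" "$stage/master.passwd" || return 1
    # spwd.db and master.passwd stay in STAGE and never enter the FTP tree.
    cp "$stage/pwd.db" "$stage/group" "$ftp_etc/" || return 1
    chmod 0444 "$ftp_etc/pwd.db" "$ftp_etc/group"
}
```

`count_nondummy` also works as a quick audit of any text passwd file already sitting in an FTP area: a non-zero result means real login names are readable by anonymous users.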
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:52 PDT