Re: Good, secure FTP daemons that don't need real user accounts

From: Kee Hinckley (nazgul@somewhere.com)
Date: 08/04/01


Message-Id: <p05100304b7912ea593d5@[192.168.1.104]>
Date: Sat, 4 Aug 2001 00:49:55 -0400
To: Seth Arnold <sarnold@wirex.com>
From: Kee Hinckley <nazgul@somewhere.com>
Subject: Re: Good, secure FTP daemons that don't need real user accounts


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 4:11 PM -0700 8/2/01, Seth Arnold wrote:
>> So as a further step to avoid such a fiasco, we want to avoid giving
>> these people entries in /etc/passwd.
>
>So, then, these users' files aren't separated from each other? All the
>client files get thrown into one 'client' user? Hmm. I know I would
>avoid such a hosting solution like the plague -- people try to
>re-implement the OS checks, but usually fail. Why not let the OS do what
>it does? :)

I highly recommend ncftpd. Available in a free, three
simultaneous-use license, commercial thereafter. Fast, very secure,
lots of useful options, but easy to configure, so you don't leave
yourself wondering if you left some gaping hole open (wuftpd is
horrible for stuff like that). And it gives the option of not using
/etc/passwd. In answer to the question of why not let the OS do
it--because when the OS does it, it grants full access to the OS with
all the potential privileges of a full OS user. When the ftp program
handles it, you haven't opened up tens, hundreds or thousands of
potentially abusable accounts.
- --

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3

iQA/AwUBO2t/9SZsPfdw+r2CEQJr9ACg8xk18URwuQfG+8YQK4Y3i5CHETEAn2Ha
e7Qk6p9G3lO8zt73Uo6Zl1J7
=WX7D
-----END PGP SIGNATURE-----