> Here is some advise from Sun that I highly recommend you DO NOT DO. > > If you look at the MAN page for ftpd, you will see the following > advise: > > the following rules are recommended. > ~ftp) > Make the home directory owned by ``ftp'' and unwritable > by anyone. > > I highly recommend you change that to owned by ``root''. If anyone can lo > g > in as ftp, there is nothing to stop them from doing SITE CHMOD 777 to the > main directory and putting .rhosts or .forward there allowing instant > access. > > Of course, Sun's ftpd doesn't support chmod. Not that that excuses their > advice, but it's not *quite* as bad... (I'm talking about 4.1.x, for some > values of x.) > I thought it should be brought to attention because a few people were asking why I suggested ~ftp to be owned by someone other than ftp, which they said was clearly stated by the MAN pages to be owned by ftp. Not only that, many big ftp sites I have seen ~ftp owned by ftp had the SITE CHMOD command implemented as well. Either way, I just thought it might be good to raise the awareness level of setting up a secure anonymous ftp site. Chris -- Christopher William Klaus <cklaus@shadow.net> <iss@shadow.net> Internet Security Systems, Inc. Computer Security Consulting 2209 Summit Place Drive, Penetration Analysis of Networks Atlanta,GA 30350-2430. (404)998-5871.