Marcus Cole wrote:
> Kenneth,
>
> Thanks for responding. Unfortunately, I'm not in the office to fix
> my permissions, so I will have to wait to see if it works. My only
> concern with the x permission was that it might allow someone to execute
> a file that they ftp'd to one of the directories and the potential
> security compromise this entails. Should I worry about this, or is that
> just an inherent risk of anonymous ftp access?
>
> Thanks again,
>
> Marcus
>
> >Marcus,
> >
> > The problem lies in your understanding of Unix (and therefore,
> >Linux) file permissions. When applied to a file which is a directory,
> >the 'x' permission actually means 'search'. Thus for all subdirectories
> >in 'pub', you have read permission, but do not have 'search' permission.
> >
> > What does this imply? What 'search' means is that if you have read
> >access to the directory, you may read its contents, however, you cannot
> >read the inodes of the files listed in the directory. 'ls <filename>'
> >produces its output from the contents of the parent directory, but 'ls
> ><filename>' has to read the inode of <filename> to produce its output.
Marcus,
I am not an expert on the possible security holes that can exist due to
anonymous ftp. I hope there is someone on the list who can tell us more. But
my understanding is that there is no way to execute via the ftp server, on
the server, a file which has been put there (by anonymous or normal ftp). The
only way you could execute a file would be through rexec or by telnetting in
- both of which require a non-anonymous id. An anonymous ftp id has always
been identified as a security problem, which is why ftp servers (for example
- the MVS & OS/390 ftp servers) which enable execute privileges do not allow
anonymous ids.
Securing your system for telnet and / or rexec is a whole different
ball-game. A starting point would be Security-HOWTO which is available on the
Linux Documentation Project site ( http://sunsite.unc.edu/mdw.ldp.html ) or
(if you have a recently released distribution) on your system in
/usr/doc/HOWTO.
Regards,
Kenneth
--
There is no such thing as luck. 'Luck' is nothing but an absence of bad luck.
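As an added example (not part of this thread), the shell script below demonstrates Kenneth's point about the directory 'x' (search) bit and Marcus's concern about uploaded files: it builds a throwaway 'pub' directory, toggles r and x on it, and records which operations succeed, then shows that a file without its own x bit cannot be executed even when the directory is searchable. It assumes a POSIX shell on Linux and an unprivileged user, since root bypasses these checks; the file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a POSIX shell on Linux and an
# unprivileged user: root bypasses directory r/x checks, so the demo refuses
# to run as root. File and directory names are constructed for the demo.
set -u

# Builds a scratch 'pub' directory, toggles its permission bits and reports
# which operations succeed. Output is one line of key=value pairs.
dir_perm_demo() {
    [ "$(id -u)" -ne 0 ] || { echo "run as a non-root user" >&2; return 2; }
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/pub"
    printf 'hello\n' > "$tmp/pub/readme.txt"
    chmod 644 "$tmp/pub/readme.txt"
    out=""
    # 444: read but no search (Marcus's subdirectories); 111: search but no read
    for mode in 444 111; do
        chmod "$mode" "$tmp/pub"
        list=denied; stat_=denied; read_=denied
        # listing names only needs r on the directory
        ls "$tmp/pub" >/dev/null 2>&1 && list=ok
        # reading an inode (ls -l <file>) needs x, i.e. search, on the directory
        ls -l "$tmp/pub/readme.txt" >/dev/null 2>&1 && stat_=ok
        # opening the file needs x on the directory plus r on the file itself
        cat "$tmp/pub/readme.txt" >/dev/null 2>&1 && read_=ok
        out="$out mode=$mode list=$list stat=$stat_ read=$read_"
    done
    # Marcus's worry: with x (search) restored on the directory, an uploaded
    # file still cannot be executed unless the file itself carries an x bit.
    chmod 755 "$tmp/pub"
    printf '#!/bin/sh\necho ran\n' > "$tmp/pub/upload.sh"
    chmod 644 "$tmp/pub/upload.sh"
    exec_=denied
    "$tmp/pub/upload.sh" >/dev/null 2>&1 && exec_=ok
    out="$out exec_without_x=$exec_"
    rm -rf "$tmp"
    echo "${out# }"
}

if [ "$(id -u)" -eq 0 ]; then
    echo "skipping: root bypasses these permission checks" >&2
else
    dir_perm_demo
fi
```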