[plug] ftpd query
Denis Brown
dsbrown at cyllene.uwa.edu.au
Tue Jun 8 13:35:22 WST 1999
Dear PLUG members,
Doubtless a simple query, but would like some confirmation that my thinking
is correct. Am especially paranoid about security.
Scenario: I want to set up an ftp resource from which a small group of
users can periodically download files, notably virus detector programme
updated signature files. There's one Linux (Debian slink) box and some
Wintel boxes. Ideally, when I find out how to batch run the Wintel side
ftp client, I could implement automatic download of updated virus
signatures on bootup, but that's another story.
Looking through the man pages for ftpd on anonymous ftp leads me to believe
that I could create security holes inadvertently. This has made me think
that a better way would be to assign a dummy user account on the Linux box
and let every Wintel user know about that account name and its password.
For want of a better name, call the Linux dummy user "virsigs".
So after I (as root) do a useradd I get a /home/virsigs directory and some
resource files. If I strip out the unwanted resource files, put in the
signature file(s) and make them read-only, then add a bin directory with a
symlink to ls and assign the directory and file permissions listed in the
man pages for anonymous ftp, have I done all that is necessary to:
a) prevent my Wintel users from clobbering the signature file(s) - I
suspect the answer is "yes"
b) enable my users to see a directory of the available file(s) - again I
suspect "yes"
c) prevent my users from seeing and accessing files in other directories?
- not sure about this one.
Alternatively, am I being too paranoid about the anonymous ftp account
mechanism?
TIA,
Denis
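
An added example, not part of the original post: a shell function that audits a download-only FTP home such as the /home/virsigs tree described above, flagging anything still writable, leftover resource files, symlinks that point outside the tree (such as a bin/ls link to the system ls), and files owned by the shared login. The function name, the finding labels and the optional LOGIN_USER argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit a download-only FTP home such as /home/virsigs.
# Usage: audit_ftp_home DIR [LOGIN_USER]
# Prints one finding per line; returns 0 only when nothing is flagged.
audit_ftp_home() {
    dir=$1
    user=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }
    findings=$(
        # 1. "Read-only" means no write bit at all on files or directories.
        find "$dir" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} \;
        # 2. Resource files left behind by useradd (.profile, .bashrc, ...).
        find "$dir" -name '.*' ! -path "$dir" -exec printf 'DOTFILE %s\n' {} \;
        # 3. Symlinks with an absolute target lead outside the tree, and
        #    resolve differently (or dangle) if the server chroots the login.
        find "$dir" -type l | while IFS= read -r link; do
            target=$(readlink "$link")
            case $target in
                /*) printf 'ABS_SYMLINK %s -> %s\n' "$link" "$target" ;;
            esac
        done
        # 4. A file's owner can always change its mode back, so nothing in
        #    the tree should belong to the shared login (assumption: the
        #    caller passes that login name as LOGIN_USER).
        if [ -n "$user" ] && id "$user" >/dev/null 2>&1; then
            find "$dir" ! -type l -user "$user" \
                -exec printf 'OWNED_BY_LOGIN %s\n' {} \;
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root after setting up the account, for example `audit_ftp_home /home/virsigs virsigs`, and again whenever new signature files are dropped in.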