[plug] ftpd query

Christian christian at global.net.au
Wed Jun 9 11:47:58 WST 1999


Matt Kemner wrote:

> But the anonymous account is "another enabled account on your machine"
> where everybody in the world has the password.

Untrue.  It's a disabled account.

daisy:~# grep ftp /etc/shadow
ftp:!:10751:0:99999:7:::

> I prefer to delete the anonymous account (user "ftp") and create a
> passworded guest account instead.  The guest account has no more access to
> your system than the ftp account does.

If you use a guest account then there are a couple of differences to
using anonymous FTP.  The surface difference is of course the
requirement of providing a password to obtain access.  This may be a
good thing or it may be a bad thing, depending on how you look at it. 
If you don't care who accesses it then there's no reason to have a
password (in which case anonymous FTP is better) although if you do
somewhat limit who can access it then a passworded guest account is
obviously the appropriate solution.  Either way, the security measures
relate to the requirements of the system - neither is insecure in this
respect, they just match different requirements.

The second difference is that the Unix FTP account has no password -
it's just a disabled account with an invalid shell.  The FTP server is
configured to recognise the ftp/anonymous account as special and allow
access without a password.  My understanding of a guest account is that
there is a new Unix account with a new password (the password that the
FTP server authenticates by) which means you HAVE created a new account
on your system.  Moreover, it's an enabled account to which you're
telling more than one person the password.  Sure, no one can log into
that account via any mechanism but FTP (and then into a chrooted
environment) but that situation could easily just be temporary.  Adding
new services or seemingly unrelated changes to your system's
configuration *could* make it vulnerable since you still have an enabled
account.  It's unlikely but possible and security is about minimising
possibilities.

You say that the guest account has no more access than the ftp account
but this isn't really true.  As I pointed out above, "ftp" is a disabled
account.  Your guest account is an enabled but passworded account.  This
is the difference between the two and a disabled account *has* to be
more secure than an enabled one.

> > In general when people try and develop their own "homebrew" solution to
> > making something they need done more secure they end up opening a whole
> > host of new potential security problems.
> 
> That is very true, but the method I posted here, although complicated, was
> not at all homebrew - it is _the_ method of setting up guest accounts,
> which ftpd has supported for many years.  I just posted it here because I
> remember when I first set it up I had trouble finding the information, and
> thought someone might find it useful.

I know, I wasn't describing your technique as "homebrew" (although
wu-ftpd makes it seem like it is!).  If anything I was referring to
Denis' original plan but I was more speaking in general. :)

Regards,

Christian.

-- 
========================================================================
I'm not trying to give users what they want, I'm trying to give them
freedom, which they can then accept or reject. If people don't want
freedom, they may be out of luck with me, but I won't allow them to 
define for me what is right, what is worth spending my life for.
                                                    - Richard Stallman
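
Added example, not part of the original message: a small audit that reads shadow(5) and passwd(5) entries and lists which barriers (locked password, invalid shell) stand between each account and a login, to show the disabled-versus-enabled distinction discussed above. Only the "ftp" shadow line comes from the post; every other account, hash, path and the shell list are constructed assumptions.

```python
"""Which accounts rely on a single barrier to stay un-loggable?"""

# Constructed sample data; only the "ftp" shadow line is taken from the post.
SHADOW = """\
root:$1$constructed$0123456789abcdefghijkl:10751:0:99999:7:::
ftp:!:10751:0:99999:7:::
guest:$1$constructed$mnopqrstuvwxyz01234567:10751:0:99999:7:::
olduser:!$1$constructed$89abcdefghijklmnopqrst:10751:0:99999:7:::
nopass::10751:0:99999:7:::
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:100:65534::/home/ftp:/bin/false
guest:x:1001:1001::/home/guest:/bin/false
olduser:x:1002:1002::/home/olduser:/bin/bash
nopass:x:1003:1003::/home/nopass:/bin/bash
"""
SHELLS = {"/bin/sh", "/bin/bash"}  # assumed contents of /etc/shells


def password_state(field):
    """Interpret the second field of a shadow(5) entry."""
    if field == "":
        return "empty"    # no password is required at all
    if field[0] in "!*":
        return "locked"   # no typed password can ever match
    return "enabled"      # a real hash: some password works


def audit(shadow_text, passwd_text, valid_shells):
    """Map each account to (password state, list of barriers present)."""
    shells = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7:
            shells[parts[0]] = parts[6] or "/bin/sh"  # empty means /bin/sh
    report = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue  # skip malformed lines
        name, state = parts[0], password_state(parts[1])
        barriers = ["password locked"] if state == "locked" else []
        if shells.get(name) not in valid_shells:
            barriers.append("no valid shell")
        report[name] = (state, barriers)
    return report
```

Printing audit(SHADOW, PASSWD, SHELLS) shows "ftp" with both barriers and the constructed "guest" account with only the shell barrier; an account with an enabled or empty password and fewer than two barriers is the one to review whenever a new service is added.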

