what to do when you've been rooted

Rick Moen rick at linuxmafia.com
Tue Jan 23 12:32:43 PST 2001


begin  E Frank Ball quotation:

> thttpd from www.acme.com shows sym-links.

That's good.  I'll have to try it.  I've only really played with Apache
and Boa.  (I assume you mean "shows" them in the sense of indicating
that they are symlinks.  Apache and Boa "show" symlinks in a fashion
indistinguishable from the files or directories they point to.)

That's the biggest thing I miss on typical httpd output compared to an
ftpd.  The others are (1) _complete_ filesizes (not rounded), which can
be crucial for telling at a glance whether the remote file differs from
your local copy, and (2) rights masks.  The owning user and group are
usually conveyed correctly by random ftpds, and special file attributes
other than symlink and directory seldom are needed in remote file
displays.

Thanks.

> How many people on this list are trying to set up machines for remote
> installs?

No idea.  I run installfests, as do many Linux user groups, so this
matter should be of interest to LUGs generally.

But the point is that there is information lossage in going from httpd +
ftpd to httpd-only.  That lossage may or may not matter to particular
individuals, but just telling them "ftp is obsolete" is doing them no
favour.  

The best argument against httpd + ftpd is the security one -- but I have
not found that compelling after trying the smaller, faster,
better-designed, not-overfeatured variety of ftpd typified by oftpd,
Ranum's aftpd, Trollftpd, and pftpd.

> The average joe seems to think that stuff shipped with
> redhat/suse/turbo is secure and this just isn't the case.  I want to
> point out as many alternatives to running an ftp daemon as I can.

The average Joe seems to have a difficult time understanding why Proftpd
isn't a significant improvement over wu-ftpd, because its design is
inherently complex (which is A Bad Thing from the security perspective),
and because he's still going to be sending plaintext passwords across
the open Internet.

> For the less sophisticated user running ftp is best avoided.

I would say:  Run a _suitable_ ftpd if you need an ftpd.  (These wu-ftp
versus Proftpd discussions are rather clue-deficient.)

-- 
Cheers,                                      "Reality is not optional."
Rick Moen                                             -- Thomas Sowell
rick at linuxmafia.com
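The "information lossage" the post describes (symlinks shown as their targets, rounded sizes, no rights masks) can be made concrete with a small ftpd-style lister. This is an added example, not code from the post or from any of the ftpds it names; it assumes Python 3 on a Unix host (it uses the `pwd` and `grp` modules) and builds a constructed temporary directory to list.

```python
import os
import stat
import tempfile
import pwd
import grp
from datetime import datetime

def format_entry(dirpath, name):
    """Return an ls -l style line for one entry, the way an ftpd LIST does.
    lstat() is used so a symlink is reported as a symlink, not as its target."""
    path = os.path.join(dirpath, name)
    st = os.lstat(path)
    mode = stat.filemode(st.st_mode)          # rights mask, e.g. 'lrwxrwxrwx' for a symlink
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    mtime = datetime.fromtimestamp(st.st_mtime).strftime("%b %d %H:%M")
    display = name
    if stat.S_ISLNK(st.st_mode):
        display = f"{name} -> {os.readlink(path)}"   # httpd indexes hide this
    # st_size is the exact byte count, not a rounded "1.2K"
    return f"{mode} {st.st_nlink:>3} {owner:<8} {group:<8} {st.st_size:>10} {mtime} {display}"

def listing(dirpath):
    """ftpd-style listing of a directory, sorted by name."""
    return [format_entry(dirpath, n) for n in sorted(os.listdir(dirpath))]

def demo():
    """Constructed sample: a 1234-byte file, a subdirectory and a symlink."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "kernel.img"), "wb") as f:
        f.write(b"\x00" * 1234)               # an httpd index would round this to '1.2K'
    os.mkdir(os.path.join(d, "dists"))
    os.symlink("kernel.img", os.path.join(d, "vmlinuz"))
    return listing(d)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Comparing this output with the same directory served by an httpd index shows exactly which fields (symlink target, exact size, mode bits) are lost.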


