Debian bug report logs - #1556
FTP gid = 50 ?

Package: wu-ftpd; Reported by: iwj10@cus.cam.ac.uk (Ian Jackson); Done: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>.

Message received at debian-bugs-done:


From server.et-inf.fho-emden.de!tobias Tue Oct 10 08:30:04 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t2gd1-000DdTC; Tue, 10 Oct 95 08:30 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA25183
  (5.67b/IDA-1.5 for debian-bugs-done-pipe@mongo.pixar.com); Tue, 10 Oct 1995 08:29:37 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
	id AA27026; Tue, 10 Oct 1995 16:19:38 +0100
Message-Id: <9510101519.AA27026@server.et-inf.fho-emden.de>
Subject: Re: Bug#1556: FTP gid = 50 ?
To: iwj10@cus.cam.ac.uk
Date: Tue, 10 Oct 1995 16:19:38 +0100 (MET)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Cc: debian-bugs-done@pixar.com
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk> from "Ian Jackson" at Oct 7, 95 02:51:00 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 462       

Ian Jackson wrote:
> However, I don't understand why you do this ?  Why not just list
> `staff' as `staff' in the FTP server's /etc/group ?

The next version will use "staff" instead of "ftp" in ~ftp/etc/group.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany

Notification sent to iwj10@cus.cam.ac.uk (Ian Jackson):
Bug acknowledged by developer. Full text available.
Reply sent to tobias@et-inf.fho-emden.de:
You have taken responsibility. Full text available.

Message received at debian-bugs:


From cus.cam.ac.uk!iwj10 Sat Oct  7 17:49:34 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1bFV-000HmMC; Sat, 7 Oct 95 08:33 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA26463
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 06:53:07 -0700
Received: by bootes.cus.cam.ac.uk 
	(Smail-3.1.29.0 #36) id m0t1Zgk-000BzVC; Sat, 7 Oct 95 14:53 BST
Received: by chiark
	id <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Sat, 7 Oct 95 14:51 BST
Message-Id: <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
Date: Sat, 7 Oct 95 14:51 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: debian-bugs@pixar.com
Subject: Re: Bug#1556: FTP gid = 50 ?
In-Reply-To: <9510070939.AA13470@server.et-inf.fho-emden.de>
References: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk>
	<9510070939.AA13470@server.et-inf.fho-emden.de>

Peter Tobias writes ("Re: Bug#1556: FTP gid = 50 ?"):
> [...]
> The home directory of ftp and its subdirectories are owned by root.root.
> I'm using the group "staff" (not the number 50) because there is no need
> to use the privileged group "root". The system administrator can change
> the whole ftp tree to group "staff" to allow them to change things in
> this area.

That sounds entirely sensible.

> The ~ftp/etc/group lists the group "staff" as group "ftp".

However, I don't understand why you do this ?  Why not just list
`staff' as `staff' in the FTP server's /etc/group ?

> I don't think it is anomalous or a bug. Why should the ftp account
> not use the group "staff". It's up to the system administrator to use it
> in the ftp file area.

I think it's good that it uses group `staff'.  I don't think it's good
that it confused me enough to make me wonder if there was a problem.

This effect may well cause other people to set permissions on
directories inappropriately, or even to try to split apart the `ftp'
and `staff' groups ...

Ian.

Acknowledgement sent to Ian Jackson <iwj10@cus.cam.ac.uk>:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From server.et-inf.fho-emden.de!tobias Sat Oct  7 17:42:03 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1aPW-000Hd9C; Sat, 7 Oct 95 07:39 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA22446
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 02:48:16 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
	id AA13470; Sat, 7 Oct 1995 10:39:44 +0100
Message-Id: <9510070939.AA13470@server.et-inf.fho-emden.de>
Subject: Re: Bug#1556: FTP gid = 50 ?
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Sat, 7 Oct 1995 10:39:43 +0100 (MET)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk> from "Ian Jackson" at Oct 6, 95 07:26:00 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1646      

Ian Jackson wrote:
> Package: wu-ftpd
> Version: 2.4-13
> 
> The wu-ftpd package installs a minimal /etc/group file in the anonftp
> area.  I don't remember whether it added a group with gid 50 to
> /etc/group, but it makes the ftp area owned by group 50, and lists gid
> 50 as `ftp' in the anon-FTP /etc/group.

The home directory of ftp and its subdirectories are owned by root.root.
I'm using the group "staff" (not the number 50) because there is no need
to use the privileged group "root". The system administrator can change
the whole ftp tree to group "staff" to allow them to change things in
this area. The ~ftp/etc/group lists the group "staff" as group "ftp".

computer-security/anonymous-ftp-faq:
| 1) Create the user ftp in /etc/passwd.  Use a misc group.  The user's home
| directory will be ~ftp where ~ftp is the root you wish anonymous users to
| see.  Creating this user turns on anonymous ftp.

> However, on my ~~ 0.93R5 system /etc/group contains group 50 as
> `staff', and that group owns /usr/local.

This was intentional :-).

> There doesn't appear to be a security problem, because the wu-ftpd
> doesn't ever seem (for example) to access files with gid 50, but this
> is anomalous and should be corrected.

I don't think it is anomalous or a bug. Why should the ftp account
not use the group "staff". It's up to the system administrator to use it
in the ftp file area.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany

Acknowledgement sent to tobias@et-inf.fho-emden.de:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.
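
Added example (not part of the original thread or of the wu-ftpd package): a check for the mismatch discussed above, where ~ftp/etc/group and the system /etc/group give the same gid different names. The file contents are constructed samples and the function names are hypothetical.

```python
"""Compare the group file inside an anonymous-FTP area with the system one."""
from collections import defaultdict

# Constructed samples, modelled on the thread: the system file names gid 50
# `staff`, the anon-FTP copy shipped with 2.4-13 names the same gid `ftp`.
SYSTEM_GROUP = "root:*:0:\nstaff:*:50:\n"
CHROOT_GROUP_2_4_13 = "# ~ftp/etc/group\nftp:*:50:\n"
CHROOT_GROUP_NEXT = "staff:*:50:\n"  # what the maintainer says the next version will use


def parse_group(text):
    """Parse group(5) text into {gid: [names]}; skip blanks, comments, bad lines."""
    by_gid = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line[0] in "+-":
            continue  # blank line, comment, or NIS compat entry
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed: expected name:passwd:gid[:members]
        by_gid[int(fields[2])].append(fields[0])
    return dict(by_gid)


def audit(system_text, chroot_text):
    """Return (kind, gid, chroot_name, detail) for each disagreement.

    gid-renamed: the system file knows this gid under another name.
    gid-unknown: the system file has no entry for this gid at all.
    name-reused: the system file uses this name for a different gid.
    """
    system = parse_group(system_text)
    chroot = parse_group(chroot_text)
    system_gid_of = {n: g for g, names in system.items() for n in names}
    findings = []
    for gid, names in sorted(chroot.items()):
        for name in names:
            sys_names = system.get(gid, [])
            if not sys_names:
                findings.append(("gid-unknown", gid, name, ""))
            elif name not in sys_names:
                findings.append(("gid-renamed", gid, name, ",".join(sys_names)))
            if name in system_gid_of and system_gid_of[name] != gid:
                detail = "system gid %d" % system_gid_of[name]
                findings.append(("name-reused", gid, name, detail))
    return findings


if __name__ == "__main__":
    for kind, gid, name, detail in audit(SYSTEM_GROUP, CHROOT_GROUP_2_4_13):
        print("%s: gid %d is `%s' in the FTP area (%s)" % (kind, gid, name, detail))
```

A name-reused finding is the case to look at first: there a name shown inside the FTP area refers to a different group than the same name does on the host.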

Message received at debian-bugs:


From cus.cam.ac.uk!iwj10 Sat Oct  7 17:41:31 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1amf-000HitC; Sat, 7 Oct 95 08:03 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA26463
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 06:53:07 -0700
Received: by bootes.cus.cam.ac.uk 
	(Smail-3.1.29.0 #36) id m0t1Zgk-000BzVC; Sat, 7 Oct 95 14:53 BST
Received: by chiark
	id <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Sat, 7 Oct 95 14:51 BST
Message-Id: <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
Date: Sat, 7 Oct 95 14:51 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: debian-bugs@pixar.com
Subject: Re: Bug#1556: FTP gid = 50 ?
In-Reply-To: <9510070939.AA13470@server.et-inf.fho-emden.de>
References: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk>
	<9510070939.AA13470@server.et-inf.fho-emden.de>

Peter Tobias writes ("Re: Bug#1556: FTP gid = 50 ?"):
> [...]
> The home directory of ftp and its subdirectories are owned by root.root.
> I'm using the group "staff" (not the number 50) because there is no need
> to use the privileged group "root". The system administrator can change
> the whole ftp tree to group "staff" to allow them to change things in
> this area.

That sounds entirely sensible.

> The ~ftp/etc/group lists the group "staff" as group "ftp".

However, I don't understand why you do this ?  Why not just list
`staff' as `staff' in the FTP server's /etc/group ?

> I don't think it is anomalous or a bug. Why should the ftp account
> not use the group "staff". It's up to the system administrator to use it
> in the ftp file area.

I think it's good that it uses group `staff'.  I don't think it's good
that it confused me enough to make me wonder if there was a problem.

This effect may well cause other people to set permissions on
directories inappropriately, or even to try to split apart the `ftp'
and `staff' groups ...

Ian.

Acknowledgement sent to Ian Jackson <iwj10@cus.cam.ac.uk>:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From cus.cam.ac.uk!iwj10 Sat Oct  7 17:40:58 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1aGr-000HfOC; Sat, 7 Oct 95 07:30 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA26463
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 06:53:07 -0700
Received: by bootes.cus.cam.ac.uk 
	(Smail-3.1.29.0 #36) id m0t1Zgk-000BzVC; Sat, 7 Oct 95 14:53 BST
Received: by chiark
	id <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Sat, 7 Oct 95 14:51 BST
Message-Id: <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
Date: Sat, 7 Oct 95 14:51 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: debian-bugs@pixar.com
Subject: Re: Bug#1556: FTP gid = 50 ?
In-Reply-To: <9510070939.AA13470@server.et-inf.fho-emden.de>
References: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk>
	<9510070939.AA13470@server.et-inf.fho-emden.de>

Peter Tobias writes ("Re: Bug#1556: FTP gid = 50 ?"):
> [...]
> The home directory of ftp and its subdirectories are owned by root.root.
> I'm using the group "staff" (not the number 50) because there is no need
> to use the privileged group "root". The system administrator can change
> the whole ftp tree to group "staff" to allow them to change things in
> this area.

That sounds entirely sensible.

> The ~ftp/etc/group lists the group "staff" as group "ftp".

However, I don't understand why you do this ?  Why not just list
`staff' as `staff' in the FTP server's /etc/group ?

> I don't think it is anomalous or a bug. Why should the ftp account
> not use the group "staff". It's up to the system administrator to use it
> in the ftp file area.

I think it's good that it uses group `staff'.  I don't think it's good
that it confused me enough to make me wonder if there was a problem.

This effect may well cause other people to set permissions on
directories inappropriately, or even to try to split apart the `ftp'
and `staff' groups ...

Ian.

Acknowledgement sent to Ian Jackson <iwj10@cus.cam.ac.uk>:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From server.et-inf.fho-emden.de!tobias Sat Oct  7 17:40:10 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1a9c-000HeSC; Sat, 7 Oct 95 07:23 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA22446
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 02:48:16 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
	id AA13470; Sat, 7 Oct 1995 10:39:44 +0100
Message-Id: <9510070939.AA13470@server.et-inf.fho-emden.de>
Subject: Re: Bug#1556: FTP gid = 50 ?
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Sat, 7 Oct 1995 10:39:43 +0100 (MET)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk> from "Ian Jackson" at Oct 6, 95 07:26:00 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1646      

Ian Jackson wrote:
> Package: wu-ftpd
> Version: 2.4-13
> 
> The wu-ftpd package installs a minimal /etc/group file in the anonftp
> area.  I don't remember whether it added a group with gid 50 to
> /etc/group, but it makes the ftp area owned by group 50, and lists gid
> 50 as `ftp' in the anon-FTP /etc/group.

The home directory of ftp and its subdirectories are owned by root.root.
I'm using the group "staff" (not the number 50) because there is no need
to use the privileged group "root". The system administrator can change
the whole ftp tree to group "staff" to allow them to change things in
this area. The ~ftp/etc/group lists the group "staff" as group "ftp".

computer-security/anonymous-ftp-faq:
| 1) Create the user ftp in /etc/passwd.  Use a misc group.  The user's home
| directory will be ~ftp where ~ftp is the root you wish anonymous users to
| see.  Creating this user turns on anonymous ftp.

> However, on my ~~ 0.93R5 system /etc/group contains group 50 as
> `staff', and that group owns /usr/local.

This was intentional :-).

> There doesn't appear to be a security problem, because the wu-ftpd
> doesn't ever seem (for example) to access files with gid 50, but this
> is anomalous and should be corrected.

I don't think it is anomalous or a bug. Why should the ftp account
not use the group "staff". It's up to the system administrator to use it
in the ftp file area.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany

Acknowledgement sent to tobias@et-inf.fho-emden.de:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From server.et-inf.fho-emden.de!tobias Sat Oct  7 23:31:39 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1ZxU-000HbGC; Sat, 7 Oct 95 07:10 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA22446
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 02:48:16 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
	id AA13470; Sat, 7 Oct 1995 10:39:44 +0100
Message-Id: <9510070939.AA13470@server.et-inf.fho-emden.de>
Subject: Re: Bug#1556: FTP gid = 50 ?
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Sat, 7 Oct 1995 10:39:43 +0100 (MET)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk> from "Ian Jackson" at Oct 6, 95 07:26:00 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1646      

Ian Jackson wrote:
> Package: wu-ftpd
> Version: 2.4-13
> 
> The wu-ftpd package installs a minimal /etc/group file in the anonftp
> area.  I don't remember whether it added a group with gid 50 to
> /etc/group, but it makes the ftp area owned by group 50, and lists gid
> 50 as `ftp' in the anon-FTP /etc/group.

The home directory of ftp and its subdirectories are owned by root.root.
I'm using the group "staff" (not the number 50) because there is no need
to use the privileged group "root". The system administrator can change
the whole ftp tree to group "staff" to allow them to change things in
this area. The ~ftp/etc/group lists the group "staff" as group "ftp".

computer-security/anonymous-ftp-faq:
| 1) Create the user ftp in /etc/passwd.  Use a misc group.  The user's home
| directory will be ~ftp where ~ftp is the root you wish anonymous users to
| see.  Creating this user turns on anonymous ftp.

> However, on my ~~ 0.93R5 system /etc/group contains group 50 as
> `staff', and that group owns /usr/local.

This was intentional :-).

> There doesn't appear to be a security problem, because the wu-ftpd
> doesn't ever seem (for example) to access files with gid 50, but this
> is anomalous and should be corrected.

I don't think it is anomalous or a bug. Why should the ftp account
not use the group "staff". It's up to the system administrator to use it
in the ftp file area.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany

Acknowledgement sent to tobias@et-inf.fho-emden.de:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From server.et-inf.fho-emden.de!tobias Sat Oct  7 23:21:18 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1ZPe-000HSmC; Sat, 7 Oct 95 06:35 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA22446
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 02:48:16 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
	id AA13470; Sat, 7 Oct 1995 10:39:44 +0100
Message-Id: <9510070939.AA13470@server.et-inf.fho-emden.de>
Subject: Re: Bug#1556: FTP gid = 50 ?
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Sat, 7 Oct 1995 10:39:43 +0100 (MET)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk> from "Ian Jackson" at Oct 6, 95 07:26:00 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1646      

Ian Jackson wrote:
> Package: wu-ftpd
> Version: 2.4-13
> 
> The wu-ftpd package installs a minimal /etc/group file in the anonftp
> area.  I don't remember whether it added a group with gid 50 to
> /etc/group, but it makes the ftp area owned by group 50, and lists gid
> 50 as `ftp' in the anon-FTP /etc/group.

The home directory of ftp and its subdirectories are owned by root.root.
I'm using the group "staff" (not the number 50) because there is no need
to use the privileged group "root". The system administrator can change
the whole ftp tree to group "staff" to allow them to change things in
this area. The ~ftp/etc/group lists the group "staff" as group "ftp".

computer-security/anonymous-ftp-faq:
| 1) Create the user ftp in /etc/passwd.  Use a misc group.  The user's home
| directory will be ~ftp where ~ftp is the root you wish anonymous users to
| see.  Creating this user turns on anonymous ftp.

> However, on my ~~ 0.93R5 system /etc/group contains group 50 as
> `staff', and that group owns /usr/local.

This was intentional :-).

> There doesn't appear to be a security problem, because the wu-ftpd
> doesn't ever seem (for example) to access files with gid 50, but this
> is anomalous and should be corrected.

I don't think it is anomalous or a bug. Why should the ftp account
not use the group "staff". It's up to the system administrator to use it
in the ftp file area.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany

Acknowledgement sent to tobias@et-inf.fho-emden.de:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From cus.cam.ac.uk!iwj10 Sat Oct  7 23:17:44 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1ZnM-000HZfC; Sat, 7 Oct 95 07:00 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA26463
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 06:53:07 -0700
Received: by bootes.cus.cam.ac.uk 
	(Smail-3.1.29.0 #36) id m0t1Zgk-000BzVC; Sat, 7 Oct 95 14:53 BST
Received: by chiark
	id <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Sat, 7 Oct 95 14:51 BST
Message-Id: <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
Date: Sat, 7 Oct 95 14:51 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: debian-bugs@pixar.com
Subject: Re: Bug#1556: FTP gid = 50 ?
In-Reply-To: <9510070939.AA13470@server.et-inf.fho-emden.de>
References: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk>
	<9510070939.AA13470@server.et-inf.fho-emden.de>

Peter Tobias writes ("Re: Bug#1556: FTP gid = 50 ?"):
> [...]
> The home directory of ftp and its subdirectories are owned by root.root.
> I'm using the group "staff" (not the number 50) because there is no need
> to use the privileged group "root". The system administrator can change
> the whole ftp tree to group "staff" to allow them to change things in
> this area.

That sounds entirely sensible.

> The ~ftp/etc/group lists the group "staff" as group "ftp".

However, I don't understand why you do this ?  Why not just list
`staff' as `staff' in the FTP server's /etc/group ?

> I don't think it is anomalous or a bug. Why should the ftp account
> not use the group "staff". It's up to the system administrator to use it
> in the ftp file area.

I think it's good that it uses group `staff'.  I don't think it's good
that it confused me enough to make me wonder if there was a problem.

This effect may well cause other people to set permissions on
directories inappropriately, or even to try to split apart the `ftp'
and `staff' groups ...

Ian.

Acknowledgement sent to Ian Jackson <iwj10@cus.cam.ac.uk>:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From server.et-inf.fho-emden.de!tobias Sat Oct  7 23:13:45 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1Zi8-000HYxC; Sat, 7 Oct 95 06:54 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA22446
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 02:48:16 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
	id AA13470; Sat, 7 Oct 1995 10:39:44 +0100
Message-Id: <9510070939.AA13470@server.et-inf.fho-emden.de>
Subject: Re: Bug#1556: FTP gid = 50 ?
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Sat, 7 Oct 1995 10:39:43 +0100 (MET)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk> from "Ian Jackson" at Oct 6, 95 07:26:00 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1646      

Ian Jackson wrote:
> Package: wu-ftpd
> Version: 2.4-13
> 
> The wu-ftpd package installs a minimal /etc/group file in the anonftp
> area.  I don't remember whether it added a group with gid 50 to
> /etc/group, but it makes the ftp area owned by group 50, and lists gid
> 50 as `ftp' in the anon-FTP /etc/group.

The home directory of ftp and its subdirectories are owned by root.root.
I'm using the group "staff" (not the number 50) because there is no need
to use the privileged group "root". The system administrator can change
the whole ftp tree to group "staff" to allow them to change things in
this area. The ~ftp/etc/group lists the group "staff" as group "ftp".

computer-security/anonymous-ftp-faq:
| 1) Create the user ftp in /etc/passwd.  Use a misc group.  The user's home
| directory will be ~ftp where ~ftp is the root you wish anonymous users to
| see.  Creating this user turns on anonymous ftp.

> However, on my ~~ 0.93R5 system /etc/group contains group 50 as
> `staff', and that group owns /usr/local.

This was intentional :-).

> There doesn't appear to be a security problem, because the wu-ftpd
> doesn't ever seem (for example) to access files with gid 50, but this
> is anomalous and should be corrected.

I don't think it is anomalous or a bug. Why should the ftp account
not use the group "staff". It's up to the system administrator to use it
in the ftp file area.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany

Acknowledgement sent to tobias@et-inf.fho-emden.de:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From cus.cam.ac.uk!iwj10 Sat Oct  7 23:13:30 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1Zgz-000HZgC; Sat, 7 Oct 95 06:53 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA26463
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 06:53:07 -0700
Received: by bootes.cus.cam.ac.uk 
	(Smail-3.1.29.0 #36) id m0t1Zgk-000BzVC; Sat, 7 Oct 95 14:53 BST
Received: by chiark
	id <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Sat, 7 Oct 95 14:51 BST
Message-Id: <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
Date: Sat, 7 Oct 95 14:51 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: debian-bugs@pixar.com
Subject: Re: Bug#1556: FTP gid = 50 ?
In-Reply-To: <9510070939.AA13470@server.et-inf.fho-emden.de>
References: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk>
	<9510070939.AA13470@server.et-inf.fho-emden.de>

Peter Tobias writes ("Re: Bug#1556: FTP gid = 50 ?"):
> [...]
> The home directory of ftp and its subdirectories are owned by root.root.
> I'm using the group "staff" (not the number 50) because there is no need
> to use the privileged group "root". The system administrator can change
> the whole ftp tree to group "staff" to allow them to change things in
> this area.

That sounds entirely sensible.

> The ~ftp/etc/group lists the group "staff" as group "ftp".

However, I don't understand why you do this ?  Why not just list
`staff' as `staff' in the FTP server's /etc/group ?

> I don't think it is anomalous or a bug. Why should the ftp account
> not use the group "staff". It's up to the system administrator to use it
> in the ftp file area.

I think it's good that it uses group `staff'.  I don't think it's good
that it confused me enough to make me wonder if there was a problem.

This effect may well cause other people to set permissions on
directories inappropriately, or even to try to split apart the `ftp'
and `staff' groups ...

Ian.

Acknowledgement sent to Ian Jackson <iwj10@cus.cam.ac.uk>:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From server.et-inf.fho-emden.de!tobias Sat Oct  7 22:51:02 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1Z8z-000HWyC; Sat, 7 Oct 95 06:18 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA22446
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 02:48:16 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
	id AA13470; Sat, 7 Oct 1995 10:39:44 +0100
Message-Id: <9510070939.AA13470@server.et-inf.fho-emden.de>
Subject: Re: Bug#1556: FTP gid = 50 ?
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Sat, 7 Oct 1995 10:39:43 +0100 (MET)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk> from "Ian Jackson" at Oct 6, 95 07:26:00 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1646      

Ian Jackson wrote:
> Package: wu-ftpd
> Version: 2.4-13
> 
> The wu-ftpd package installs a minimal /etc/group file in the anonftp
> area.  I don't remember whether it added a group with gid 50 to
> /etc/group, but it makes the ftp area owned by group 50, and lists gid
> 50 as `ftp' in the anon-FTP /etc/group.

The home directory of ftp and its subdirectories are owned by root.root.
I'm using the group "staff" (not the number 50) because there is no need
to use the privileged group "root". The system administrator can change
the whole ftp tree to group "staff" to allow them to change things in
this area. The ~ftp/etc/group lists the group "staff" as group "ftp".

computer-security/anonymous-ftp-faq:
| 1) Create the user ftp in /etc/passwd.  Use a misc group.  The user's home
| directory will be ~ftp where ~ftp is the root you wish anonymous users to
| see.  Creating this user turns on anonymous ftp.

> However, on my ~~ 0.93R5 system /etc/group contains group 50 as
> `staff', and that group owns /usr/local.

This was intentional :-).

> There doesn't appear to be a security problem, because the wu-ftpd
> doesn't ever seem (for example) to access files with gid 50, but this
> is anomalous and should be corrected.

I don't think it is anomalous or a bug. Why should the ftp account
not use the group "staff"? It's up to the system administrator to use it
in the ftp file area.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany

Acknowledgement sent to tobias@et-inf.fho-emden.de:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.
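
The mismatch discussed in the message above (gid 50 named `staff' in the host's /etc/group but `ftp' in ~ftp/etc/group) can be checked mechanically. The following is an added example, not part of the original mail or of the wu-ftpd package; the sample group files are constructed and all function names are hypothetical.

```python
#!/usr/bin/env python3
"""Compare a chroot's etc/group with the host's /etc/group (added example)."""
import re
import sys

# Constructed sample data modelled on the report: the host names gid 50
# "staff", while the anonymous-FTP area's etc/group names the same gid "ftp".
SYSTEM_GROUP = "root:*:0:\nstaff:*:50:\nnogroup:*:65534:\n"
CHROOT_GROUP = "root:*:0:\nftp:*:50:\n"


def parse_group(text):
    """Parse group(5) text into a list of (name, gid) in file order.

    Blank lines, comments, NIS-style "+"/"-" entries and lines without a
    plain decimal gid in the third field are skipped rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 3 or not re.fullmatch(r"[0-9]+", fields[2]):
            continue
        entries.append((fields[0], int(fields[2])))
    return entries


def gid_to_name(entries):
    """Map gid -> name; the first entry for a gid wins, as in a linear scan."""
    table = {}
    for name, gid in entries:
        table.setdefault(gid, name)
    return table


def label(gid, table):
    """Name a listing would show for gid, or the bare number if unmapped."""
    return table.get(gid, str(gid))


def compare(system_text, chroot_text):
    """Return sorted findings (kind, key, host_value, chroot_value).

    gid-renamed     : same gid, different group name inside the chroot
    name-regid      : same group name, different gid inside the chroot
    chroot-only-gid : gid named in the chroot but unknown to the host
    """
    sys_entries = parse_group(system_text)
    jail_entries = parse_group(chroot_text)
    sys_by_gid = gid_to_name(sys_entries)
    jail_by_gid = gid_to_name(jail_entries)
    sys_by_name = {}
    for name, gid in sys_entries:
        sys_by_name.setdefault(name, gid)

    findings = []
    for gid, jail_name in jail_by_gid.items():
        if gid not in sys_by_gid:
            findings.append(("chroot-only-gid", gid, None, jail_name))
        elif sys_by_gid[gid] != jail_name:
            findings.append(("gid-renamed", gid, sys_by_gid[gid], jail_name))

    seen = set()
    for name, gid in jail_entries:
        if name in seen:
            continue
        seen.add(name)
        if name in sys_by_name and sys_by_name[name] != gid:
            findings.append(("name-regid", name, sys_by_name[name], gid))
    # Keys are unique within a kind, so sorting on (kind, key) is total.
    return sorted(findings, key=lambda f: f[:2])


if __name__ == "__main__":
    # Usage: script.py [system-group-file chroot-group-file]
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            host, jail = a.read(), b.read()
    else:
        host, jail = SYSTEM_GROUP, CHROOT_GROUP
    for kind, key, host_val, jail_val in compare(host, jail):
        print(f"{kind}: {key}: host={host_val} chroot={jail_val}")
```

Run without arguments it reports the constructed gid 50 case; given two file paths it compares a real /etc/group with the copy inside the FTP area.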

Message received at debian-bugs:


From cus.cam.ac.uk!iwj10 Sat Oct  7 09:35:48 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1cDz-000HtkC; Sat, 7 Oct 95 09:35 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA26463
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 06:53:07 -0700
Received: by bootes.cus.cam.ac.uk 
	(Smail-3.1.29.0 #36) id m0t1Zgk-000BzVC; Sat, 7 Oct 95 14:53 BST
Received: by chiark
	id <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Sat, 7 Oct 95 14:51 BST
Message-Id: <m0t1Zf4-0002aNZ@chiark.al.cl.cam.ac.uk>
Date: Sat, 7 Oct 95 14:51 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: debian-bugs@pixar.com
Subject: Re: Bug#1556: FTP gid = 50 ?
In-Reply-To: <9510070939.AA13470@server.et-inf.fho-emden.de>
References: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk>
	<9510070939.AA13470@server.et-inf.fho-emden.de>

Peter Tobias writes ("Re: Bug#1556: FTP gid = 50 ?"):
> [...]
> The home directory of ftp and its subdirectories are owned by root.root.
> I'm using the group "staff" (not the number 50) because there is no need
> to use the privileged group "root". The system administrator can change
> the whole ftp tree to group "staff" to allow them to change things in
> this area.

That sounds entirely sensible.

> The ~ftp/etc/group lists the group "staff" as group "ftp".

However, I don't understand why you do this ?  Why not just list
`staff' as `staff' in the FTP server's /etc/group ?

> I don't think it is anomalous or a bug. Why should the ftp account
> not use the group "staff". It's up to the system administrator to use it
> in the ftp file area.

I think it's good that it uses group `staff'.  I don't think it's good
that it confused me enough to make me wonder if there was a problem.

This effect may well cause other people to set permissions on
directories inappropriately, or even to try to split apart the `ftp'
and `staff' groups ...

Ian.

Acknowledgement sent to Ian Jackson <iwj10@cus.cam.ac.uk>:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.
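
The naming mismatch discussed in this thread (gid 50 is `staff` in the system /etc/group but `ftp` in ~ftp/etc/group) can be checked mechanically. The following is an added example, not part of the original messages or of the wu-ftpd package; the function names and the sample file contents are constructed for illustration.

```python
"""Report gids that an anonymous-FTP etc/group names differently from /etc/group."""
import sys

# Constructed sample data mirroring the thread: the system file names gid 50
# "staff", while the copy inside the anonymous-FTP area names it "ftp".
SYSTEM_GROUP = """\
root:*:0:
staff:*:50:
users:*:100:
"""
CHROOT_GROUP = """\
root:*:0:
ftp:*:50:
"""


def parse_group(text):
    """Return {gid: [names]} from group(5) text (name:passwd:gid:members).

    Blank lines, comment lines and lines without a numeric gid are skipped.
    """
    by_gid = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        by_gid.setdefault(int(fields[2]), []).append(fields[0])
    return by_gid


def group_name_mismatches(system_text, chroot_text):
    """Find chroot group entries whose name is not the system's name for that gid.

    Each finding records the gid, the name used inside the chroot, the name(s)
    the system uses for the same gid, and the gid (if any) that the chroot's
    name refers to on the system itself.
    """
    system = parse_group(system_text)
    chroot = parse_group(chroot_text)
    system_gid_of = {n: gid for gid, names in system.items() for n in names}
    findings = []
    for gid in sorted(chroot):
        for name in chroot[gid]:
            if name in system.get(gid, []):
                continue  # same name for the same gid on both sides
            findings.append({
                "gid": gid,
                "chroot_name": name,
                "system_names": system.get(gid, []),
                "system_gid_of_name": system_gid_of.get(name),
            })
    return findings


def describe(finding):
    """Render one finding as a line an administrator can act on."""
    outside = ", ".join(finding["system_names"]) or "no group"
    text = "gid %d: chroot says '%s', system says %s" % (
        finding["gid"], finding["chroot_name"], outside)
    other = finding["system_gid_of_name"]
    if other is not None:
        text += " (and '%s' is gid %d on the system)" % (
            finding["chroot_name"], other)
    return text


if __name__ == "__main__":
    # Usage: script.py /etc/group <ftp home>/etc/group
    # With no arguments the constructed samples above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            system_text = f.read()
        with open(sys.argv[2]) as f:
            chroot_text = f.read()
    else:
        system_text, chroot_text = SYSTEM_GROUP, CHROOT_GROUP
    for item in group_name_mismatches(system_text, chroot_text):
        print(describe(item))
```

Listing `staff` as `staff` in the FTP area's group file, as suggested in the message above, makes the check return no findings.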

Message received at debian-bugs:


From server.et-inf.fho-emden.de!tobias Sat Oct  7 17:40:34 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1adl-000Hi9C; Sat, 7 Oct 95 07:54 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA22446
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 7 Oct 1995 02:48:16 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
	id AA13470; Sat, 7 Oct 1995 10:39:44 +0100
Message-Id: <9510070939.AA13470@server.et-inf.fho-emden.de>
Subject: Re: Bug#1556: FTP gid = 50 ?
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Sat, 7 Oct 1995 10:39:43 +0100 (MET)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk> from "Ian Jackson" at Oct 6, 95 07:26:00 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1646      

Ian Jackson wrote:
> Package: wu-ftpd
> Version: 2.4-13
> 
> The wu-ftpd package installs a minimal /etc/group file in the anonftp
> area.  I don't remember whether it added a group with gid 50 to
> /etc/group, but it makes the ftp area owned by group 50, and lists gid
> 50 as `ftp' in the anon-FTP /etc/group.

The home directory of ftp and its subdirectories are owned by root.root.
I'm using the group "staff" (not the number 50) because there is no need
to use the privileged group "root". The system administrator can change
the whole ftp tree to group "staff" to allow them to change things in
this area. The ~ftp/etc/group lists the group "staff" as group "ftp".

computer-security/anonymous-ftp-faq:
| 1) Create the user ftp in /etc/passwd.  Use a misc group.  The user's home
| directory will be ~ftp where ~ftp is the root you wish anonymous users to
| see.  Creating this user turns on anonymous ftp.

> However, on my ~~ 0.93R5 system /etc/group contains group 50 as
> `staff', and that group owns /usr/local.

This was intentional :-).

> There doesn't appear to be a security problem, because the wu-ftpd
> doesn't ever seem (for example) to access files with gid 50, but this
> is anomalous and should be corrected.

I don't think it is anomalous or a bug. Why should the ftp account
not use the group "staff". It's up to the system administrator to use it
in the ftp file area.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany

Acknowledgement sent to tobias@et-inf.fho-emden.de:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.

Message received at debian-bugs:


From thor.cam.ac.uk!iwj10 Fri Oct  6 11:27:00 1995
Return-Path: <iwj10@thor.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t1HU4-000BD7C; Fri, 6 Oct 95 11:27 PDT
Received: from hammer.thor.cam.ac.uk by pixar.com with SMTP id AA04726
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 6 Oct 1995 11:26:39 -0700
Received: by hammer.thor.cam.ac.uk 
	(Smail-3.1.29.0 #77) id m0t1HTx-000JfBC; Fri, 6 Oct 95 19:26 BST
Message-Id: <m0t1HTx-000JfBC@hammer.thor.cam.ac.uk>
Date: Fri, 6 Oct 95 19:26 BST
Sender: iwj10@thor.cam.ac.uk (Ian Jackson)
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: debian-bugs@pixar.com
Subject: FTP gid = 50 ?

Package: wu-ftpd
Version: 2.4-13

The wu-ftpd package installs a minimal /etc/group file in the anonftp
area.  I don't remember whether it added a group with gid 50 to
/etc/group, but it makes the ftp area owned by group 50, and lists gid
50 as `ftp' in the anon-FTP /etc/group.

However, on my ~~ 0.93R5 system /etc/group contains group 50 as
`staff', and that group owns /usr/local.

There doesn't appear to be a security problem, because the wu-ftpd
doesn't ever seem (for example) to access files with gid 50, but this
is anomalous and should be corrected.

Ian.

Acknowledgement sent to iwj10@cus.cam.ac.uk (Ian Jackson):
New bug report received and forwarded. Full text available.
Report forwarded to debian-devel@pixar.com:
Bug#1556; Package wu-ftpd. Full text available.
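
The mismatch discussed in this report (gid 50 named `staff' in the system /etc/group but `ftp' in ~ftp/etc/group) can be checked for mechanically. The following is an added example, not part of the bug log or of the wu-ftpd package; the function name and the sample group entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list gids that carry a different group name in the
# anonymous-FTP area's etc/group than in the system /etc/group.
# usage: group_name_mismatches SYSTEM_GROUP_FILE CHROOT_GROUP_FILE
group_name_mismatches() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        NF < 3 || $3 !~ /^[0-9]+$/ { next }    # skip malformed entries
        FILENAME == ARGV[1] {                  # system file: remember gid -> name
            sys[$3] = $1                       # (last entry wins on duplicate gids)
            next
        }
        ($3 in sys) && sys[$3] != $1 {         # chroot file: same gid, other name
            printf "gid %s: system=%s chroot=%s\n", $3, sys[$3], $1
        }
    ' "$1" "$2"
}

# Constructed sample data mirroring the report: gid 50 is "staff" on the
# system but is listed as "ftp" inside the FTP area.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:*:0:' 'staff:*:50:' > "$tmp/system"
    printf '%s\n' 'root:*:0:' 'ftp:*:50:'   > "$tmp/chroot"
    group_name_mismatches "$tmp/system" "$tmp/chroot"
    rm -rf "$tmp"
}

demo
```

On a real system the two arguments would be /etc/group and the etc/group file under the ftp user's home directory.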
Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov