httpd-dev mailing list archives

From Greg Stein <gst...@lyra.org>
Subject Re: locus.apache.org hacked by white hats; FTP down for good, bugzilla down until audited.
Date Thu, 04 May 2000 08:14:35 GMT
On Thu, 4 May 2000, Brian Behlendorf wrote:
> On Thu, 4 May 2000, James Sutherland wrote:
>...
> > > HTTP clients that there is no point to having it up, save for mirroring,
> > > and we allow rsync and cvsup for that.  I will be contacting the mirror
> > > site admins list to communicate this.
> > 
> > That may be overkill; simply replacing it with a read-only "integrated"
> > ftpd should do the trick? (i.e. no way to exec() anything, no way to
> > change content, minimal opportunity for buffer overflow exploits)
> 
> It's another daemon to have to worry about the security of, against buffer
> overflow attacks, misconfiguration, and the like.  There's only one ftp
> daemon I'd categorically trust, and that's DJB's "publicfile", but DJB
> decided to use a different format for rendering directory listings that
> make it largely unusable for browsing.
> 
> At this point, in my opinion, it's like asking why we don't support
> gopher.

Exactly. FTP for read-only provides nothing over HTTP. In fact, I can
argue that FTP/read-only is *worse* than HTTP.

IMO, nuke FTP and export files via HTTP only.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

