httpd-dev mailing list archives

From James Sutherland <ja...@cam.ac.uk>
Subject Re: locus.apache.org hacked by white hats; FTP down for good, bugzilla down until audited.
Date Thu, 04 May 2000 12:26:32 GMT
On Thu, 4 May 2000, Brian Behlendorf wrote:
> On Thu, 4 May 2000, James Sutherland wrote:
(snip)
> > > HTTP clients that there is no point to having it up, save for mirroring,
> > > and we allow rsync and cvsup for that.  I will be contacting the mirror
> > > site admins list to communicate this.
> > 
> > That may be overkill; simply replacing it with a read-only "integrated"
> > ftpd should do the trick? (i.e. no way to exec() anything, no way to
> > change content, minimal opportunity for buffer overflow exploits)
> 
> It's another daemon to have to worry about the security of, against buffer
> overflow attacks, misconfiguration, and the like.  There's only one ftp
> daemon I'd categorically trust, and that's DJB's "publicfile", but DJB
> decided to use a different format for rendering directory listings that
> makes it largely unusable for browsing.
> 
> At this point, in my opinion, it's like asking why we don't support
> gopher.

I suppose so; there is a certain irony in an HTTP server being distributed
over another protocol...

While I have used FTP for installations on relatively dedicated servers
(i.e. no Lynx, etc.), presumably the mirror sites will continue supporting
FTP; I doubt SunSITE etc. will be removing it soon!


James.

