BSD/OS 3.0 comes without any anonymous ftp set up out-of-the-box.
Configuration of anonymous ftp is provided by the perl script
/usr/sbin/config_anonftp (for those who don't just set this up by hand).
A problem seems to exist in the following lines of this script:
©_file("/etc", "group", "$ftp{\"DIR\"}/etc", 0444);
©_file("/etc", "pwd.db", "$ftp{\"DIR\"}/etc", 0444);
What ever happened to creating dummy group and passwd files for anonymous
ftp? This script copies the full system group and pwd.db files where
anyone can get them. While pwd.db contains no password information (as
does spwd.db), it makes it trivial to gather a full list of users and the
info found in the other fields of the passwd file. I do realize that if
config_anonftp is run before any system accounts are setup, pwd.db and
group would not contain any unique system information.
Wouldn't it be safer if config_anonftp constructed dummy group and pwd.db
files? The -d option to pwd_mkdb seems ideal for this purpose. Again, if
any of this information is known, I apologize.
Sincerely,
trey
<trey@analog.org>
The Analog Organization