D. J. Bernstein
Internet publication
publicfile
How to install publicfile
The configure program
The httpd program
The ftpd program
Log information
User's guide
File types
Notes on performance
publicfile is discussed on the
publicfile mailing list.
What is it?
publicfile supplies files to the public through HTTP and FTP.
Security features:
- Before accepting any commands,
publicfile chroot()s to the public file area and sheds root privileges.
- publicfile doesn't let users log in.
Intruders can't use publicfile to check your usernames and passwords.
- publicfile refuses to supply files that are unreadable to owner,
unreadable to group, or unreadable to world.
- publicfile never attempts to modify the public file area.
It refuses all HTTP and FTP modification commands.
- publicfile never runs any other programs.
It does not support HTTP CGI or FTP SITE EXEC.
- publicfile avoids bug-prone libraries such as stdio.
- The publicfile FTP server uses local ports above 1024 for PORT connections.
- The publicfile FTP server prohibits remote ports below 1024 for PORT.
- The publicfile FTP server prohibits PORT relaying.
- The publicfile FTP server includes automatic PASV IP protection.
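The readability rule in the list above (refuse any file that is unreadable to owner, group, or world), written out in C as an added example; this is not publicfile's own code. The names open_public and served_with_mode and the /tmp scratch path are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read bits for owner, group and world: all three must be set. */
#define ALL_READ (S_IRUSR | S_IRGRP | S_IROTH)

/* Open path read-only. Returns a descriptor, or -1 if the file cannot be
   opened or lacks any of the three read bits. fstat() runs on the open
   descriptor, so the bits checked belong to the file that would be sent. */
static int open_public(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    if (fstat(fd, &st) == -1 || (st.st_mode & ALL_READ) != ALL_READ) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: make a scratch file with the given mode and report
   whether open_public() serves it (1) or refuses it (0); -1 on setup error. */
static int served_with_mode(mode_t mode)
{
    char path[] = "/tmp/public_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    close(fd);
    if (chmod(path, mode) == -1) { unlink(path); return -1; }
    fd = open_public(path);
    unlink(path);
    if (fd == -1) return 0;
    close(fd);
    return 1;
}

int main(void)
{
    mode_t modes[] = { 0644, 0444, 0640, 0604, 0044 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++)
        printf("%04o -> %s\n", (unsigned)modes[i],
               served_with_mode(modes[i]) == 1 ? "served" : "refused");
    return 0;
}
```

A file that is private to its owner or group (0640, 0604) is refused even though the server process could read it, so a file dropped into the public area with restrictive permissions is not published by accident.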
HTTP features:
- publicfile supports virtual hosts through the Host field.
- publicfile supports virtual hosts through absolute URLs.
- publicfile supports HTTP/1.1 persistent connections.
- publicfile supports HTTP/1.1 chunked responses.
- publicfile supports user-controlled content types.
- publicfile supports exact-prefix If-Modified-Since.
FTP features:
- publicfile has built-in LIST and NLST commands.
You don't have to bother setting up bin/ls, shared libraries, et al.
inside the public file area.
- publicfile provides EPLF LIST responses,
including options "i", "s", and "m".
- publicfile supports restarted transfers.
- publicfile supports pipelining.
Other HTTP servers and FTP servers
Apache
is a big, powerful HTTP server,
by far the most widely installed server on the Internet.
Unfortunately,
the code base has a history of security problems:
Apache before version 1.1.3
allowed remote users to take over the web server,
and Apache before version 1.2.5 (1998-01)
allowed local users to take over the web server.
Are the authors confident that no such problems will ever happen again?
Similar comments apply to
wu-ftpd,
the most widely installed FTP server on the Internet.
wu-ftpd has had several bugs
that allowed remote users to take over the entire machine:
one fixed in version 2.0 (1993-04),
one fixed in version 2.4 (1994-04),
one fixed in version 2.4.2-beta18-VR10 (1998-11),
one fixed in version 2.6.0 (1999-10),
one fixed in version 2.6.1 (2000-07),
and one fixed in version 2.6.2 (2001-11).
ProFTPD
has had several bugs
that allowed remote users to take over the entire machine:
one fixed in version 1.2.0pre2 (1999-02),
one fixed in version 1.2.0pre4 (1999-09),
one fixed in version 1.2.0pre5 (1999-09),
one fixed in version 1.2.0pre6 (1999-09),
one fixed in version 1.2.0pre8 (1999-10),
and
one fixed in version 1.2.0rc1 (2000-07).
As of 2000-07,
ProFTPD continues to be advertised as a ``secure'' FTP server.
Many versions of the BSD ftpd,
including the HP-UX 10 ftpd
and the ``audited'' OpenBSD 2.7 ftpd,
have had a bug allowing remote users to take over the entire machine.
Some versions of
fhttpd
allowed remote users to take over the entire machine.
``I don't think bugs of this kind are left in it,'' the author says.
How much is he willing to bet?
I found security holes in
thttpd,
fixed in version 2.05 (1999-11),
allowing remote users to take over the web server
under typical configurations.
I've heard that there were also security holes
fixed in version 2.04 (1998-08);
I don't know how severe they were.
As of 1999-11,
thttpd continues to be advertised as a ``secure'' HTTP server.
It ``goes to great lengths to protect the web server machine
against attacks and breakins from other sites,''
the author says.
On the bright side,
I haven't heard about any security holes in
aftpd
or
mathopd.
For more information on HTTP server security
(and browser security), see
Lincoln D. Stein's
WWW Security FAQ.
Hey, what about Windows?
Microsoft's web server for Windows, IIS,
has had at least four different security holes
allowing remote users to take over the machine.
It has also had several security holes
allowing remote users to corrupt files or steal files.
The BisonWare FTP server for Windows,
the Cat Soft Serv-U FTP server for Windows,
the Caltech ExpressFS FTP server for Windows,
the Omnicron OmniHTTPD HTTP server for Windows,
and
the WFTPD FTP server for Windows
have each had security holes
allowing remote users to take over the machine.