The default umask for wu-ftpd 2.4.2-beta-13 is 002. Since most users on most sites are in the same group, all files created by users PUTting files would be group writeable by anyone. Not a good thing. The offending code is in "ftpd.c" line 259:

    #if !defined(CMASK) || CMASK == 0
    #undef CMASK
    #define CMASK 002
    #endif

Changing CMASK 002 to CMASK 022 will fix this.

===========================================================================

If you aren't easily able to recompile your wu-ftpd, but you are able to edit its entry in inetd.conf, invoking it with the switch "-u022" will also let you set the default umask to 022 (you can even use "-u077", if you're feeling paranoid or fascist).

===========================================================================

This is from the Solaris 2.x FAQ: http://www.wins.uva.nl/pub/solaris/solaris2/

3.48) How can I prevent daemons from creating mode 666 files?

By default, all daemons inherit the umask 0 from init. This is most problematic for a service like ftp, which in a standard configuration leaves all uploaded files with mode 666. To get daemons to use another umask execute the following commands in /bin/sh and reboot:

    umask 022   # make sure umask.sh gets created with the proper mode
    echo "umask 022" > /etc/init.d/umask.sh
    for d in /etc/rc?.d
    do
        ln /etc/init.d/umask.sh $d/S00umask.sh
    done

Note: the trailing ".sh" of the scriptname is important; if you don't specify it, the script will be executed in a sub-shell, not in the main shell that executes all other scripts.

===========================================================================

There is a potentially serious bug in ftpd.c in wu-ftpd beta 13. I have no idea if it exists in previous betas. I don't think this was a problem in beta 11, but I've not kept any older source. If you are not running beta 13, check this against your source.
During anonymous login, the /./ is not clipped off the struct passwd pw->pw_dir field that is saved as the chroot directory in ftpd.c. Because the /./ is still on the end of the pw->pw_dir field, upl_check() 'upload' directive processing will fail in extensions.c because the file name paths will not compare. It is highly unlikely that the upload directive root path would also have the /./ on the end.

If upload directive processing fails for the anonymous user, sites that depend on upload directives to properly set incoming file permissions could find their site security compromised. For example, it is fairly common to set incoming files to not be readable to the anonymous user; this prevents files from being traded through an anonymous site without the permission of the owner. With this bug, all uploaded files are owned by the anonymous user, with default permissions set by CMASK.

Here is a patch for wu-ftpd beta 13:

--- ftpd.c.orig Thu Jun 19 22:59:21 1997 +++ ftpd.c Thu Jun 19 23:01:26 1997 @@ -1560,12 +1560,7 @@ pw->pw_dir = sgetsave(virtual_root); } #endif - if (anonymous) { - if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) { - reply(550, "Can't set guest privileges."); - goto bad; - } - } else if (guest) { + if (anonymous || guest) { char *sp; /* determine root and home directory */

===========================================================================
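Review bot: the hunk removes the anonymous branch's own failure handling (`reply(550, "Can't set guest privileges."); goto bad;`) and sends anonymous logins down the guest branch, but the guest branch's chroot()/chdir() error handling lies beyond the visible context after `/* determine root and home directory */`, so confirm that the merged path still replies 550 and jumps to bad when chroot() or chdir() fails, and that it strips the trailing "/./" from pw->pw_dir before upl_check() compares it, since that stripping is the whole fix the text above relies on.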
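The failure described in the post above, as an added illustration that is not wu-ftpd's own code: a small C model of splitting the "/./" marker out of pw_dir into chroot root and jail-relative home, and of an exact-match upload-root check that fails while the marker is still attached (the real upl_check() logic is not reproduced; split_guest_dir and anon_upload_check are hypothetical helpers).

```c
#include <stdio.h>
#include <string.h>
#define GUEST_MARK "/./"     /* wu-ftpd's root/home separator in pw_dir */

/* Split "/home/ftp/./pub" into the chroot root ("/home/ftp") and the home
 * inside the jail ("/pub"). Without a marker the whole string is the root
 * and the home is "/". Hypothetical helper; returns -1 if a buffer is small. */
int split_guest_dir(const char *pw_dir, char *root, size_t rlen,
                    char *home, size_t hlen)
{
    const char *mark = strstr(pw_dir, GUEST_MARK);
    size_t rootlen = mark ? (size_t)(mark - pw_dir) : strlen(pw_dir);
    const char *rest = mark ? mark + strlen(GUEST_MARK) : "";

    if (rootlen + 1 > rlen || strlen(rest) + 2 > hlen)
        return -1;
    if (rootlen == 0) {              /* "/./pub": the root is "/" itself */
        strcpy(root, "/");
    } else {
        memcpy(root, pw_dir, rootlen);
        root[rootlen] = '\0';
    }
    snprintf(home, hlen, "/%s", rest);
    return 0;
}

/* Model an upload-directive check as an exact string match between the
 * login's chroot root and the root named in the directive (an assumption
 * for this example). strip_marker == 0 mirrors the beta 13 anonymous path,
 * where pw_dir still carries "/./" when it is compared. */
int anon_upload_check(const char *pw_dir, const char *upload_root,
                      int strip_marker)
{
    char root[256], home[256];
    if (!strip_marker)
        return strcmp(pw_dir, upload_root) == 0;
    if (split_guest_dir(pw_dir, root, sizeof root, home, sizeof home) < 0)
        return 0;                    /* unusable pw_dir: treat as no match */
    return strcmp(root, upload_root) == 0;
}

int main(void)
{
    /* Constructed sample: anonymous pw_dir with trailing marker, plus the
     * root an administrator would name in an upload directive. */
    const char *pw_dir = "/home/ftp/./", *upl = "/home/ftp";
    printf("unstripped match: %d\n", anon_upload_check(pw_dir, upl, 0));
    printf("stripped match:   %d\n", anon_upload_check(pw_dir, upl, 1));
    return 0;
}
```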