[293] in Release_7.7_team


should we do something or tell someone about this?

daemon@ATHENA.MIT.EDU (dryfoo@MIT.EDU)
Mon Mar 13 13:34:04 1995

From: dryfoo@MIT.EDU
To: release-team@MIT.EDU
Cc: belville@MIT.EDU, kcunning@MIT.EDU, f_l@MIT.EDU
Date: Mon, 13 Mar 1995 13:33:34 EST


} RISKS-LIST: RISKS-FORUM Digest Fri 24 February 1995 Volume 16 : Issue 84
} ----------------------------------------------------------------------
} 
} Date: Wed, 22 Feb 1995 17:03:38 +1494730 (PST)
} From: Christopher Klaus <cklaus@iss.net>
} Subject: Old manuals, new features = security holes
} 
} Many vendors' man pages, books, and magazine articles dealing with
} setting up an anonymous FTP server recommend something that is a
} possible security vulnerability.  The security flaw is a result of old
} manual pages and new features being added to ftpd.  They recommend the
} following:
} 
}      ~ftp)
}           Make the home directory owned by ``ftp'' and unwritable
}           by anyone.
} 
} A new feature added to many ftpd servers is "SITE CHMOD" -- which allows
} you to change the permissions on a directory.  If the main directory is
} owned by ftp, then an anonymous ftp user can SITE CHMOD the main
} directory from unwritable to writable.  Once this has happened, they
} can add certain files to the main directory that would allow them shell
} access to the ftp account, thus to further compromise the system.
} 
} Many sites keep their incoming directory un-readable so that the
} administrator has a chance to verify files before allowing others to
} grab them.  An intruder could undo all these permissions and even trojan
} existing ftp files.
} 
} To fix these problems, make sure the home directory is owned by root and
} that all files and directories are not owned by ftp.  Unless you want
} anonymous ftp to be able to modify what is on your ftp server.
} 
} For other security concerns, I have written an Anonymous FTP Security FAQ
} (Frequently Asked Questions) that is available by sending mail to
} info@iss.net with "send Index" in the subject or body of the message.
} 
} Internet Security Systems, Inc.		Computer Security Consulting
} 2000 Miller Court West, Norcross, GA 30071

Are we using this updated ftpd?  Do we plan to?  I know that at least
one of our documents (in an old or draft version perhaps) had some
instructions about setting up a workstation as an ftp server, including
the directions above that could create the vulnerability.

Have we, or somebody else official, helped users with private
workstations (like f'rinstance faculty with dept clusters) set up as ftp
servers?  Do we need to propagate and explain this warning?  etc.

-- Chicken Little
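The following audit script is an added illustration of the fix the forwarded RISKS post recommends (FTP home directory owned by root, nothing under it owned by the "ftp" account, and no world-writable directories beyond the designated incoming drop box). It is not code from this thread, from ISS, or from any ftpd. It assumes a POSIX sh and find(1), and that the anonymous account's numeric uid is passed in, so it can be run on a host that has no "ftp" user; the sample tree it builds is constructed in a temporary directory, and, because only root can chown files to another account, the current uid stands in for the anonymous uid when demonstrating the vulnerable layout.

```shell
#!/bin/sh
# Anonymous FTP ownership and mode audit (added example; assumptions in the
# lead-in above).  Run it against a real FTP root with the real ftp uid:
#   ftp_root_is_safe /home/ftp "$(id -u ftp)" /home/ftp/incoming

# Print every file or directory under the FTP root owned by the given uid.
# On a correctly configured server this prints nothing: root owns the home
# directory and everything beneath it, so SITE CHMOD from an anonymous
# client cannot loosen their permissions.  POSIX find accepts a numeric
# uid for -user, so no "ftp" entry in /etc/passwd is required.
ftp_owned_paths() {
    root=$1
    anon_uid=$2
    find "$root" -user "$anon_uid" -print
}

# Print every world-writable directory under the FTP root except the one
# named as the drop box (the "incoming" directory), which may be writable
# but must still not be owned by the anonymous uid.
unexpected_writable_dirs() {
    root=$1
    incoming=$2
    find "$root" -type d -perm -002 ! -path "$incoming" -print
}

# Summary check: succeeds (exit 0) only when nothing under the root is
# owned by the anonymous uid and no directory other than the incoming
# drop box is world-writable.
ftp_root_is_safe() {
    root=$1
    anon_uid=$2
    incoming=$3
    n=$(ftp_owned_paths "$root" "$anon_uid" | wc -l | tr -d ' ')
    m=$(unexpected_writable_dirs "$root" "$incoming" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] && [ "$m" -eq 0 ]
}

# Constructed demonstration tree; no real ftpd is involved.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/pub" "$demo_root/incoming"
echo "example listing" > "$demo_root/pub/README"
chmod 755 "$demo_root" "$demo_root/pub"
chmod 644 "$demo_root/pub/README"
chmod 733 "$demo_root/incoming"   # writable drop box, unreadable to others

# First run: the current uid stands in for "ftp", reproducing the layout
# the RISKS post warns about (FTP home and contents owned by the ftp user).
me=$(id -u)
echo "== treating uid $me as the anonymous account (vulnerable layout) =="
ftp_owned_paths "$demo_root" "$me"
if ftp_root_is_safe "$demo_root" "$me" "$demo_root/incoming"; then
    echo "safe"
else
    echo "UNSAFE: chown the tree to root and re-check"
fi

# Second run: a uid that is not ours stands in for a real ftp account on a
# host where root owns the tree.  Nothing is reported.
other_uid=65534
[ "$me" -ne 65534 ] || other_uid=65533
echo "== treating uid $other_uid as the anonymous account (recommended layout) =="
if ftp_root_is_safe "$demo_root" "$other_uid" "$demo_root/incoming"; then
    echo "safe"
else
    echo "UNSAFE"
fi

rm -r "$demo_root"
```

The ownership check is the one that matters for the SITE CHMOD problem: a directory's mode can be changed by its owner regardless of what the mode currently is, so a read-only ftp-owned home directory offers no protection once the server lets the anonymous user issue chmod. The writable-directory check is a second pass that catches a drop box or other directory that has already been opened up.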

