[263] in linux-security and linux-alert archive
wu-ftpd and /proc again
daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Wed Jun 14 19:47:30 1995
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 14 Jun 1995 21:58:52 +0200 (MET DST)

Hi,

so far I received mail from two people who confirm the wu-ftpd+shadow+/proc
security hole, so that's not just me. This is a more general problem with
/proc (not only with wu-ftpd) - interesting things under /proc/pid are owned
by the euid (== the user logged in via ftp) of the process. My previous fix
is not enough - one can still read /proc/pid/mem, and write to other files
kept open by ftpd (like wtmp or xferlog). I reported this to Linus so it
will hopefully be fixed soon. The proc(5) man page says (in the "BUGS"
section): "The /proc file system totally destroys the security of your
system. This needs fixing before 1.2" - hopefully we can fix it before
1.2.12 or so... The current kernel is 1.2.10 and it is still vulnerable.

A quick fix is to create a new group "proc", add the following commands
to your startup files after mounting /proc:

    chmod 550 /proc
    chown root.proc /proc

Now make all commands which need /proc (ps, top, w, ...) setgid proc,
and reboot. This seems to work, but is really only a temporary fix.

Regards,
Marek Michalkiewicz
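
A way to verify that the quick fix described above is actually in place after a reboot, as an added example that is not part of the original post. The function names are hypothetical, the tool paths in the usage comment are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit the "group proc" quick fix from the message above.
# Directory, owner and group are parameters so the checks can also be
# exercised on a scratch directory.
# Usage (tool paths are assumptions; adjust to your system):
#   audit_proc_fix /proc root proc /bin/ps /usr/bin/top /usr/bin/w

# check_proc_dir DIR OWNER GROUP: DIR must be mode 550, owned OWNER:GROUP.
check_proc_dir() {
    dir=$1 owner=$2 group=$3
    actual=$(stat -c '%a %U %G' "$dir") || return 2
    if [ "$actual" = "550 $owner $group" ]; then
        return 0
    fi
    echo "FAIL $dir: is '$actual', want '550 $owner $group'" >&2
    return 1
}

# check_setgid_tool FILE GROUP: FILE must belong to GROUP and be setgid,
# otherwise it loses access to the restricted directory.
check_setgid_tool() {
    file=$1 group=$2
    fgroup=$(stat -c '%G' "$file") || return 2
    if [ "$fgroup" != "$group" ]; then
        echo "FAIL $file: group is '$fgroup', want '$group'" >&2
        return 1
    fi
    if [ ! -g "$file" ]; then
        echo "FAIL $file: setgid bit not set" >&2
        return 1
    fi
    return 0
}

# audit_proc_fix DIR OWNER GROUP TOOL...: run every check, report all
# failures, return non-zero if any check failed.
audit_proc_fix() {
    dir=$1 owner=$2 group=$3
    shift 3
    rc=0
    check_proc_dir "$dir" "$owner" "$group" || rc=1
    for tool in "$@"; do
        check_setgid_tool "$tool" "$group" || rc=1
    done
    return $rc
}
```

Run it from the same startup file, after the chmod and chown, so a missed setgid bit on ps, top or w shows up at boot rather than as a broken command later.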