[322] in linux-security and linux-alert archive
Re: wu-ftp - visible passwords.
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Tue Aug 15 05:19:37 1995
From: okir@monad.swb.de (Olaf Kirch)
To: jsdy@cais.cais.com (Joseph S. D. Yao)
Date: Mon, 14 Aug 1995 22:45:53 +0200 (MET DST)
Cc: dtscott@scott.net, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199508141501.LAA16468@cais2.cais.com> from "Joseph S. D. Yao" at Aug 14, 95 11:01:52 am
Joe Yao wrote:
>
> > [mod: I don't see this as a real problem, but it might interest
> > some of you nevertheless. Followups to Derric, please. --okir]
>
> I'm afraid that I must disagree with your evaluation.
Point taken. I should have been more specific on this. The reason why I
believe this is not one of those wu-ftp bugs is that this happens only
when the user logs in anonymously. Below's the ps output for an anon
session, and a user session:
16511 con S 0:00 -monad.swb.de: anonymous/okir@monad.swb.de: IDLE
16514 con S 0:00 -monad.swb.de: okir: IDLE
I admit that I have been a bit too rash in dismissing the problems a user
mistake may cause.
If you feel you should protect your users from shooting themselves in the
foot, you can either disable this feature altogether by undefining
SETPROCTITLE in config.h, or by applying the tiny patch below. It simply
adds a little plausibility check by making sure there's an at sign in
the password before putting it in argv.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
------------------------------------------------------------------
--- ftpd.c.orig Mon Aug 14 22:28:18 1995
+++ ftpd.c Mon Aug 14 22:41:11 1995
@@ -1197,7 +1197,8 @@
#ifdef SETPROCTITLE
sprintf(proctitle, "%s: anonymous/%.*s", remotehost,
sizeof(proctitle) - sizeof(remotehost) -
- sizeof(": anonymous/"), passwd);
+ sizeof(": anonymous/"),
+ strchr(passwd, '@')? passwd : "<bad password>");
setproctitle("%s", proctitle);
#endif /* SETPROCTITLE */
if (logging)
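Review bot: the strchr(passwd, '@') test on the added line is only a presence check, so a real password that happens to contain an '@' anywhere (or a string with several '@' characters, or embedded whitespace) is still copied into the process title unchanged and stays visible to ps, which is exactly the exposure this hunk is meant to close. Consider requiring a single '@' with non-empty text on both sides and no whitespace, or, simpler still, put only the part after the '@' into the title, since the host portion is what an administrator normally wants to see. The "%.*s" width is unchanged here but still depends on remotehost being an array (so that sizeof(remotehost) over-reserves rather than under-reserves); worth confirming while this line is being touched, because with a pointer that bound would not protect proctitle.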
------------------------------------------------------------------
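As an added illustration of the plausibility check the mail describes (this is not Olaf's patch and not wu-ftpd code), the helper below decides whether an anonymous-FTP "password" looks like the conventional e-mail address before it is allowed into the process title, and otherwise substitutes the same "<bad password>" marker. The function names, the rules (exactly one '@', non-empty local and host parts, no whitespace or control characters, host part limited to letters, digits, '.' and '-') and the use of snprintf instead of a computed "%.*s" width are all assumptions made for this example; they are stricter than the single strchr() in the patch so that a mistyped real password containing an '@' is also kept out of argv.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helper (not wu-ftpd's own): return 1 if the string an
 * anonymous user typed as a password looks like an e-mail address and is
 * therefore safe to show in the process title, 0 otherwise.  The goal is
 * that a real account password typed by mistake never reaches argv, where
 * any local user can read it with ps. */
static int looks_like_email(const char *passwd)
{
    const char *at;
    const char *p;

    if (passwd == NULL)
        return 0;

    at = strchr(passwd, '@');
    /* exactly one '@', with something on both sides of it */
    if (at == NULL || at == passwd || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return 0;

    /* no whitespace or control characters anywhere in the string */
    for (p = passwd; *p != '\0'; p++)
        if (isspace((unsigned char)*p) || iscntrl((unsigned char)*p))
            return 0;

    /* host part: letters, digits, '.' and '-' only (assumed rule) */
    for (p = at + 1; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return 0;

    return 1;
}

/* Build the "host: anonymous/xxx" title the way the patched ftpd does, but
 * with the stricter check above and a bounded write.  Returns the number of
 * characters snprintf would have written, like snprintf itself. */
static int build_anon_title(char *out, size_t outlen,
                            const char *remotehost, const char *passwd)
{
    const char *shown = looks_like_email(passwd) ? passwd : "<bad password>";

    return snprintf(out, outlen, "%s: anonymous/%s", remotehost, shown);
}

int main(void)
{
    /* constructed sample inputs: one proper anonymous login, one slip */
    const char *samples[] = { "okir@monad.swb.de", "p@ssw0rd!", "s3cret" };
    char title[128];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        build_anon_title(title, sizeof(title), "monad.swb.de", samples[i]);
        printf("%-20s -> %s\n", samples[i], title);
    }
    return 0;
}
```

The second sample is the case the plain strchr() check would let through: it contains an '@' but is clearly not an address, so it is replaced rather than displayed.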