[360] in RedHat Linux List
Re: possibly serious security hole in colgate -- anonftp
daemon@ATHENA.MIT.EDU (Elliot Lee)
Tue Oct 22 09:38:41 1996
Date: Tue, 22 Oct 1996 09:33:53 -0400 (EDT)
From: Elliot Lee <sopwith@cuc.edu>
Reply-To: Elliot Lee <sopwith@cuc.edu>
To: redhat-list@redhat.com
In-Reply-To: <Pine.LNX.3.95.961021234744.3235A-100000@karpes.stu.rpi.edu>
Resent-From: redhat-list@redhat.com
On Mon, 21 Oct 1996, Simon Karpen wrote:
> On a clean install of RedHat 4.0 (I had 3.0.3, but chose to mkfs the
> partition anyway, as I prefer a clean install), there is a serious security
> hole in anonftp that I have managed to exploit on my own machine.
>
> The directory /home/ftp is writable by the user ftp, which allows a user
> at any site to obtain a copy of any world readable file on the machine,
> including /etc/passwd (only significant if you are not using shadow),
> among others.

Unless you have a specific exploit script you'd care to share, I'd guess
that this is not true. Anonymous users are chrooted into /home/ftp, so
that /home/ftp becomes the new /, and they can't do things like make
symlinks or anything. And /home/ftp/etc/passwd doesn't (or rather,
shouldn't) have any real password entries - by default it is just a
skeleton one to.

> The shared libraries in ~ftp/lib are also writable by the user ftp. This
> allows for serious security problems, as these shared libraries could be
> overwritten with "interesting" stuff.
>
> It is also questionable whether the files in this directory should even be
> owned by root.root or ftp.ftp.

For anonymous users (at least) wu-ftpd doesn't go by directory permissions
alone for determining whether a person is allowed to upload files or not.
'man 5 ftpaccess' will get you all the details.

I just installed the anonftp package that comes with 4.0, here's my ls -lR:

/home/ftp# ls -lR
total 5
drwxr-xr-x 2 root bin 512 Aug 16 1995 bin
drwxr-xr-x 2 root bin 512 Aug 16 1995 dev
drwxr-xr-x 2 root bin 512 Aug 16 1995 etc
drwxr-sr-x 4 111 wheel 512 Apr 20 1996 pub
drwxr-xr-x 3 root bin 512 Aug 16 1995 usr

bin:
total 14
-rwxr-xr-x 1 root bin 13336 Aug 16 1995 ls

dev:
total 0

etc:
total 2
-r--r--r-- 1 root bin 246 Aug 16 1995 group
-r--r--r-- 1 root bin 147 Aug 16 1995 passwd

pub:
total 4027
-rw-r--r-- 1 111 wheel 272808 Feb 11 1996 Fetch_2.1.2
-rw-r--r-- 1 sopwith wheel 623403 Aug 30 1995 RaPlayer_1.0_PPC.hqx
-rw-r--r-- 1 111 wheel 486 Feb 7 1996 campus.html
drwxr-sr-x 3 root wheel 512 Mar 24 1996 linux
drwxr-xr-x 2 web wheel 512 Oct 8 1995 sdatest
-rw-r----- 1 111 wheel 3180991 Apr 20 1996 wcnav.exe

pub/linux:
total 1
drwxr-sr-x 2 root wheel 512 Mar 24 1996 netrpm

pub/linux/netrpm:
total 4
-rw-r--r-- 1 sopwith wheel 3748 Mar 24 1996 netrpm-0.8.tar.gz

pub/sdatest:
total 3
-rw------- 1 web users 1130 Oct 8 1995 churchletter
-rw-r--r-- 1 web users 63 Oct 8 1995 testpage.html

usr:
total 1
drwxr-xr-x 2 root bin 512 Aug 16 1995 lib

usr/lib:
total 552
-r-xr-xr-x 1 root bin 40960 Aug 16 1995 ld.so
-rwxr-xr-x 1 root bin 516096 Aug 16 1995 libc.so.1.6

Are you sure something didn't go weird?
-- Elliot
http://www.redhat.com/
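
The condition reported in the quoted message (entries under /home/ftp owned by, or writable by, the ftp account) can be checked mechanically instead of read off an ls -lR listing. The script below is an added example, not part of the original message or of the anonftp package; the function name audit_anonftp and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP chroot tree for entries the FTP
# account could modify through filesystem permissions alone.
# wu-ftpd's ftpaccess upload rules are a separate control and are not
# examined here.

# audit_anonftp ROOT FTPUSER
#   ROOT    - top of the anonymous FTP tree (assumed: /home/ftp)
#   FTPUSER - login name or numeric uid of the FTP account (assumed: ftp)
#   Prints one finding per line. Returns 0 if clean, 1 if there are
#   findings, 2 if the tree could not be scanned.
audit_anonftp() {
    root=$1
    ftpuser=$2
    if [ ! -d "$root" ]; then
        echo "audit_anonftp: $root is not a directory" >&2
        return 2
    fi

    # Entries owned by the FTP account: the owner can always chmod them,
    # so the current mode bits offer no protection.
    owned=$(find "$root" ! -type l -user "$ftpuser" -print) || return 2

    # Entries writable through the group or other permission bits.
    writable=$(find "$root" ! -type l \
        \( -perm -0020 -o -perm -0002 \) -print) || return 2

    rc=0
    if [ -n "$owned" ]; then
        printf '%s\n' "$owned" | sed 's/^/OWNED /'
        rc=1
    fi
    if [ -n "$writable" ]; then
        printf '%s\n' "$writable" | sed 's/^/WRITABLE /'
        rc=1
    fi
    return "$rc"
}

# Example invocation for the tree discussed in this thread:
#   audit_anonftp /home/ftp ftp
```

A clean run prints nothing and returns 0; any OWNED or WRITABLE line outside a deliberately configured upload directory is worth a closer look.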