[4663] in bugtraq
wu-ftpd 2.4.2-beta-13 default UMASK hole
daemon@ATHENA.MIT.EDU (Steve VanDevender)
Wed Jun 11 19:54:14 1997
Date: Wed, 11 Jun 1997 12:28:29 -0700
Reply-To: Steve VanDevender <stevev@HEXADECIMAL.UOREGON.EDU>
From: Steve VanDevender <stevev@HEXADECIMAL.UOREGON.EDU>
X-To: "Roy M. Hooper" <rhooper@TOYBOX.OTTAWA.ON.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199706111606.MAA22533@toybox.ottawa.on.ca>
Roy M. Hooper writes:
> The default umask for wu-ftpd 2.4.2-beta-13 is 002.
> Since most users on most sites are in the same group, all files created by
> users PUTting files would be group writeable by anyone. Not a good thing.
>
> The offending code is in "ftpd.c" line 259:
> #if !defined(CMASK) || CMASK == 0
> #undef CMASK
> #define CMASK 002
> #endif
>
> Changing CMASK 002 to CMASK 022 will fix this.
If you aren't easily able to recompile your wu-ftpd, but you are able to
edit its entry in inetd.conf, invoking it with the switch "-u022" will
also let you set the default umask to 022 (you can even use "-u077", if
you're feeling paranoid or fascist).
