[15780] in bugtraq


proftpd non-root patch

daemon@ATHENA.MIT.EDU (Lamagra Argamal)
Fri Jul 14 14:03:38 2000

Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=====================_889472414==_"
Message-Id:  <20000714104906.31736.qmail@fiver.freemessage.com>
Date:         Fri, 14 Jul 2000 10:49:06 -0000
Reply-To: Lamagra Argamal <lamagra@HACKERMAIL.NET>
From: Lamagra Argamal <lamagra@HACKERMAIL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

--=====================_889472414==_
Content-Type: text/plain; charset="us-ascii"

When a proftpd server is running on a high port (> 1024), it doesn't need root privileges anymore to bind a data connection to the ftpport-1. My patch checks for this and drops uid 0 after authentication.

The next snippets are from my proftp-1.2 running on port 2021.
<-snip->
[root@bubbles proftpd-1.2]# ps uax|grep proftpd
lamagra    490  1.5  1.0  1376  1008  ?  S    09:28   0:00 proftpd: lamagra - lo
nobody     487  0.0  0.8  1356   776  ?  S    09:28   0:00 proftpd (accepting co
[root@bubbles proftpd-1.2]# grep Uid /proc/490/status
Uid:    500     500     500     500
[root@bubbles proftpd-1.2]# grep Gid /proc/490/status
Gid:    500     500     500     500
<-snap->

As you can see, it runs fully without privileges after authentication.

---> If you don't like non-standard things, stop reading here <--

My patch also includes an extra option: by setting the option "NonrootServer" on in the config file of proftpd, it doesn't use ftpport-1 as a data port. It is replaced with a dynamically assigned (by the kernel) port; these are high ports. If this feature is selected, all privileges are dropped after authentication, as seen in the next snippet.

<-snip->
tcp        1      0 localhost:1285          localhost:1284          TIME_WAIT
This is the data connection bound to a high port.

ftp        527  0.0  0.8  1396   848  ?  S    09:31   0:00 proftpd: ftp - localh
Uid:    14      14      14      14

In proftpd.conf:
NonrootServer                   on
<-snap->
I don't see any problems with this except that the RFC says ftpport-1. If anyone can see a problem, please contact me as I'd like to know.

-lamagra
http://lamagra.seKure.de


--=====================_889472414==_
Content-Type: application/octet-stream; name="proftp.patch"
Content-Transfer-Encoding: base64
Content-Description: proftp.patch
Content-Disposition: attachment; filename="proftp.patch"
--=====================_889472414==_--
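An added example, not part of the original post or of the proftpd patch: a C check of the two conditions the message relies on, namely whether ftpport-1 falls in the privileged range and whether the Uid/Gid lines of /proc/<pid>/status show no ID 0 in any column. It assumes the default Linux rule that ports below 1024 are privileged; the function and enum names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: default Linux rule, binding a port below 1024 needs root. */
#define PRIV_PORT_LIMIT 1024

enum drop_state { IDS_PARSE_ERROR = -1, IDS_ROOT, IDS_REGAINABLE, IDS_DROPPED };

/* The post's "ftpport-1": the data port is the control port minus one. */
int data_port_needs_root(int ctrl_port)
{
    return (ctrl_port - 1) < PRIV_PORT_LIMIT;
}

/* Classify the "Uid:" or "Gid:" line of /proc/<pid>/status text.
 * Columns are the real, effective, saved-set and filesystem IDs. */
enum drop_state classify_ids(const char *status, const char *key)
{
    size_t klen = strlen(key);
    const char *line = status;
    unsigned r, e, s, f;

    while (line && *line) {
        if (strncmp(line, key, klen) == 0) {
            if (sscanf(line + klen, "%u %u %u %u", &r, &e, &s, &f) != 4)
                return IDS_PARSE_ERROR;
            if (e == 0 || f == 0)
                return IDS_ROOT;        /* acting with ID 0 right now */
            if (r == 0 || s == 0)
                return IDS_REGAINABLE;  /* may switch back to ID 0 */
            return IDS_DROPPED;         /* no ID 0 left in any column */
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return IDS_PARSE_ERROR;
}

int main(void)
{
    /* Constructed sample in the format of the status lines in the post. */
    const char *sample = "Name:\tproftpd\nUid:\t500\t500\t500\t500\n"
                         "Gid:\t500\t500\t500\t500\n";
    printf("control port 2021 needs root for data port: %d\n", data_port_needs_root(2021));
    printf("Uid state %d, Gid state %d\n", classify_ids(sample, "Uid:"), classify_ids(sample, "Gid:"));
    return 0;
}
```

A control port of exactly 1024 still yields a privileged data port (1023), which matches the post's "> 1024" condition. A process that only changed its effective ID would be classified as regainable rather than dropped.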
