[1995] in bugtraq
Re: Exploit for Linux wu.ftpd hole
daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Thu Jul 6 21:49:13 1995
Date: Thu, 6 Jul 1995 13:59:39 +0200
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
X-To: BUGTRAQ%CRIMELAB.COM@plearn.edu.pl
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <Pine.LNX.3.91.950705184600.3247A-100000@rapture.cyberflunk.com>
from "bt" at Jul 5, 95 06:46:58 pm

bt:
> You have to run as root to setuid to the user, to open the log files,
> and to chroot (for anon) to the ftp dir.. of course after login, root
> privs are not really needed.

They are needed to create ftp-data sockets (privileged port number).
That's why ftpd runs (most of the time) with the effective uid of the
user who is logged in, but real uid 0 (so that it can get root privs
for a while, to create a socket). But no external program (like ls,
gzip, tar, ...) needs to run as root - there should be something like
setgid(getegid()); setuid(geteuid()); between fork and exec in ftpd_popen.
This would prevent the slackware hole from giving root access.

Comments?

Marek Michalkiewicz
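
The drop between fork and exec suggested in the message above, written out as an added example; it is not code from the original post or from wu.ftpd. The names drop_privs_permanently and run_unprivileged are hypothetical, and it assumes saved set-user-ID semantics and that supplementary groups were already set for the user at login.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become the current effective user and group. Returns 0
 * only if real and effective ids match and root cannot be regained. */
int drop_privs_permanently(void)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();

    /* With saved set-user-IDs, setuid() changes only the effective uid
     * unless the caller is privileged, so regain root first if possible. */
    if (seteuid(0) != 0) { /* no root to regain: nothing to do here */ }

    /* Group before user: once the uid is dropped, setgid() may fail. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* The drop must be irreversible for a non-root target. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* popen-style helper: fork, drop privileges in the child, then exec.
 * Returns the child's exit status, or -1 on failure. */
int run_unprivileged(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privs_permanently() != 0)
            _exit(126);   /* never exec with leftover privileges */
        execv(argv[0], argv);
        _exit(127);       /* exec failed */
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Exit status 126 from run_unprivileged means the child refused to exec because the drop could not be verified; 127 means the exec itself failed.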