[2006] in bugtraq
Re: Exploit for Linux wu.ftpd hole
daemon@ATHENA.MIT.EDU (William McVey - wam)
Sat Jul 8 13:46:37 1995
Date: Fri, 7 Jul 1995 22:39:00 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: William McVey - wam <wamcvey@fedex.com>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>

Marek Michalkiewicz wrote:
>They are needed to create ftp-data sockets (privileged port number).
>That's why ftpd runs (most of the time) with the effective uid of the
>user who is logged in, but real uid 0 (so that it can get root privs
>for a while, to create a socket). But no external program (like ls,
>gzip, tar, ...) needs to run as root - there should be something like
>setgid(getegid()); setuid(geteuid()); between fork and exec in ftpd_popen.
>This would prevent the slackware hole from giving root access.
>
>Comments?

Binding to a privileged port is what inetd is good for. Still no
reason for ftpd to be root other than to do a chroot. After the chroot
(which should happen in the first few executed statements), ftpd
should drop to some other user, like "ftp."

-- William
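
The privilege drop between fork and exec discussed in this message, as an added C example that is not part of the original post or of wu-ftpd's source; `drop_privs_permanently` and `run_unprivileged` are hypothetical names. Because an unprivileged setuid() changes only the effective uid, the code takes root back first when the real uid is 0, so that all three ids change and the drop can be verified.

```c
#define _DEFAULT_SOURCE 1   /* setgroups(), seteuid() under strict -std= */
#include <grp.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become the current effective uid/gid. Returns 0 on success. */
static int drop_privs_permanently(void)
{
    uid_t uid = geteuid();   /* ftpd case: the logged-in user */
    gid_t gid = getegid();
    /* An unprivileged setuid() changes only the effective uid, so take
     * root back first; setgid()/setuid() then set real, effective, saved. */
    if (uid != 0 && getuid() == 0) {
        if (seteuid(0) != 0 || setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0 || setuid(uid) != 0)   /* group first, then user */
        return -1;
    /* Verify instead of trusting return codes: ids match, root is gone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* Fork, drop privileges in the child, exec argv[0]; returns exit status. */
static int run_unprivileged(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privs_permanently() != 0)
            _exit(126);              /* never exec with leftover privilege */
        execv(argv[0], argv);
        _exit(127);                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const argv[] = { "/bin/sh", "-c", "id", NULL };  /* constructed sample command */
    return run_unprivileged(argv);
}
```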