[2032] in bugtraq


Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)

daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Thu Jul 13 00:56:40 1995

Date:         Wed, 12 Jul 1995 17:49:07 +0200
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
X-To:         BUGTRAQ%CRIMELAB.COM@plearn.edu.pl
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <9507121234.AA25802@utctu8.ct.utwente.nl> from "Henri Karrenbeld"
              at Jul 12, 95 01:34:10 pm

Henri Karrenbeld:
> People with local ftp access can use the file descriptors in /proc of
> the (wu.)ftpd process (which is running under their euid) to read and append
> to files to which they should not have access. This gives write permission
> to /var/adm/wtmp and read access to /etc/shadow, if your ftpd is hacked

This is a known problem with Linux /proc.  Fixed in 1.2.11, introducing
a minor misfeature (ps shows ftpd always running as root).  I hope 1.2.12
(if, when) will fix it better.

1.2.11 makes everything in /proc/pid owned by root if real and effective
uid (or gid) of the process are different, or if the dumpable flag is
cleared (it is cleared for setuid and setgid programs).  This disallows
access to /proc/pid/fd.

Marek
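
The ownership rule described above, written as a consistency check. This is an added example, not part of the original post and not kernel code; it assumes the Uid:/Gid: line layout of a current Linux /proc/<pid>/status, and the function names and sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Real and effective ids from the Uid:/Gid: lines of /proc/<pid>/status. */
struct proc_ids { long ruid, euid, rgid, egid; };

/* Constructed samples: an ftpd serving a logged-in user (real uid 0,
 * effective uid 1000) and an ordinary user process. */
static const char FTPD_STATUS[] =
    "Name:\tftpd\nUid:\t0\t1000\t0\t1000\nGid:\t0\t100\t0\t100\n";
static const char USER_STATUS[] =
    "Name:\tcat\nUid:\t1000\t1000\t1000\t1000\nGid:\t100\t100\t100\t100\n";

/* Returns 0 on success, -1 if either line is missing or malformed. */
int parse_status_ids(const char *status, struct proc_ids *out)
{
    const char *u = strstr(status, "\nUid:");
    const char *g = strstr(status, "\nGid:");
    if (!u || !g) return -1;
    if (sscanf(u + 5, "%ld %ld", &out->ruid, &out->euid) != 2) return -1;
    if (sscanf(g + 5, "%ld %ld", &out->rgid, &out->egid) != 2) return -1;
    return 0;
}

/* Rule from the post: root ownership is required when real and effective
 * uid (or gid) differ, or when the dumpable flag is cleared. */
int must_be_root_owned(const struct proc_ids *p, int dumpable)
{
    return p->ruid != p->euid || p->rgid != p->egid || !dumpable;
}

/* fd_owner is st_uid from stat("/proc/<pid>/fd"); dumpable is supplied by
 * the caller. Returns 1 if the fd directory is left to a non-root owner
 * although the rule requires root, 0 if consistent, -1 on parse failure. */
int fd_dir_exposed(const char *status, int dumpable, uid_t fd_owner)
{
    struct proc_ids p;
    if (parse_status_ids(status, &p) != 0) return -1;
    return must_be_root_owned(&p, dumpable) && fd_owner != 0;
}

int main(void)
{
    printf("ftpd, fd owned by uid 1000: %d\n", fd_dir_exposed(FTPD_STATUS, 1, 1000));
    printf("ftpd, fd owned by root:     %d\n", fd_dir_exposed(FTPD_STATUS, 1, 0));
    printf("user process, dumpable:     %d\n", fd_dir_exposed(USER_STATUS, 1, 1000));
    printf("user process, not dumpable: %d\n", fd_dir_exposed(USER_STATUS, 0, 1000));
    return 0;
}
```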
