From owner-freebsd-security Mon Apr 23 18:57:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sibptus.tomsk.ru (sibptus.tomsk.ru [213.59.238.16])
    by hub.freebsd.org (Postfix) with ESMTP id 06B8F37B43C
    for ; Mon, 23 Apr 2001 18:57:27 -0700 (PDT)
    (envelope-from sudakov@sibptus.tomsk.ru)
Received: (from sudakov@localhost)
    by sibptus.tomsk.ru (8.9.3/8.9.3) id JAA40687;
    Tue, 24 Apr 2001 09:57:00 +0800 (KRAST)
    (envelope-from sudakov)
Date: Tue, 24 Apr 2001 09:57:00 +0800
From: Victor Sudakov
To: Dag-Erling Smorgrav
Cc: freebsd-security@freebsd.org
Subject: Re: Q: Impact of globbing vulnerability in ftpd
Message-ID: <20010424095700.A40591@sibptus.tomsk.ru>
References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from des@ofug.org on Mon, Apr 23, 2001 at 04:54:22PM +0200
Organization: AO "Svyaztransneft", SibPTUS
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Apr 23, 2001 at 04:54:22PM +0200, Dag-Erling Smorgrav wrote:
> > > > As far as I understand, it can be exploited only after a user has
> > > > logged in, so ftpd is already chrooted
> > > Not necessarily.
> > Anonymous account is always chrooted. I think you have to play
> > with the source to disable this.
>
> The logged-in user is not necessarily anonymous.

In my installations, a user is always chrooted, unless he/she has a
shell account anyway.

>
> > > Run arbitrary code on the target machine, which may perform operations
> > > (such as creating new directories to store warez) which the FTP server
> > > normally doesn't allow the user to perform,
> > How is this possible if ftpd drops root privileges after
> > successful login?
>
> I didn't claim the code would run as root. It would run as the
> logged-in user, or user "ftp" in case of an anonymous login.

The security advisory claims that. So I became interested.

>
> > So, if the users already have shell accounts, this security hole
> > does not matter for me, does it?
>
> Probably not. Depends on your anonftp setup.

Anonftp is always chrooted :)

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/149@fidonet http://vas.tomsk.ru/