Date: Mon, 14 Oct 1996 18:30:18 -0700
From: Jason Downs <downsj@teeny.org>
To: Marc Slemko <marcs@znep.com>
Cc: freebsd-bugs@freefall.freebsd.org
Subject: Re: bin/1805: Bug in ftpd
Message-ID: <199610150130.SAA09758@threadway.teeny.org>
In-Reply-To: Your message of "Mon, 14 Oct 1996 11:20:02 PDT." <199610141820.LAA14810@freefall.freebsd.org>

In message <199610141820.LAA14810@freefall.freebsd.org>, Marc Slemko writes:
>The following reply was made to PR bin/1805; it has been noted by GNATS.
>
>From: Marc Slemko <marcs@znep.com>
>To: rkozak@bdk.lublin.pl
>Cc: freebsd-gnats-submit@freebsd.org
>Subject: Re: bin/1805: Bug in ftpd
>Date: Mon, 14 Oct 1996 12:11:11 -0600 (MDT)
>
> On Mon, 14 Oct 1996 rkozak@bdk.lublin.pl wrote:
>
> > While user is connected to server via ftp, the process ftpd is owned
> > by this user. When ftpd is abnormally terminated (e.g. kill -11 <ftpd-id>)
> > the memory image of this process is written to file ftpd.core in home dir.
> > This file contains encrypted passwords of all users on this machine.
>
> That isn't nice. I don't think it will contain the passwords of all the
> users, just a certain subset of them. This is also a problem with older
> versions of wuftpd, but the latest beta seems to be fine, although I'm not
> sure if that is just a fluke or by design. There are several possible
> fixes, but for those that need a temporary fix ASAP, a workaround follows.
> There should be no security problems with this, but there could be
> something I'm missing.

I don't think disabling core dumps is a very clean or effective fix for
this problem. a.) the problem is potentially widespread, and b.) is caused
by the design (limitations) of the DB library.

The problem was killed by making essentially a one line change in the
OpenBSD source tree. A slight performance hit is exchanged for greater
overall security.

--
Jason Downs (503) 256-8535 -/- (503) 952-3749
downsj@teeny.org
--> teeny.org: Free Software for a Free Internet <--
http://www.teeny.org/
OpenBSD: The BSD with a soul. http://www.openbsd.org/
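
Added example, not part of the original message and not the OpenBSD change (which the message does not show): a C sketch of the two general mitigations for hashes leaking into a core file, forbidding core files with `setrlimit` and scrubbing the in-memory copy after use. The function names and the sample hash string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Workaround style: forbid core files for this process (soft and hard limit 0). */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Current soft core-size limit, or -1 if it cannot be read. */
long core_soft_limit(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_CORE, &rl) == 0 ? (long)rl.rlim_cur : -1;
}

/* Zero a buffer through a volatile pointer so the stores are not optimised away. */
void scrub(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

int all_zero(const void *buf, size_t len) {
    const unsigned char *p = buf;
    while (len--) if (*p++) return 0;
    return 1;
}

/* Hypothetical check: work on a private copy of the stored hash, then scrub it
 * so no copy outlives the comparison. Returns 1 match, 0 mismatch, -1 too long. */
int check_hash(const char *stored, const char *candidate, char *work, size_t n) {
    int ok;
    if (strlen(stored) >= n) return -1;
    strcpy(work, stored);
    ok = strcmp(work, candidate) == 0;
    scrub(work, n);
    return ok;
}

/* Returns 1 when match, mismatch and scrubbing all behave as intended. */
int demo(void) {
    const char *stored = "$1$constructed$notarealhash"; /* constructed sample */
    char work[64];
    int match = check_hash(stored, stored, work, sizeof work);
    int clean = all_zero(work, sizeof work);
    return match == 1 && clean && check_hash(stored, "wrong", work, sizeof work) == 0;
}

int main(void) {
    printf("disable=%d limit=%ld demo=%d\n",
           disable_core_dumps(), core_soft_limit(), demo());
    return 0;
}
```

Scrubbing only covers buffers the program itself owns; records cached inside a library, which the reply names as the cause, are out of its reach.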