Date: Tue, 13 Sep 2016 14:07:09 -0700 From: "Ronald F. Guilmette" <rfg@tristatelogic.com> To: freebsd-security@freebsd.org Subject: ftpd leaks info which might be useful to an attacker Message-ID: <68595.1473800829@segfault.tristatelogic.com>
next in thread | raw e-mail | index | archive | help
I've been moving all of my stuff over to a shiny new VM that I've purchased, and in the process I am having to revisit various configuration decisions I made 10 years ago or more. One set of such decisions has to do with the following files: ~ftp/etc/group ~ftp/etc/pwd.db Thinking about how the contents of these files affects the behavior of the ftp DIR command caused me to realize that I actually would prefer it if there were some some option available for ftpd which would cause it to display only something like ---- where it currently attempts to print either a user ID name or number or a group ID name or number. I should perhaps mention that I'm using the -A option to ftpd, and that thus, pretty much any Tom, dick, and harry on the whole Internet will be able to log in (as anonymous) to my FTP server and then scrounge around for intersting stuff. I would kind of prefer if the stuff that any such party could find would _not_ include actual user or group IDs, or even numeric UIDs/GIDs. So, um, anybody else agree that it might be Better if ftpd could be coerced into not leaking this kind fo account information?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?68595.1473800829>