Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 13 Sep 2016 14:07:09 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        freebsd-security@freebsd.org
Subject:   ftpd leaks info which might be useful to an attacker
Message-ID:  <68595.1473800829@segfault.tristatelogic.com>

next in thread | raw e-mail | index | archive | help

I've been moving all of my stuff over to a shiny new VM that I've
purchased, and in the process I am having to revisit various
configuration decisions I made 10 years ago or more.

One set of such decisions has to do with the following files:

    ~ftp/etc/group
    ~ftp/etc/pwd.db

Thinking about how the contents of these files affects the behavior of
the ftp DIR command caused me to realize that I actually would prefer
it if there were some some option available for ftpd which would cause
it to display only something like ---- where it currently attempts to
print either a user ID name or number or a group ID name or number.

I should perhaps mention that I'm using the -A option to ftpd, and that
thus, pretty much any Tom, dick, and harry on the whole Internet will
be able to log in (as anonymous) to my FTP server and then scrounge
around for intersting stuff.  I would kind of prefer if the stuff that
any such party could find would _not_ include actual user or group IDs,
or even numeric UIDs/GIDs.

So, um, anybody else agree that it might be Better if ftpd could be
coerced into not leaking this kind fo account information?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?68595.1473800829>