Date:      Tue, 13 Sep 2016 14:27:22 -0700 (PDT)
From:      Lyndon Nerenberg <lyndon@orthanc.ca>
To:        "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ftpd leaks info which might be useful to an attacker
Message-ID:  <alpine.BSF.2.20.1609131424550.53065@orthanc.ca>
In-Reply-To: <68595.1473800829@segfault.tristatelogic.com>
References:  <68595.1473800829@segfault.tristatelogic.com>

> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.

I would be concerned about programs that parse that output choking on a 
field of only hyphens. It's likely safer to just report the uid and gid as 
0 (or 666, or some other made-up number of your choice).

--lyndon