From: Matthew Seaman
To: freebsd-security@freebsd.org
Subject: Re: ftpd leaks info which might be useful to an attacker
Date: Wed, 14 Sep 2016 08:58:07 +0100
Message-ID: <1333775a-3398-ab93-66fe-6c381eb5c428@FreeBSD.org>
In-Reply-To: <68595.1473800829@segfault.tristatelogic.com>

On 13/09/2016 22:07, Ronald F. Guilmette wrote:
> One set of such decisions has to do with the following files:
>
>     ~ftp/etc/group
>     ~ftp/etc/pwd.db
>
> Thinking about how the contents of these files affect the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.

Why is this a problem, given that all the user and group IDs your ftpd
will display come from the private files in your chroot?

You can make the ownership of the files under ~ftp anything you want,
and you can make them appear as anything you want. In practice I'd make
everything owned by root:wheel, unless you want to support uploading, in
which case *only* the area files can be uploaded to should be made owned
by ftpd and writable by that UID. Some sort of cron job running chown
and chmod recursively over that collection to enforce this would be a
good idea.

> I should perhaps mention that I'm using the -A option to ftpd, and that
> thus, pretty much any Tom, Dick, and Harry on the whole Internet will
> be able to log in (as anonymous) to my FTP server and then scrounge
> around for interesting stuff. I would kind of prefer if the stuff that
> any such party could find would _not_ include actual user or group IDs,
> or even numeric UIDs/GIDs.

Basically don't mix anonymous access with password authenticated access.
Also, don't use password access with *plaintext* protocols like FTP.
About the only useful way to use FTP any more is for anonymous read-only
access to download stuff from an archive -- and in that use case, a web
server is generally a much better choice.

FTP as a protocol is archaic and needs to die.

    Cheers,

    Matthew
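
One way to implement the recurring chown/chmod pass suggested in the message above, as an added example that is not part of the original post. The `/var/ftp` root, the `incoming` upload directory and the script path in the comments are hypothetical; the upload area is left untouched so it can stay owned by the ftpd UID.

```shell
#!/bin/sh
# Added example, not from the original message. Audits or fixes ownership
# and write bits in an anonymous-FTP tree, skipping the upload area.
# The paths and names in the usage lines below are hypothetical.
#
# usage: ftp-perms.sh audit|fix FTP_ROOT UPLOAD_SUBDIR OWNER:GROUP
#   e.g. ftp-perms.sh fix /var/ftp incoming root:wheel
# /etc/crontab entry (hourly, as root):
#   0 * * * * root /usr/local/sbin/ftp-perms.sh fix /var/ftp incoming root:wheel

ftp_tree_policy() {
    mode=$1 root=${2%/} upload=$3 owner=${4%%:*} group=${4##*:}
    if [ -z "$root" ] || [ -z "$owner" ]; then
        echo "usage: audit|fix FTP_ROOT UPLOAD_SUBDIR OWNER:GROUP" >&2
        return 2
    fi
    case $mode in
        audit) set -- -print ;;
        fix)   set -- -exec chown "$owner:$group" {} + -exec chmod go-w {} + ;;
        *)     echo "mode must be audit or fix" >&2; return 2 ;;
    esac
    # Prune the upload area and skip symlinks (their mode bits carry no
    # meaning). A path violates the policy if it has the wrong owner or
    # group, or is writable by group or other.
    find "$root" -path "$root/$upload" -prune -o ! -type l \
        \( ! -user "$owner" -o ! -group "$group" \
           -o -perm -020 -o -perm -002 \) "$@"
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    ftp_tree_policy "$@"
fi
```

Run it in `audit` mode first and review the listed paths before scheduling `fix`.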