From owner-freebsd-security Tue Aug 11 13:34:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA29565 for freebsd-security-outgoing; Tue, 11 Aug 1998 13:34:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gateway.cybernet.com (gateway.cybernet.com [192.245.33.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA29559 for ; Tue, 11 Aug 1998 13:34:57 -0700 (PDT) (envelope-from mtaylor@cybernet.com)
Received: from spiffy.cybernet.com (spiffy.cybernet.com [192.245.33.55]) by gateway.cybernet.com (8.8.5/8.8.5) with ESMTP id QAA12750 for ; Tue, 11 Aug 1998 16:53:52 -0400 (EDT)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Tue, 11 Aug 1998 16:38:22 -0400 (EDT)
Reply-To: mtaylor@cybernet.com
Organization: Cybernet Systems
From: "Mark J. Taylor"
To: freebsd-security@FreeBSD.ORG
Subject: Possible security "risk" in ftp client
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a cool but horrible feature: you can specify the user name and password to use via the command line (in the URL), as in:

    /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/

This is actually quite bad: any "ps -ax" will show the username and password. Using setproctitle(3) would be an attempt to close this, but it would create a race condition.

The program "/usr/bin/fetch" does it better: use the environment variables FTP_LOGIN and FTP_PASSWORD.

SAMBA's smbclient does it both ways: using the command-line param "-Uusername%password" or using the USER environment variable. It will even parse the password from the USER environment variable if there is a "%" in it.

Is there any possibility of making a man page annotation that lists this "hole"? And of getting in a patch that uses the environment?
I can do the work, unless someone else would rather do it...

--------------------------------------------------------------------
Mark J. Taylor                 Networking Research
Cybernet Systems               mtaylor@cybernet.com
727 Airport Blvd.              PHONE (734) 668-2567
Ann Arbor, MI 48108            FAX (734) 668-8780
--------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
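The environment-based approach the message proposes (the FTP_LOGIN / FTP_PASSWORD convention of fetch(1)), as an added example that is not part of the original message and not the FreeBSD ftp(1) source: a credential-resolution routine that prefers the environment, falls back to the URL's userinfo only when the environment is unset, records where the credentials came from so the caller can warn that an argv password is visible to every local user via ps, and a redaction helper so the URL can be logged without the password. The function names, the fixed-size struct and the default URL are assumptions made for this example; the parser handles only the "ftp://user:pass@host/path" shape.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Credentials resolved for an FTP session (fixed-size buffers for the example). */
struct ftp_creds {
    char user[64];
    char pass[64];
    int from_environment;   /* 1: FTP_LOGIN/FTP_PASSWORD; 0: parsed from the URL on argv */
};

/* Locate the userinfo ("user[:pass]") that precedes '@' in the authority part.
 * Returns 1 and sets *start/*at/*colon if present; colon is NULL when no password. */
static int find_userinfo(const char *url, const char **start, const char **at, const char **colon)
{
    const char *p = url, *slash;
    if (strncmp(p, "ftp://", 6) == 0)
        p += 6;
    slash = strchr(p, '/');
    *at = strchr(p, '@');
    if (*at == NULL || (slash != NULL && *at > slash))
        return 0;                           /* '@' belongs to the path, not the authority */
    *start = p;
    *colon = memchr(p, ':', (size_t)(*at - p));
    return 1;
}

/* Resolve credentials. Environment wins because argv is world-readable through ps(1);
 * setproctitle(3) would only hide argv after the fact, leaving a window (the race the
 * message describes). Returns 1 when a user name was found, 0 otherwise. */
int resolve_credentials(const char *url, struct ftp_creds *out)
{
    const char *env_user = getenv("FTP_LOGIN");
    const char *env_pass = getenv("FTP_PASSWORD");
    const char *start, *at, *colon;

    memset(out, 0, sizeof *out);
    if (env_user != NULL && env_pass != NULL) {
        snprintf(out->user, sizeof out->user, "%s", env_user);
        snprintf(out->pass, sizeof out->pass, "%s", env_pass);
        out->from_environment = 1;
        return 1;
    }
    if (!find_userinfo(url, &start, &at, &colon))
        return 0;
    if (colon != NULL) {
        snprintf(out->user, sizeof out->user, "%.*s", (int)(colon - start), start);
        snprintf(out->pass, sizeof out->pass, "%.*s", (int)(at - colon - 1), colon + 1);
    } else {
        snprintf(out->user, sizeof out->user, "%.*s", (int)(at - start), start);
    }
    out->from_environment = 0;              /* caller should warn: password visible in ps */
    return 1;
}

/* Copy url into out with any userinfo password replaced by "***" so it is safe to log.
 * Returns 1 if a password was redacted, 0 if the URL carried none. */
int redact_url(const char *url, char *out, size_t outlen)
{
    const char *start, *at, *colon;
    if (!find_userinfo(url, &start, &at, &colon) || colon == NULL) {
        snprintf(out, outlen, "%s", url);
        return 0;
    }
    snprintf(out, outlen, "%.*s:***%s", (int)(colon - url), url, at);
    return 1;
}

int main(int argc, char **argv)
{
    struct ftp_creds c;
    char shown[256];
    /* constructed default URL for a stand-alone run */
    const char *url = argc > 1 ? argv[1] : "ftp://ftp.example.org/pub/";

    if (!resolve_credentials(url, &c)) {
        fprintf(stderr, "no credentials: set FTP_LOGIN and FTP_PASSWORD\n");
        return 1;
    }
    redact_url(url, shown, sizeof shown);
    printf("url=%s user=%s source=%s\n", shown, c.user,
           c.from_environment ? "environment" : "argv (visible to ps -ax)");
    return 0;
}
```

Run it as `FTP_LOGIN=alice FTP_PASSWORD=secret ./a.out ftp://ftp.example.org/pub/` and the password never appears on the command line; run it with the password in the URL instead and the source field flags the exposure. Environment variables are not a complete answer either: on systems where other users can read a process's environment (ps -e / procfs), the same caveat applies, so the safest path remains an interactive prompt or a mode-0600 netrc-style file.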