Date: Mon, 13 Feb 2006 18:44:49 +0600 (NOVT)
From: "Vadim S. Goncharov" <vadim_nuclight@mail.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: conf/93284: Insecure placement of user ftp into operator group (.snap directories access)
Message-ID: <200602131244.k1DCinJS046295@hostel.avtf.net>
Resent-Message-ID: <200602131250.k1DCo4Pq078655@freefall.freebsd.org>
>Number:         93284
>Category:       conf
>Synopsis:       Insecure placement of user ftp into operator group (.snap directories access)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 13 12:50:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Vadim S. Goncharov
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
AVTF TPU Hostel, Tomsk, Russia
>Environment:
System: FreeBSD hostel.avtf.net 5.4-STABLE FreeBSD 5.4-STABLE #2: Tue Jan 31 15:05:09 NOVT 2006 vadim@hostel.avtf.net:/usr/obj/usr/src/sys/HOSTEL i386
>Description:
sysinstall(8) asks (when configuring) whether to enable anonymous ftp and, if so, creates user ftp with uid 14 and places it into group operator (gid 5). But UFS2 partitions after newfs by default have a .snap subdirectory with root:operator ownership and mode 775. Thus, if you create a separate partition for your ftp (good practice), .snap will be writable by anonymous users, even if all other data on your ftp is in read-only public access (very bad).

As a side effect, placing the ftp user in such an important system group as operator can have other security implications.
>How-To-Repeat:
Answer "yes" to the question about enabling anonymous ftp and mount an earlier created (at the disklabel stage) UFS2 partition on /var/ftp - anonymous users will be able to write to the .snap subdirectory.
>Fix:
Create group ftp with gid=21 and assign this group as primary for user ftp. The suggested src/conf fix is to make a default separate group for ftp already in the base system (and teach sysinstall about it), as is already done with users www, news, etc.
>Release-Note:
>Audit-Trail:
>Unformatted:
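The exposure the PR describes comes down to an ordinary Unix permission check: .snap is root:operator 0775, and the ftp user's primary gid is 5 (operator), so group-write applies to the anonymous user. The script below is an added illustration, not part of the PR or of FreeBSD's own tools; it reproduces that check against constructed passwd, group and directory records (the "incoming" entry and its ownership are assumed for illustration) and shows the same check after the proposed fix, ftp's primary group changed to a dedicated group ftp (gid 21). On a real host the inputs are `id ftp`, /etc/group and `ls -ld /var/ftp/.snap`.

```python
import stat

# Constructed sample records (not captured from a real host). The first line is
# user ftp as sysinstall(8) creates it, primary gid 5 = operator; the second is
# the same user after the PR's fix, primary gid 21 = a dedicated group ftp.
PASSWD_SYSINSTALL = "ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/usr/sbin/nologin"
PASSWD_FIXED = "ftp:*:14:21:Anonymous FTP Admin:/var/ftp:/usr/sbin/nologin"

GROUP_DB = """\
wheel:*:0:root
operator:*:5:root
www:*:80:
ftp:*:21:
"""

# Directories as `ls -ld` would report them: (path, owner uid, group gid, mode).
# /var/ftp/.snap is the root:operator 0775 directory newfs(8) leaves on a fresh
# UFS2 filesystem; the ftp-owned "incoming" upload directory is an assumption
# added so the output shows that legitimate write access survives the fix.
DIRS = [
    ("/var/ftp", 0, 0, 0o755),
    ("/var/ftp/pub", 0, 0, 0o755),
    ("/var/ftp/.snap", 0, 5, 0o775),
    ("/var/ftp/incoming", 14, 21, 0o775),
]


def parse_passwd(line):
    """Return (name, uid, primary gid) from one passwd(5) line."""
    name, _pw, uid, gid, *_rest = line.split(":")
    return name, int(uid), int(gid)


def parse_groups(text):
    """Return {gid: (group name, set of member names)} from group(5) text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, set(filter(None, members.split(","))))
    return groups


def effective_gids(user, primary_gid, groups):
    """Primary gid plus every group that lists the user as a member."""
    gids = {primary_gid}
    for gid, (_name, members) in groups.items():
        if user in members:
            gids.add(gid)
    return gids


def can_write(uid, gids, owner, group, mode):
    """Classic owner/group/other write check for a directory entry."""
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_dirs(passwd_line, group_text=GROUP_DB, dirs=DIRS):
    """Every directory in `dirs` the given passwd entry could write to."""
    user, uid, gid = parse_passwd(passwd_line)
    gids = effective_gids(user, gid, parse_groups(group_text))
    return [path for path, owner, group, mode in dirs
            if can_write(uid, gids, owner, group, mode)]


def ftp_can_write_snap(passwd_line, group_text=GROUP_DB):
    """True when the ftp user can create files in /var/ftp/.snap."""
    return "/var/ftp/.snap" in writable_dirs(passwd_line, group_text)


if __name__ == "__main__":
    for label, line in (("sysinstall default", PASSWD_SYSINSTALL),
                        ("group ftp (gid 21)", PASSWD_FIXED)):
        print(f"{label}: ftp writes .snap = {ftp_can_write_snap(line)}, "
              f"writable: {writable_dirs(line)}")
```

With the sysinstall default the ftp user lands in group 5 and .snap is reported writable; with the primary group switched to the dedicated ftp group only the intentionally ftp-owned directory remains writable. The same check is what to run, by hand, for any other partition mounted under the anonymous ftp root, since every fresh UFS2 filesystem carries its own .snap.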