From: Dag-Erling Smorgrav
To: Victor Sudakov
Cc: freebsd-security@freebsd.org
Subject: Re: Q: Impact of globbing vulnerability in ftpd
Date: 23 Apr 2001 16:54:22 +0200

Victor Sudakov writes:
> On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote:
> > > As far as I understand, it can be exploited only after a user has
> > > logged in, so ftpd is already chrooted
> > Not necessarily.
> Anonymous account is always chrooted. I think you have to play
> with the source to disable this.

The logged-in user is not necessarily anonymous.

> > Run arbitrary code on the target machine, which may perform operations
> > (such as creating new directories to store warez) which the FTP server
> > normally doesn't allow the user to perform,
> How is this possible if ftpd drops root privileges after
> successful login?

I didn't claim the code would run as root. It would run as the
logged-in user, or user "ftp" in case of an anonymous login.

> So, if the users already have shell accounts, this security hole
> does not matter for me, does it?

Probably not. Depends on your anonftp setup.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org