From owner-freebsd-security  Mon Apr 23  7:54:30 2001
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: Victor Sudakov <sudakov@sibptus.tomsk.ru>
Cc: freebsd-security@freebsd.org
Subject: Re: Q: Impact of globbing vulnerability in ftpd
References: <20010423111632.B17342@sibptus.tomsk.ru>
	<xzpitjvgbub.fsf@flood.ping.uio.no>
	<20010423190737.A25969@sibptus.tomsk.ru>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 23 Apr 2001 16:54:22 +0200
In-Reply-To: <20010423190737.A25969@sibptus.tomsk.ru>
Message-ID: <xzpae57fyzl.fsf@flood.ping.uio.no>

Victor Sudakov <sudakov@sibptus.tomsk.ru> writes:
> On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote:
> > > As far as I understand, it can be exploited only after a user has
> > > logged in, so ftpd is already chrooted
> > Not necessarily.
> Anonymous account is always chrooted. I think you have to play
> with the source to disable this.

The logged-in user is not necessarily anonymous.

> > Run arbitrary code on the target machine, which may perform operations
> > (such as creating new directories to store warez) which the FTP server
> > normally doesn't allow the user to perform, 
> How is this possible if ftpd drops root privileges after
> successful login?

I didn't claim the code would run as root.  It would run as the
logged-in user, or user "ftp" in case of an anonymous login.

> So, if the users already have shell accounts, this security hole
> does not matter for me, does it?

Probably not.  Depends on your anonftp setup.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
