Date:      Fri, 16 Mar 2001 03:04:08 -0800 (PST)
From:      tedm@toybox.placo.com
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/25851: Security hole in anonymous FTP setup script
Message-ID:  <200103161104.f2GB48x03389@freefall.freebsd.org>


>Number:         25851
>Category:       misc
>Synopsis:       Security hole in anonymous FTP setup script
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 16 03:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Ted Mittelstaedt
>Release:        Release 4.2
>Organization:
>Environment:
FreeBSD mail.freebsd-corp-net-guide.com 4.2-RELEASE FreeBSD 4.2-RELEASE #7: Wed Mar 14 03:53:01 PST 2001     tedm@mail.freebsd-corp-net-guide.com:/usr/src/sys/compile/MAILSERV  i386
>Description:
If /stand/sysinstall is run AFTER users are added to the system,
and used to set up anonymous FTP, as part of its setup routine
it copies the system /etc/group to /var/ftp/etc.  The problem is
that by then the system's /etc/group file has been populated with
the userIDs of local users that are in the "wheel" group.

This allows an anonymous user to obtain a list of all users on
the system who are authorized to su to the root user.  It may also
give an attacker a list of all userIDs on the system, depending on
how many userIDs are in the system /etc/group file by then.  This
represents an unnecessary release of information to a remote attacker.
>How-To-Repeat:
Populate /etc/group with userIDs in the system, then run /stand/sysinstall and select Network services, then select Setup Anonymous FTP.
>Fix:
I would suggest that during the setup, the anonymous
FTP setup script strip out the users listed on each one of the
group lines, as this information is not needed for operation of
anonymous FTP.  Another possibility would be to use a 
dummy group file with just the default groups in it that was
embedded in the setup script.  Even if the existing behavior was
left intact and a warning was put up this would be better than
nothing.
>Release-Note:
>Audit-Trail:
>Unformatted:
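
The first fix suggested in the report (strip the member list from each group line before the file goes into the FTP tree), as an added example that is not part of the original report and is not sysinstall code. The function names and the sample group file are constructed for illustration; the audit function goes one step beyond the report by checking an existing copy for member lists that are still present.

```shell
#!/bin/sh
# Added example: names below are hypothetical, not sysinstall code.

# Write a constructed sample group(5) file to the path given as $1.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample group file
wheel:*:0:root,alice,bob
daemon:*:1:
operator:*:5:root,carol
ftp:*:14:
EOF
}

# Print group file $1 with the member list (4th field) emptied.
# Comments and empty lines pass through; malformed lines are dropped.
sanitize_group() {
    awk -F: '
        /^#/ || /^$/ { print; next }
        NF >= 3      { printf "%s:%s:%s:\n", $1, $2, $3 }
    ' "$1"
}

# Print the name of every group in $1 that still lists members.
# Returns 1 if any were found, 0 if the file leaks no usernames.
audit_group() {
    awk -F: '
        /^#/ || /^$/        { next }
        NF >= 4 && $4 != "" { print $1; found = 1 }
        END                 { exit (found ? 1 : 0) }
    ' "$1"
}

# Demo: audit the "system" copy, sanitize it, audit the result.
tmp=$(mktemp -d)
make_sample "$tmp/group"
audit_group "$tmp/group" || echo "^ groups exposing members in system copy"
sanitize_group "$tmp/group" > "$tmp/ftp_group"
audit_group "$tmp/ftp_group" && echo "sanitized copy lists no members"
rm -rf "$tmp"
```

On a host that already has an anonymous FTP tree, `audit_group /var/ftp/etc/group` reports which groups in the published copy still carry usernames.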
