Date: Fri, 16 Mar 2001 03:04:08 -0800 (PST)
From: tedm@toybox.placo.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/25851: Security hole in anonymous FTP setup script
Message-ID: <200103161104.f2GB48x03389@freefall.freebsd.org>

>Number:         25851
>Category:       misc
>Synopsis:       Security hole in anonymous FTP setup script
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 16 03:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Ted Mittelstaedt
>Release:        Release 4.2
>Organization:
>Environment:
FreeBSD mail.freebsd-corp-net-guide.com 4.2-RELEASE FreeBSD 4.2-RELEASE #7: Wed Mar 14 03:53:01 PST 2001 tedm@mail.freebsd-corp-net-guide.com:/usr/src/sys/compile/MAILSERV i386

>Description:
If /stand/sysinstall is run AFTER users are added to the system, and used
to set up anonymous FTP, as part of its setup routine it copies the system
/etc/group to /var/ftp/etc.

The problem is that by then the system's /etc/group file has been populated
with the userIDs of local users that are in the "wheel" group. This allows
an anonymous user to obtain a list of all users on the system who are
authorized to su to the root user. It may also give an attacker a list of
all userIDs on the system, depending on how many userIDs are in the system
/etc/group file by then.

This represents an unnecessary release of information to a remote attacker.

>How-To-Repeat:
Populate /etc/group with userIDs in the system, then run /stand/sysinstall
and select Network services, then select Setup Anonymous FTP.

>Fix:
I would suggest that during the setup, the anonymous FTP setup script strip
out the users listed on each one of the group lines, as this information is
not needed for operation of anonymous FTP.

Another possibility would be to use a dummy group file with just the default
groups in it that was embedded in the setup script.

Even if the existing behavior was left intact and a warning was put up, this
would be better than nothing.

>Release-Note:
>Audit-Trail:
>Unformatted:
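
The first fix suggested in the report (emptying the member list on every group line before the file goes into /var/ftp/etc), together with a check for an existing copy that still names members, as an added example that is not part of the original report or of sysinstall. The function names and the sample group file are constructed for illustration.

```shell
#!/bin/sh
# group(5) line format: name:password:gid:member1,member2,...

# Write group file $1 to stdout with every member list emptied.
# Comment and blank lines pass through; malformed lines are dropped
# with a note on stderr so they are not copied into the chroot.
strip_group_members() {
    awk -F: 'BEGIN { OFS = ":" }
        /^[ \t]*(#|$)/ { print; next }
        NF >= 3        { print $1, $2, $3, ""; next }
        { print "skipping malformed line " NR > "/dev/stderr" }' "$1"
}

# Print the name of each group in file $1 that still lists members.
# Useful for auditing an existing /var/ftp/etc/group.
groups_with_members() {
    awk -F: '/^[ \t]*(#|$)/ { next }
        NF >= 4 && $4 != "" { print $1 }' "$1"
}

# Constructed sample standing in for a populated /etc/group.
write_sample_group() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
wheel:*:0:root,alice,bob
daemon:*:1:daemon
operator:*:5:root,alice
ftp:*:14:
nogroup:*:65533:
EOF
}

# Demonstration on the constructed sample only; no system file is touched.
tmp=$(mktemp -d)
write_sample_group "$tmp/group"
strip_group_members "$tmp/group" > "$tmp/ftp-group"
echo "exposing members before: $(groups_with_members "$tmp/group" | tr '\n' ' ')"
echo "exposing members after:  $(groups_with_members "$tmp/ftp-group" | tr '\n' ' ')"
cat "$tmp/ftp-group"
rm -rf "$tmp"
```

Running `groups_with_members` against the group file inside an existing anonymous FTP tree shows whether that installation is affected; empty output means no member names are exposed.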