From owner-freebsd-bugs Fri Mar 16 3:10: 7 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id 6289A37B719
    for ; Fri, 16 Mar 2001 03:10:02 -0800 (PST)
    (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f2GBA2L06290;
    Fri, 16 Mar 2001 03:10:02 -0800 (PST)
    (envelope-from gnats)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id 3C39B37B71A
    for ; Fri, 16 Mar 2001 03:04:08 -0800 (PST)
    (envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f2GB48x03389;
    Fri, 16 Mar 2001 03:04:08 -0800 (PST)
    (envelope-from nobody)
Message-Id: <200103161104.f2GB48x03389@freefall.freebsd.org>
Date: Fri, 16 Mar 2001 03:04:08 -0800 (PST)
From: tedm@toybox.placo.com
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: misc/25851: Security hole in anonymous FTP setup script
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 25851
>Category: misc
>Synopsis: Security hole in anonymous FTP setup script
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Mar 16 03:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Ted Mittelstaedt
>Release: Release 4.2
>Organization:
>Environment:
FreeBSD mail.freebsd-corp-net-guide.com 4.2-RELEASE FreeBSD 4.2-RELEASE #7: Wed Mar 14 03:53:01 PST 2001 tedm@mail.freebsd-corp-net-guide.com:/usr/src/sys/compile/MAILSERV i386
>Description:
If /stand/sysinstall is run AFTER users are added to the system, and used to set up anonymous FTP, as part of its setup routine it copies the system /etc/group to /var/ftp/etc.

The problem is that by then the system's /etc/group file has been populated with the userIDs of local users that are in the "wheel" group. This allows an anonymous user to obtain a list of all users on the system who are authorized to su to the root user. It may also give an attacker a list of all userIDs on the system, depending on how many userIDs are in the system /etc/group file by then. This represents an unnecessary release of information to a remote attacker.
>How-To-Repeat:
Populate /etc/group with userIDs in the system, then run /stand/sysinstall and select Network services, then select Setup Anonymous FTP.
>Fix:
I would suggest that during the setup, the anonymous FTP setup script strip out the users listed on each one of the group lines, as this information is not needed for operation of anonymous FTP. Another possibility would be to use a dummy group file with just the default groups in it that was embedded in the setup script. Even if the existing behavior was left intact and a warning was put up, this would be better than nothing.
>Release-Note:
>Audit-Trail:
>Unformatted:
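
One way to implement the first suggested fix, stripping the member list from every group line, shown as an added example that is not part of the original report or of sysinstall. The function names and the sample group file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not sysinstall code. group(5) lines: name:passwd:gid:members

# make_sample FILE: write a constructed group file (not from a real system).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample
wheel:*:0:root,alice,bob
daemon:*:1:
operator:*:5:root
staff:*:20:alice
EOF
}

# sanitize_group SRC: print SRC with the password field set to "*" and the
# member list emptied. Comments and blank lines are dropped; malformed lines
# are skipped with a warning and make the function return non-zero.
sanitize_group() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 4 || $1 == "" || $3 !~ /^[0-9]+$/ {
            printf "line %d: malformed, skipped\n", NR > "/dev/stderr"
            bad = 1; next
        }
        { printf "%s:*:%s:\n", $1, $3 }
        END { exit bad + 0 }
    ' "$1"
}

# leaked_members FILE: list every account name found in a member list,
# one per line, sorted and de-duplicated. Empty output means nothing leaks.
leaked_members() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$1" | sort -u
}

# Demo in a scratch directory. On a real system SRC would be /etc/group and
# the result would be installed as /var/ftp/etc/group (paths from the report).
demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/group"
    echo "names exposed by a straight copy:"; leaked_members "$dir/group"
    sanitize_group "$dir/group" > "$dir/ftp_group"
    echo "sanitized copy:"; cat "$dir/ftp_group"
    rm -rf "$dir"
}
demo
```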