Bugtraq mailing list archives

Re: Exploit for Linux wu.ftpd hole


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Sat, 8 Jul 1995 22:24:34 -0400


[By the way, I keep seeing different addresses for bugtraq in headers.
What's the correct current address?]

> You have to run as root to setuid to the user, to open the log
> files, and to chroot (for anon) to the ftp dir.. of course after
> login, root privs are not really needed.
> They are needed to create ftp-data sockets (privileged port number).

True.  And unfortunate.  Personally, I think use of the default data
port has outlived its usefulness, and would _almost_ be willing to put
up an FTP daemon that permanently threw away all privilege soon after
startup, and required use of PORT or PASV for data transfers.

But quite aside from that, ftpd doesn't really need root access for its
data port.  Cheswick & Bellovin, in their (incidentally excellent)
book, point out that this can be done with an auxiliary program, either
a long-running daemon listening to a private well-known port, or a tiny
setuid-root program execed by ftpd.  (The former version requires an OS
capable of passing file descriptors (aka "access rights") through
sockets.)  This program takes a socket bound to the ftp control port
and returns a socket bound to the ftp data port.  Hard to abuse (I'd
say "impossible", but I know better than to make such blanket claims)
and small enough to be trusted.

Of course, the _real_ problem is that the privilege model used by UNIX
(ie, all-or-nothing, root or normal user) is being used well outside
its design environment, and the mismatch is showing.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
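The helper described in the post above (a privileged program that hands an already-bound data-port socket to the unprivileged ftpd) is sketched here as an added example; it is not code from der Mouse, from wu.ftpd, or from Cheswick & Bellovin. It assumes a Unix with SCM_RIGHTS descriptor passing over AF_UNIX sockets (Linux or BSD), and the function names, the "nobody" uid/gid 65534 and the fork layout are this example's own choices. The helper keeps root, binds the port, sends the descriptor and closes its own copy; the ftpd side receives it with no privilege at all.

```c
/* Added example: privileged helper binds the FTP data port and passes the
 * socket to an unprivileged process with SCM_RIGHTS. Not original code. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* TCP socket bound to 0.0.0.0:port (ports below 1024 need root). */
int make_data_socket(unsigned short port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    int one = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) { close(s); return -1; }
    return s;
}

/* Send one descriptor over a Unix-domain socket as ancillary data. */
int send_fd(int chan, int fd)
{
    char byte = 'F';                          /* one data byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = u.buf;   msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; -1 if the message carries none (or the wrong kind). */
int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = u.buf;   msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
        || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Local port a socket is bound to (host order); 0 on error. */
unsigned short bound_port(int s)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(s, (struct sockaddr *)&sin, &len) < 0) return 0;
    return ntohs(sin.sin_port);
}

/* Give up root for good: gid first, then uid, then verify it cannot come back. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return setuid(0) == 0 ? -1 : 0;           /* regaining root must fail */
}

int main(int argc, char **argv)
{
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 20;
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    pid_t pid = fork();
    if (pid == 0) {                           /* unprivileged "ftpd" side */
        close(sv[0]);
        if (getuid() == 0 && drop_privileges(65534, 65534) < 0) return 1; /* assumed nobody */
        int data = recv_fd(sv[1]);
        if (data < 0) { fprintf(stderr, "no descriptor received\n"); return 1; }
        printf("ftpd (uid %u) holds socket bound to port %u\n",
               (unsigned)getuid(), bound_port(data));
        return 0;
    }
    close(sv[1]);                             /* privileged helper side */
    int data = make_data_socket(port);
    if (data < 0) { perror("bind"); return 1; }
    if (send_fd(sv[0], data) < 0) { perror("send_fd"); return 1; }
    close(data);                              /* helper keeps no copy */
    int st;
    waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : 1;
}
```

Run as root with no argument to bind port 20; as an ordinary user, pass an unprivileged port (e.g. `./helper 2020`) to see the same handoff. The helper's attack surface is the single message it accepts, which is the property the post is after: the part that must be root does one thing and is small enough to audit.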


