Bugtraq mailing list archives

wu-ftpd 2.4.2-beta-13 default UMASK hole

From: stevev () HEXADECIMAL UOREGON EDU (Steve VanDevender)
Date: Wed, 11 Jun 1997 12:28:29 -0700


Roy M. Hooper writes:

The default umask for wu-ftpd 2.4.2-beta-13 is 002.
Since most users on most sites are in the same group, all files created by
users PUTting files would be group writeable by anyone.  Not a good thing.

The offending code is in "ftpd.c" line 259:
#if !defined(CMASK) || CMASK == 0
#undef CMASK
#define CMASK 002
#endif

Changing CMASK 002 to CMASK 022 will fix this.


If you aren't easily able to recompile your wu-ftpd, but you are able to
edit its entry in inetd.conf, invoking it with the switch "-u022" will
also let you set the default umask to 022 (you can even use "-u077", if
you're feeling paranoid or fascist).

Current thread:

wu-ftpd 2.4.2-beta-13 default UMASK hole Roy M. Hooper (Jun 11)
- wu-ftpd 2.4.2-beta-13 default UMASK hole Steve VanDevender (Jun 11)
- Re: wu-ftpd 2.4.2-beta-13 default UMASK hole George Staikos (Jun 11)
- Denial of service (qmail-smtpd) Frank DENIS -Jedi/Sector One- (Jun 11)
- qmail-dos-2.c, another denial of service attack Frank DENIS -Jedi/Sector One- (Jun 11)
- DNS abuse Jordi Murgo (Jun 11)
- Solaris x86 buffer overflows jim bresler (Jun 12)
- CERT Advisory CA-97.18 - Vulnerability in the at(1) program Aleph One (Jun 12)
  - Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Rick Byers (Jun 12)
    - Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program The Nolander (Jun 12)
    - Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Thomas Koenig (Jun 14)
    - Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Adam Morrison (Jun 15)

(Thread continues...)