Bugtraq mailing list archives
Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client
From: ley () CERT DFN DE (Wolfgang Ley)
Date: Thu, 6 Nov 1997 17:37:44 +0100
-----BEGIN PGP SIGNED MESSAGE-----

Lutz Donnerhacke wrote:
[...]
> > I also wonder about IBM's answer:
> >
> >   SOLUTION: Remove the setuid bit from the "ftp" command.
> >
> > On our 4.2.1, ftp will not run if it is not suid. Didn't somebody test this?
>
> Yep. ftp does not need suid:
>
>   -rwxr-xr-x   1 root     root     /bin/ftp*
>   -rwxr-xr-x   1 root     root     /usr/bin/ncftp*
>
> DFN-CERT corrected the solution of IBM. It was a false statement according to them.
We contacted IBM before forwarding the advisory to our site security contacts (because removing the setuid bit won't fix the problem). In our introduction we said that the information in the bulletin

  SOLUTION: Remove the setuid bit from the "ftp" command.

was wrong and should be replaced by

  SOLUTION: Apply fixes listed below.

This correction statement was the result of our discussion with IBM. Removing the setuid bit has the result that only root is able to use the original AIX ftp client (because there are some audit functions in the ftp client which do require the root privs --- don't ask me why, and I certainly think that this is broken design, too).

This mail is just to let you know that we haven't corrected the bulletin in a way to suggest removing the setuid bit (although I would prefer this, but tests have shown problems with this additional security precaution).

Bye,
Wolfgang Ley (DFN-CERT)

- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley () cert dfn de   Phone: +49 40 5494-2262   Fax: +49 40 5494-2241
PGP-Key available via finger ley () ftp cert dfn de, any key-server, or via WWW from http://www.cert.dfn.de/~ley/
...have a nice day

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBNGHyVQQmfXmOCknRAQEXrQP/UXoVTwA2G9wcmrGTW0AnFla9lcFWBIu9
a7AwLoEGg+GuQ7I4XqDJpb/XBg+dcJThB7oTknsFgtgPQwVQXP4O37yLBoRsRKXZ
88tA6ZX6/PRqvlmLVatmkHNARoWIOgSnRMgjOXZFJO/WAPEo93TyZoH+PaD5cFSf
DjR3Vug2XkU=
=g3lp
-----END PGP SIGNATURE-----
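The thread turns on a single file-mode bit: whether the ftp client is setuid root, and what breaks when the bit is removed. The script below is an added example, not code from the thread, IBM, or DFN-CERT. It shows how an administrator would audit a binary for the setuid bit, strip it while recording the before/after mode, and list the remaining setuid-root files for review. It parses `ls -ld` rather than `stat` because `stat` flags differ across AIX, BSD and GNU; the paths in the comments are assumptions for illustration, and on AIX the stripped client must be re-tested as a non-root user, since the message above reports that it then only works for root.

```shell
#!/bin/sh
# Added example (not from the original thread): audit and strip the setuid
# bit on a binary, then list setuid-root files for review.
# Example paths such as /usr/bin/ftp are assumptions for illustration.

# is_setuid FILE: return 0 if FILE carries the setuid bit, 1 otherwise.
# The owner-execute column of "ls -ld" is 's' (setuid + exec) or 'S'
# (setuid without exec); this works on AIX, BSD and GNU userlands alike.
is_setuid() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# strip_setuid FILE: remove the setuid bit and print the mode change so the
# action is recorded; returns non-zero if chmod fails or the bit remains.
strip_setuid() {
    before=$(ls -ld "$1" | cut -c1-10) || return 1
    chmod u-s "$1" || return 1
    after=$(ls -ld "$1" | cut -c1-10)
    echo "$1: $before -> $after"
    is_setuid "$1" && return 1
    return 0
}

# list_setuid_root [DIR]: enumerate setuid files owned by root below DIR
# (default /), staying on one filesystem; review each entry afterwards.
list_setuid_root() {
    find "${1:-/}" -xdev -type f -user root -perm -4000 -print 2>/dev/null
}

# Typical use (commented out; the ftp path is an assumption):
#   is_setuid /usr/bin/ftp && strip_setuid /usr/bin/ftp
#   list_setuid_root /usr
```

After stripping the bit, log in as an unprivileged user and run the client end to end; a client that silently needs root for an audit hook, as the AIX one is described above, will fail only at that point, which is exactly the problem DFN-CERT reports.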
Current thread:
- Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client af () C4C COM (Nov 03)
- <Possible follow-ups>
- Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client Lutz Donnerhacke (Nov 04)
- netapp NFS server crash by FreeBSD client [w/patch] Dmitry Kohmanyuk Дмитрий Кохманюк (Nov 05)
- simptcp hotfix renewed on 03/11/1997 Yves Kreis (Nov 05)
- Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client Wolfgang Ley (Nov 06)
- HPSBUX9710-072 Sec. Vulnerability in CDE on HP-UX 10.[10, 20, Aleph One (Nov 06)
- Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client Troy A. Bollinger (Nov 06)
- Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client Giulio E. D. Botto (Nov 04)